Is it dangerous to view an access log via a web browser without sanitizing it?
I am considering recording an access log, and I am considering viewing it via a web browser, but if an attacker modifies his remote host or user agent or something, can he attack me?
By inserting attack code into his remote host or user agent, etc.
So do I need to sanitize with htmlspecialchars before opening the access log file via a web browser?
I mean, the attacker inserts some attack code into his remote host or user agent or somewhere, then I view that access log via a web browser, and then my PC is affected by that code.
You probably want some HTML formatting for the output and therefore have to sanitize/encode the log data. But for argument's sake: if you send the output as text/plain, the client isn't supposed to parse any HTML/JavaScript.
E.g. the output of
<?php
header('Content-type: text/plain; charset=utf-8');
echo '<script>alert(document.URL);</script>';
displays as <script>alert(document.URL);</script> (at least in FF3, IE8, Opera, Safari).
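The HTML-formatted case mentioned in the answer above, as an added example that is not part of the original post: every log field goes through htmlspecialchars() before it is placed in a table. The log lines are constructed sample data, and the names e() and renderLogTable() and the combined-log-format pattern are assumptions of this example.

```php
<?php
// Added example: HTML log viewer that encodes every log field before output.

// Constructed sample data in combined log format. Line 2 carries markup in
// the User-Agent; line 3 is malformed and does not match the field pattern.
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<script>alert(document.URL);</script>"
garbled entry <script>alert(document.URL);</script>
LOG;

// Encode for an HTML text or attribute context. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of
// making htmlspecialchars() return an empty string for the whole field.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLogTable(string $log): string
{
    // host, time, request line, status, referer, user agent
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) \S+ "(.*?)" "(.*)"$/';
    $html = "<table>\n<tr><th>Host</th><th>Time</th><th>Request</th>"
          . "<th>Status</th><th>Referer</th><th>User agent</th></tr>\n";
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($pattern, $line, $m)) {
            $cells = array_slice($m, 1);
            $open = '<td>';
        } else {
            // Unparsable lines are still shown, and still encoded.
            $cells = [$line];
            $open = '<td colspan="6">';
        }
        $html .= '<tr>';
        foreach ($cells as $cell) {
            $html .= $open . e($cell) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Declare the charset so the browser does not guess it, and disable sniffing.
header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo renderLogTable($sampleLog);
```

In the generated markup the User-Agent cell of the second line contains `&lt;script&gt;alert(document.URL);&lt;/script&gt;`, which the browser shows as text instead of executing.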