Tags: amazon-web-services, java, logging, audit, veracode

Pass Veracode CWE 117 (Improper Output Neutralization for Logs) only with replaceAll("\r", "_").replaceAll("\n", "_")


I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not?

 // replaceAll returns a new String; the result has to be kept, the original is unchanged
 String neutralized = message.replaceAll("\r", "_").replaceAll("\n", "_");

From this topic How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this

ESAPI.encoder().encodeForHTML(message);

Solution

  • The message needs to be escaped for the context in which it is used. The ESAPI logger does replace the \r and \n characters, and also encodes for HTML if configured to do so.

    Currently this code gives me a CWE 117 from Veracode:

    log.log(Level.WARNING, System.getenv("unsafe"));
    

    This code does not:

    log.log(Level.WARNING, ESAPI.encoder().encodeForHTML(System.getenv("unsafe")));
    

    encodeForHTML encodes \r and \n to &#xd; and &#xa; respectively, but an underscore is imho cleaner, and if you decoded the HTML you may get unexpected new lines.