Tags: java, logging, esapi

ESAPI log injection


I included ESAPI in my project because of the possibility of log injection.

The only thing I am using it for is something like this:

message = message.replace("\n", ERROR_MESS)
            .replace("\r", ERROR_MESS)
            .replace("\t", ERROR_MESS);
message = ESAPI.encoder().encodeForHTML(message);

However, I get plenty of logs displayed such as:

ESAPI: WARNING: System property [org.owasp.esapi.opsteam] is not set
ESAPI: WARNING: System property [org.owasp.esapi.devteam] is not set
...

I have two questions:

  1. Is there a way to turn off these logs? If there is, how do I do it? I found a way to do it by creating a new class; however, I am looking for something more like a setting in the ESAPI.properties file.
  2. Is ESAPI.properties really needed when I use only that one method? Is there any chance of deleting it and having things still work?

Solution

    1. Not at present, but you're welcome to come over and help us out at any time. Just submit a PR for whatever features you desire.

    2. ESAPI will not load without validation.properties or esapi.properties. This is by design.

    I am the esapi-java project co-lead.
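The sanitisation the question performs, written out as an added example; this is not code from the question's author or from the ESAPI project, and it uses only the JDK. The class name LogSanitizer, the placeholder value of ERROR_MESS, and the hand-written encodeForHtml method (a stand-in for ESAPI.encoder().encodeForHTML(), covering only the five characters that matter for a log viewer rendered in a browser) are all assumptions. It goes a little beyond the question's three characters: instead of replacing only CR, LF and TAB, it neutralises every control character (\p{Cntrl}, i.e. 0x00-0x1F and 0x7F), which also covers ESC and therefore terminal escape sequences that a log viewed in a console would otherwise interpret.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the question or the ESAPI project): a minimal
 * log-message sanitizer that neutralises the control characters used to
 * forge extra log lines and then HTML-encodes the result for log viewers
 * that render in a browser. Plain JDK only, so no ESAPI.properties is needed.
 */
public final class LogSanitizer {
    // Hypothetical placeholder written wherever a control character was found.
    private static final String ERROR_MESS = "_";

    // All C0 control characters plus DEL: CR, LF and TAB, but also ESC and friends.
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    private LogSanitizer() {}

    /** Replace every control character so one log call cannot emit more than one line. */
    public static String neutralizeControlChars(String message) {
        if (message == null) {
            return "null";
        }
        return CONTROL_CHARS.matcher(message).replaceAll(ERROR_MESS);
    }

    /** Minimal HTML encoding of the characters that let logged text become markup in a browser-based viewer. */
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Full pipeline: neutralise line breaks first, then encode for HTML, in the same order as the question. */
    public static String sanitize(String message) {
        return encodeForHtml(neutralizeControlChars(message));
    }

    public static void main(String[] args) {
        // Constructed sample input: a "username" field that carries a line break
        // and a fake record, the classic log-forging payload shape.
        String userInput = "alice\r\nINFO login ok for <b>admin</b>";
        String logLine = "login failed for user=" + sanitize(userInput);
        System.out.println(logLine);
    }
}
```

The ordering matters: neutralising control characters before HTML-encoding keeps the encoder from ever seeing a raw newline, and because \p{Cntrl} does not match the ampersand or angle brackets, the two steps do not interfere with each other. ERROR_MESS contains no '$' or '\', so it is safe to pass to Matcher.replaceAll, which otherwise treats those as group references.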