author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-01-18 06:11:41 +0000 |
committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-01-18 06:11:41 +0000 |
commit | 9ffaa7e96b91f99751592b60ea1351b5e1264c08 (patch) | |
tree | d2f5fea2e8e14655e7fa9af32e83437f8661f1f3 /lib/logger.rb | |
parent | c8e22ee12cb951b4bd9ac14bab62f7dfa34d3f61 (diff) |
* lib/logger.rb: added RDoc document for logging message escape
by Hal Brodigan. See #3869
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30591 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/logger.rb')
-rw-r--r-- | lib/logger.rb | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/lib/logger.rb b/lib/logger.rb
index 5c00fe24c2..1f09af0f6b 100644
--- a/lib/logger.rb
+++ b/lib/logger.rb
@@ -1,7 +1,6 @@
 # logger.rb - simple logging utility
-# Copyright (C) 2000-2003, 2005, 2008 NAKAMURA, Hiroshi <[email protected]>.
+# Copyright (C) 2000-2003, 2005, 2008, 2011 NAKAMURA, Hiroshi <[email protected]>.
 #
-# Author:: NAKAMURA, Hiroshi <[email protected]>
 # Documentation:: NAKAMURA, Hiroshi and Gavin Sinclair
 # License::
 # You can redistribute it and/or modify it under the same terms of Ruby's
@@ -41,6 +40,21 @@ require 'monitor'
 # want to know about the program's internal state, and would set them to
 # +DEBUG+.
 #
+# **Note**: Logger does not escape or sanitize any messages passed to it.
+# Developers should be aware of when potentially malicious data (user-input)
+# is passed to Logger, and manually escape the untrusted data:
+#
+# logger.info("User-input: #{input.dump}")
+# logger.info("User-input: %p" % input)
+#
+# You can use Logger#formatter= for escaping all data.
+#
+# original_formatter = Logger::Formatter.new
+# logger.formatter = proc { |severity, datetime, progname, msg|
+# original_formatter.call(severity, datetime, progname, msg.dump)
+# }
+# logger.info(input)
+#
 # === Example
 #
 # A simple example demonstrates the above explanation:
|
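Review bot: The formatter example in the second hunk calls `msg.dump` unconditionally, but Logger accepts non-String messages (Exception objects, arbitrary objects) and the default Formatter handles them itself, so this recommended formatter raises NoMethodError as soon as a caller logs anything but a String. Since the documented purpose is to make escaping a safe default for all data, the example should only dump Strings, e.g. `original_formatter.call(severity, datetime, progname, msg.is_a?(String) ? msg.dump : msg)`, and a reader would benefit from one sentence saying why the escaping matters: an unescaped newline or terminal control sequence in `msg` lets one log entry be forged to look like several, or corrupt the output of anyone viewing the log. It is also worth stating that `progname` is interpolated unescaped too, so the same treatment applies if it comes from untrusted input. Minor style point: RDoc marks bold with single asterisks, so `**Note**` will render literally and the indented example lines must keep their leading spaces to be emitted as verbatim blocks.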