Improper Output Neutralization for Logs

  package main
  
  import (
      "log"
      "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.URL.Query().Get("user")
-     // Vulnerable: user input logged directly
-     log.Printf("Login attempt for user: %s", username)
+     "strings"
+ )
+ 
+ func sanitizeLogInput(s string) string {
+     s = strings.ReplaceAll(s, "\n", "")
+     s = strings.ReplaceAll(s, "\r", "")
+     return s
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.URL.Query().Get("user")
+     // Safe: newlines stripped before logging
+     log.Printf("Login attempt for user: %s", sanitizeLogInput(username))
  }
  

  const express = require('express');
  const winston = require('winston');
  const app = express();
  
  app.post('/login', (req, res) => {
-   const username = req.body.username;
+   const username = req.body.username.replace(/[\r\n]/g, '');
    winston.info(`Login attempt: ${username}`);
    res.json({ status: 'ok' });
  });
  

- app.post('/login', (req, res) => {
-   logger.info(`Login attempt from: ${req.body.username}`);
+ const sanitize = (str) => str.replace(/[\r\n]/g, '').substring(0, 200);
+ 
+ app.post('/login', (req, res) => {
+   logger.info('Login attempt', { username: sanitize(req.body.username) });
  });
  

  import logging
  from flask import request
  
- @app.route('/login', methods=['POST'])
- def login():
-     username = request.form.get('username')
-     logging.info(f"Login attempt for user: {username}")
+ logger = logging.getLogger(__name__)
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form.get('username', '')
+     logger.info("Login attempt", extra={'username': username})
      return "OK"