Kirill: Sanitization of the input is not the problem. The problem is that log4j 2.x tries to interpret the contents of messages using lookups, using very powerful machinery. Attempting such lookups may be insanely flexible but is also very dangerous. Log4j 1.x also has such machinery, but it is nowhere near as powerful nor as integrated into the framework's core. Logback has no such machinery because logging frameworks do not need to be Turing complete.
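The design point in the comment above, that the danger lies in the logging framework interpreting message *content* rather than in any lack of input sanitization, can be shown with a toy logger. The following is an added example written for this page; it is not log4j, Logback or the commenter's code, and the `${name:arg}` syntax, the `cfg`/`upper` lookup handlers, the `CONFIG` values and the function names are all constructed for illustration. `log_interpreting` renders the log line and then runs lookups over the whole result, so a caller-supplied argument is evaluated; `log_opaque` resolves lookups only over the developer-controlled template and splices arguments in verbatim afterwards. `contains_lookup` is the kind of check a defender can run over untrusted input or existing logs to flag lookup syntax for review.

```python
import re

# Toy lookup syntax: ${handler:argument}. Constructed for this example; not log4j's grammar.
LOOKUP_PATTERN = re.compile(r"\$\{([a-z]+):([^}]*)\}")

# Constructed configuration store standing in for whatever a real lookup can reach.
CONFIG = {
    "db.host": "db.internal.example",
    "db.password": "hunter2 (constructed)",
}

# Constructed lookup handlers: a lookup is arbitrary code run on text found in the message.
LOOKUPS = {
    "cfg": lambda key: CONFIG.get(key, ""),
    "upper": lambda key: key.upper(),
}

MAX_DEPTH = 3  # lookup results are themselves re-scanned; bound the recursion


def resolve_lookups(text: str, depth: int = 0) -> str:
    """Expand every ${handler:arg} in text, re-scanning handler output up to MAX_DEPTH."""
    if depth > MAX_DEPTH:
        return text

    def substitute(match: re.Match) -> str:
        handler = LOOKUPS.get(match.group(1))
        if handler is None:
            return match.group(0)  # unknown handler: leave the literal text alone
        return resolve_lookups(handler(match.group(2)), depth + 1)

    return LOOKUP_PATTERN.sub(substitute, text)


def splice(template: str, args: tuple) -> str:
    """Replace each '{}' in template with the corresponding argument, verbatim (no re-parsing)."""
    parts = template.split("{}")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder count does not match argument count")
    out = parts[0]
    for arg, part in zip(args, parts[1:]):
        out += str(arg) + part
    return out


def log_interpreting(template: str, *args) -> str:
    """Dangerous design: format first, then run lookups over the whole rendered line.
    Anything an argument contains is interpreted, so untrusted input drives the lookups."""
    rendered = splice(template, args)
    return resolve_lookups(rendered)


def log_opaque(template: str, *args) -> str:
    """Safer design: lookups apply only to the developer-controlled template.
    Arguments are data and are spliced in after resolution, never re-scanned."""
    return splice(resolve_lookups(template), args)


def contains_lookup(text: str) -> bool:
    """Detection helper: does this untrusted string carry lookup syntax worth flagging?"""
    return LOOKUP_PATTERN.search(text) is not None


if __name__ == "__main__":
    untrusted = "${cfg:db.password}"  # constructed user-controlled value, e.g. a login name
    print(log_interpreting("login attempt for user {}", untrusted))  # secret leaks into the log
    print(log_opaque("login attempt for user {}", untrusted))        # logged as literal text
    print(log_opaque("connecting to ${cfg:db.host} as {}", "alice"))  # template lookups still work
    print(contains_lookup(untrusted), contains_lookup("alice"))
```

The contrast is the whole point: `log_opaque` keeps the flexibility of lookups where the developer writes them and denies it where the data comes from outside, which is the property the comment argues a logging framework should have by construction rather than by sanitizing callers' input.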