
Issue with HTML field – users can’t update values (Zurich release)

Joatan Fontoura
Tera Guru

Hi everyone,

I’m facing an issue with an HTML-type field in one of my tables. Non-admin users — who have access to the table and its fields — are unable to insert values into this field when creating a new record, or update it in existing records.

At first, I suspected it was related to ACLs. So, I created an ACL with the “create” operation for this specific field, and then users were able to insert values during record creation. However, when I created a similar ACL with the “write” operation, it didn’t work — users still can’t update the field value afterward.

What’s strange is that this field belongs exclusively to this table, which rules out the possibility of inheriting ACLs from a parent table.

Is there any known restriction or security behavior that applies specifically to HTML fields by default in ServiceNow?

One more detail: I have the same table and field in another instance running Xanadu, and the issue does not occur there. The problem happens only in an instance running Zurich.

Thanks in advance for any insights!

2 ACCEPTED SOLUTIONS

Mani23
Tera Guru

Hi Joatan,

I guess it is because of the 'Scripting Governance Tool', which is part of the Zurich release. It happens to HTML fields as it is possible to use the script tag.

Please check the articles below:
https://www.servicenow.com/community/servicenow-ai-platform-articles/why-your-admins-can-t-script-po...

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2538150

https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/security/concept/scr...

Best Regards,

Mani


Ankita Sharma
Tera Expert

Hi Joatan,

In the Zurich upgrade, a new field type ACL is introduced for HTML fields (*.[html]).
This ACL is associated with a specific role that’s linked to the Conditional Script Writer group.

As a result, users who are not part of this group will be unable to view HTML-type fields on forms.

To resolve the issue, simply add the affected users to the Conditional Script Writer group. Once added, they’ll be able to see the HTML fields as expected.

If my response helped, please mark it as correct.

Regards

Ankita


8 REPLIES

Joatan Fontoura
Tera Guru

@Mani23 and @Ankita Sharma, you are right! It's happening because of the Scripting Governance Tool. When I added the users to the group Conditional Script Writer - which contains the role "snc_required_script_writer_permission" - they were able to write to the HTML field. Thank you!

Feiry
Tera Contributor

There is another solution, as adding users to the Conditional Script Writer group might be the best option based on the privileges that come with the role associated with the group. You can create deny-unless ACLs for the concerned fields with the appropriate role; this will solve the issue.

timnardoni
Tera Contributor

Am I the only person who thinks this change to HTML fields is really stupid? Or am I missing something?

I would say it is not very well thought through.

If people now add all users that ever need to edit an HTML field (basically any active user) to the "Conditional Script Writer" group or, worse, add the role "snc_required_script_writer_permission" to a very basic role, nothing is gained.
While it is true that an HTML field may contain <script> tags, it is not the same severity as being able to edit a script that is executed on the platform (basically we have the HTML sanitizer for that).

In a nutshell: I would also exclude HTML from this mechanism, as it will make this YASNA (yet another ServiceNow ACL) useless.


If this post was helpful, I would appreciate if you marked it as such - thanks!

Best
Daniel