Enabling HTML Sanitizer in ServiceNow

Rajeev ponuguma
Kilo Guru

Hello All,

We have a requirement to enable HTML Sanitizer. Can someone help me with the steps to enable it, and also what will be the impact on existing data once we enable HTML Sanitizer?

How can we test in real time that HTML sanitization is working?



Daniel Borkowi1
Mega Sage

Hi @Rajeev ponuguma , you only need to set the System Properties: glide.html.sanitize_all_fields and glide.translated_html.sanitize_all_fields to true. 


The impact is that within HTML fields some tags and attributes are filtered or restricted, e.g. the usage of protocols in links. Also tags like <script> are removed. You can configure black and whitelists in the Script Include HTMLSanitizerConfig. So users are not allowed to enter dangerous HTML code into HTML fields.


To test it, you can use any record with an HTML field: switch the field to Source code (button <>) and enter tags like script. After saving the record you will see that this tag is removed.

Everything is documented here: https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/security/concept/c_HT...


Greets
Daniel

Please mark reply as Helpful/Correct, if applicable. Thanks!

Hello Daniel, 

Thank you so much for your reply.

I can see that we have the OOTB script include 'HTMLSanitizerConfig' with the script below. Can you please confirm whether we need to configure black and whitelists, or will only enabling the properties restrict the tags without modifying the script include?


var HTMLSanitizerConfig = Class.create();
HTMLSanitizerConfig.prototype = {
    initialize: function() {
    },

    // Additional tags/attributes to allow on top of the OOTB filters.
    // Left empty here, so only the default allow list applies.
    HTML_WHITELIST : {
        globalAttributes: {
            attribute: [],
            attributeValuePattern: {}
        }
    },

    // Additional tags/attributes to remove on top of the OOTB filters.
    // Left empty here, so only the default deny list applies.
    HTML_BLACKLIST : {
        globalAttributes: {}
    },

    // Read by the platform sanitizer when the sanitize_all_fields properties are on.
    getWhiteList : function() {
        return this.HTML_WHITELIST;
    },

    getBlackList : function() {
        return this.HTML_BLACKLIST;
    },

    type: 'HTMLSanitizerConfig'
};

Daniel Borkowi1
Mega Sage

Hi @Rajeev ponuguma , you only need to adjust Blacklist and Whitelist if you want to extend the OOTB filters. For the standard use cases it's not needed. Here you can read what is already included: Exploring HTML sanitizer 

Greets
Daniel

Please mark reply as Helpful/Correct, if applicable. Thanks!