07-16-2024 01:13 AM
When do we use the addErrorMessageNoSanitization and addInfoMessageNoSanitization methods, and what is a JavaScript sandbox?
07-16-2024 02:00 AM
Hi @Nitish_Kumar,
To answer the first part of your question, the difference between the methods (e.g. addErrorMessage and addErrorMessageNoSanitization): essentially, whilst they provide the same functionality, it's more about who or what can call these methods. Typically you would not want an API to call the addErrorMessage because of the ability to pass unsanitized informational or error messages. (See below for more about unsanitized informational or error messages.)
As you've probably read from the SN Docs link I sent (above), in order to enable these API calls, a system property needs to be set: glide.sandbox.usersession.allow_unsanitized_messages
This property, along with others, is part of the Instance Security Hardening Settings.
This property will restrict unsanitized informational or error messages from being called in a sandboxed user session.
Running scripts generated from unsanitized inputs (for example, evaluating expressions that include user-provided strings) can lead to malicious behavior and inadvertently running code remotely.
To try and summarize this simply, by setting the system property appropriately, these methods allow the script and message to be called by the API.
Don't forget, typically, a sandbox is a known source and configuration within your 'environments' which you would trust in order to call one of these methods.
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.
Thanks, Robbie
07-16-2024 01:37 AM
Hi @Nitish_Kumar,
To set context, a sandbox is simply (and importantly) a separate and isolated environment (instance) that allows you to use and test functionality without affecting the main system or platform. (Think of it as another instance).
The addErrorMessageNoSanitization and addInfoMessageNoSanitization methods can be called via an API and script by that sandbox/separate instance or any application that integrates with your ServiceNow instance.
See here for ServiceNow docs:
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.
Thanks, Robbie
07-16-2024 01:42 AM
Thanks Robbie,
What is the difference between addErrorMessage and addErrorMessageNoSanitization, or addInfoMessage and addInfoMessageNoSanitization?
What is the use case for this? When should one prefer one over the other?