Enforce HTML Sanitization

Stuart Comstiv1
Tera Contributor

SN documentation describes the following system properties:

glide.html.sanitize_all_fields - to enable the HTMLSanitizer script include, which sanitizes HTML input based on exclusion-listed and inclusion-listed attributes configured in a script. You can also configure the inclusion list or exclusion list to sanitize HTML tags and attributes as per your organization's policy. By default, the property is set to true for new instances.

glide.translated_html.sanitize_all_fields - if the property is set to true, all translated_html elements are sanitized with an HTML sanitizer. If the property is set to false, only elements with the dictionary attribute html_sanitize set to true will be sanitized. By default, the property is set to true for new instances.

Our instance currently has these two properties set to true. However, our instance was identified as being non-compliant for "Check Unsanitized HTML". Documentation suggests this is controlled by the property 'com.glide.security.check_unsanitized_html': "Use the com.glide.security.check_unsanitized_html property to enforce sanitization behavior of translated_html fields on a global level for field assignments. Set this property to enforce to enforce sanitization behavior of translated_html fields."

My question is, what is the difference between 

glide.translated_html.sanitize_all_fields
and

com.glide.security.check_unsanitized_html

as they both appear to relate to translated HTML fields. The first is already set to true in our instance and the second one doesn't yet exist.

I am also struggling to test the impact of this, as even without 'com.glide.security.check_unsanitized_html' set to 'enforce', the HTML editor already seems to remove an unsafe tag such as <script> upon save (I may have to look into using a background script to test this). But if this already happens, what is the value in creating com.glide.security.check_unsanitized_html?

Is there any impact on existing config when com.glide.security.check_unsanitized_html is set to enforce?

I have had a look at the conclusions drawn in the post below:

Solved: Is the "Check Unsanitized HTML" feature mentioned ... - ServiceNow Community

Any further help appreciated

pavani_paluri
Giga Guru

Hi @Stuart Comstiv1,

Here is my understanding on the properties and HTML sanitization:

glide.html.sanitize_all_fields : Cleans up all HTML fields (removes unsafe tags like <script>) when saving through the UI or forms.

glide.translated_html.sanitize_all_fields : Specifically cleans translated_html fields.

com.glide.security.check_unsanitized_html: Doesn’t clean — instead, it blocks unsafe HTML from being saved at all, even through background scripts, REST API, or automation. It's an extra safety net.

 

Mark it helpful if this helps you to understand. Accept the solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P

Thanks for your understanding on this.

 

Copilot gave me this interpretation:

  • glide.translated_html.sanitize_all_fields controls whether sanitization happens.

  • com.glide.security.check_unsanitized_html enforces that sanitization must happen, and can be used to detect or prevent unsafe HTML usage even if the first property is misconfigured or bypassed.

So I think, again looking at the SN documentation below:

glide.translated_html.sanitize_all_fields - if the property is set to true, all translated_html elements are sanitized with an HTML sanitizer. If the property is set to false, only elements with the dictionary attribute html_sanitize set to true will be sanitized. By default, the property is set to true for new instances.

This property possibly just determines which Translated HTML fields should be sanitized, but does not actually enforce it, and the 'com.glide.security.check_unsanitized_html' property then enforces this. Documentation does suggest that sanitization of Translated HTML fields occurs by default, so the third property (com.glide.security.check_unsanitized_html) must perform more thorough enforcement?

My other concern was whether enforcing this would stop existing content from functioning, but from what I have read this appears to function by sanitizing upon Save.

Stuart Comstiv1
Tera Contributor

I raised a question with ServiceNow and they clarified the following:

1. The property glide.translated_html.sanitize_all_fields for the sanitization of translated HTML fields does not depend on other properties. Once you enable this property, the sanitization of translated HTML fields will take effect. The sanitization for this property happens when you save the record.

2. The property com.glide.security.check_unsanitized_html is an additional enforcement mechanism that ensures sanitization is applied at the UI rendering level for translated_html fields. You may refer to the link below, which mentions that "This remediation enforces HTML sanitization to occur on the UI and renders translated html fields to the user. It can have an impact on readability and formatting". This enforcement can impact readability and formatting because it sanitizes HTML at display time.

Please refer to the following article:
https://www.servicenow.com/docs/bundle/vancouver-platform-security/page/administer/security/referenc...

3. For a new instance, I observed that glide.translated_html.sanitize_all_fields is true and com.glide.security.check_unsanitized_html is enforced.

4. Both properties perform the sanitization at different times:
- The com.glide.security.check_unsanitized_html property is enforcing at the UI rendering level, ensuring no unsanitized HTML is displayed. That is, the sanitization for this property happens at display time. This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible. For example, once set to enforce, it cannot be reverted or disabled. If you see 'Not allowing set of unsafe property value: com_glide.security_unsanitized_html=disable', the property was previously set to enforce and now you're trying to disable it (not allowed).

- For the glide.translated_html.sanitize_all_fields property, the sanitization occurs when the record is saved.
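As an added illustration (not code from this thread or from ServiceNow), here is a small Python model of the two enforcement points the ServiceNow reply describes: save-time sanitization versus display-time enforcement. The allowlist sanitizer, the two boolean flags and the sample markup are constructed stand-ins for the real properties and the HTMLSanitizer script include; the point it shows is that markup stored before save-time sanitization was enabled only gets cleaned by the display-time layer.

```python
import html
from html.parser import HTMLParser

# Constructed model of the two enforcement points the thread describes: save-time
# sanitization (cf. glide.translated_html.sanitize_all_fields) and display-time
# enforcement (cf. com.glide.security.check_unsanitized_html). The allowlist
# sanitizer is a stand-in, not ServiceNow's HTMLSanitizer script include.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and the text inside it

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS:  # keep tag; keep only allowlisted, non-javascript: attrs
            kept = [(k, v or "") for k, v in attrs if k in ALLOWED_ATTRS.get(tag, set())
                    and not (v or "").strip().lower().startswith("javascript:")]
            attrs_text = "".join(' %s="%s"' % (k, html.escape(v)) for k, v in kept)
            self.out.append("<%s%s>" % (tag, attrs_text))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:  # text inside <script>/<style> is discarded
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def save_value(value, sanitize_on_save):  # save-time: affects only writes made while on
    return sanitize(value) if sanitize_on_save else value

def render_value(stored, enforce_on_render):  # display-time: cleans whatever is stored
    return sanitize(stored) if enforce_on_render else stored

# Constructed sample: markup stored before save-time sanitization was switched on.
LEGACY = '<p>Hello <b>world</b></p><script>alert(1)</script><a href="javascript:x">x</a>'
```

With `sanitize_on_save=False` the legacy value is stored as-is, and `render_value(stored, False)` hands it to the viewer untouched; only `render_value(stored, True)` strips the script element and the javascript: link, which is the gap the display-time property closes for content that predates the save-time one.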