10-09-2023 08:49 PM
Hi,
1) I need an explanation of how the property (com.glide.security.check_unsanitized_html) will impact translated_html fields.
2) What is the list of disallowed HTML tags after setting this property to 'enforce'?
3) Is there any way to delete the property (com.glide.security.check_unsanitized_html)?
Thanks in advance.
Best Regards,
ServiceNow Developer.
10-09-2023 09:11 PM
Hi @Bhanu31 ,
Certainly! Here's the explanation for the property `com.glide.security.check_unsanitized_html` and its impact, along with the list of disallowed HTML tags after setting the property to 'enforce':
### 1) **Explanation of `com.glide.security.check_unsanitized_html`:**
The property `com.glide.security.check_unsanitized_html` is a security setting in ServiceNow that controls whether the system checks for unsanitized HTML content in fields. When this property is set to `'enforce'`, ServiceNow checks for unsafe HTML content and sanitizes it to prevent potential security vulnerabilities.
### 2) **List of Disallowed HTML Tags (After Setting to 'Enforce'):**
When `com.glide.security.check_unsanitized_html` is set to `'enforce'`, ServiceNow disallows certain HTML tags and attributes to prevent security risks. The exact list of disallowed tags and attributes may vary based on the ServiceNow version and patch level, as security policies and restrictions might be updated in newer releases. Generally, common disallowed tags include `<script>`, `<iframe>`, `<object>`, and other tags that can execute scripts or load external content.
To get the most accurate and up-to-date information about the disallowed tags in your specific ServiceNow version, you should refer to the official ServiceNow documentation, security advisories, or contact ServiceNow support.
### 3) **Deleting the Property (`com.glide.security.check_unsanitized_html`):**
In standard configurations, you cannot delete system properties in ServiceNow. Deleting core system properties can lead to unpredictable behavior and security vulnerabilities. It's highly discouraged to delete or modify fundamental security properties.
Instead, if you need to revert to the default behavior or change the setting, you can reset the property to its default value. To reset the property, go to "System Properties" in your ServiceNow instance, find the property `com.glide.security.check_unsanitized_html`, and reset it to its default value.
Remember, when dealing with security-related settings, always follow best practices, and consider the implications of your changes to maintain the integrity and security of your ServiceNow instance.
Mark my answer as helpful & accepted if it helps you resolve your issue.
Thanks,
Danish
10-09-2023 10:58 PM
Hi,
How do we check that these tags are not working after setting the property to 'enforce'? Can you please provide example screens?
Thanks in Advance.
Best Regards,
ServiceNow Developer.
10-09-2023 11:11 PM - edited 10-09-2023 11:14 PM
Hi @Bhanu31 ,
Here's an example demonstrating how the enforcement of the property works:
Client Script Example:
Let's assume you have a translated_html field named description on the incident table (use a table of your choice; for testing purposes you can create one in a non-prod environment with the type Translated HTML). When the property is set to enforce, you can't use disallowed tags:

```javascript
function onSubmit() {
    // Set a disallowed tag into the translated_html field 'description'
    // (assumed to exist on the incident table for this test).
    g_form.setValue('description', '<script>alert("Hello");</script>');

    // On the client the raw value is still present; sanitization happens
    // server-side when the record is saved.
    var description = g_form.getValue('description');

    // Let the submit proceed (do not call g_form.save() inside onSubmit; that
    // would trigger another submit). With the property set to 'enforce', the
    // stored value will have the <script> tag removed.
    return true;
}
```

In this example, the <script> tag is disallowed, and the attempt to set it in the description field will result in the tag being sanitized or removed before saving.
Mark my answer helpful & accepted if it helps you resolve your issue.
Thanks,
Danish
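The following is an added example for this thread; it is not code from any of the posts and not ServiceNow's own sanitizer. It serves two passages: the description of what 'enforce' mode strips (script, iframe, object and similar tags) in the first reply, and the later question of how to verify that those tags are actually gone. It assumes a small allowlist sanitizer (`referenceSanitize`) as a stand-in for the instance, a set of constructed probe payloads, and adds `<embed>` and the event-handler / `javascript:` URL vectors to the three tags the reply names. The reusable part is `findDisallowed`, which inspects whatever value a field actually stored. Runs offline under Node.js.

```javascript
// Added example for this thread: not code from the original posts and not
// ServiceNow's own sanitizer. Node.js, runs offline.
//
// It models what an 'enforce' sanitizer is expected to do to the constructs
// named in the reply (<script>, <iframe>, <object>) plus the attribute/URL
// vectors any HTML sanitizer must also cover, and gives a detector you can
// point at the value a field actually stored.

// Tags treated as disallowed. The reply names the first three; <embed> is an
// added assumption (it loads external content the same way <object> does).
const DISALLOWED_TAGS = ['script', 'iframe', 'object', 'embed'];

// Constructed probe payloads, one per vector, plus one benign control.
const PROBES = [
  { name: 'script tag',      html: '<p>hi</p><script>alert(1)</script>' },
  { name: 'iframe tag',      html: '<iframe src="https://example.invalid/"></iframe>' },
  { name: 'object tag',      html: '<object data="x.swf"></object>' },
  { name: 'event handler',   html: '<img src="x" onerror="alert(1)">' },
  { name: 'javascript: URL', html: '<a href="javascript:alert(1)">click</a>' },
  { name: 'benign control',  html: '<p><b>bold</b> and <a href="https://example.invalid/">link</a></p>' },
];

// Reports which disallowed constructs are present in `html`. Regex-based on
// purpose: it inspects the *stored* value after the sanitizer has run, where
// the only question is whether a construct survived, not how it parses.
function findDisallowed(html) {
  const found = [];
  for (const tag of DISALLOWED_TAGS) {
    if (new RegExp('<\\s*' + tag + '\\b', 'i').test(html)) found.push('<' + tag + '>');
  }
  if (/\son[a-z]+\s*=/i.test(html)) found.push('on* event handler attribute');
  if (/(href|src|action)\s*=\s*["']?\s*javascript:/i.test(html)) found.push('javascript: URL');
  return found;
}

// Reference allowlist sanitizer standing in for the instance. This is an
// assumption about the shape of 'enforce' behaviour (allowlist of tags and
// attributes, everything else dropped), not ServiceNow's implementation.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'strong', 'em', 'a', 'ul', 'ol', 'li', 'br', 'img']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'] };

function referenceSanitize(html) {
  // Script-like elements lose their whole body: their content is code, not text.
  let out = html.replace(/<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Every remaining tag is rebuilt from the allowlist or dropped.
  out = out.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (whole, rawName, attrs) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (whole.startsWith('</')) return '</' + name + '>';
    const kept = [];
    for (const m of attrs.matchAll(/([a-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi)) {
      const attr = m[1].toLowerCase();
      const value = m[2].replace(/^["']|["']$/g, '');
      if (!(ALLOWED_ATTRS[name] || []).includes(attr)) continue;   // e.g. onerror
      if (/^\s*javascript:/i.test(value)) continue;                // scheme check on kept URL attrs
      kept.push(attr + '="' + value.replace(/"/g, '&quot;') + '"');
    }
    return '<' + name + (kept.length ? ' ' + kept.join(' ') : '') + '>';
  });
  return out;
}

// Round-trips each probe through `store` and reports what survived. Here
// `store` is the reference sanitizer; against a real instance it would be a
// function that writes the payload to the translated_html field and returns
// the value read back from the database.
function runProbes(store) {
  return PROBES.map((p) => {
    const stored = store(p.html);
    return { name: p.name, stored: stored, survived: findDisallowed(stored) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runProbes(referenceSanitize)) {
    const verdict = r.survived.length ? 'FAIL (' + r.survived.join(', ') + ')' : 'ok';
    console.log(r.name.padEnd(16) + verdict + '  stored: ' + JSON.stringify(r.stored));
  }
}
```

To run the same probes against a non-production instance, keep `PROBES` and `findDisallowed` and replace `referenceSanitize` with a `store` callback that, in a background script, initializes a GlideRecord on the test table, sets the translated_html field to the payload, inserts the record, re-reads it by sys_id and returns the stored field value. A probe whose `survived` list is non-empty after the round trip is a construct the configured sanitizer let through, which is the check the later question in this thread asks for; the benign control confirms that ordinary markup is not being stripped as well.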
03-25-2025 06:32 AM
Hi, did you find a way to test the sanitization of translated HTML fields once enforced? I have tried adding data to an existing translated HTML field, but this is already removed on save regardless of the system property (com.glide.security.check_unsanitized_html) being enabled.