Help with HTML Sanitization

Kai Tingey
Tera Guru

Hi All


I'm hoping someone can help me figure out what I'm doing wrong in the HTML Sanitizer config.

I need to blacklist some HTML elements (e.g. "form", "button", "input", "textarea", etc.) so you can't enter them into an HTML variable on the Service Portal.

I have enabled HTML Sanitizer and confirmed that it is working with the OOB settings; however, trying to add some things to the blacklist has so far been unsuccessful.

I have tried every combination of things I can think of based on the documentation and threads I can find on the internet, but it refuses to strip the <form> etc. tags from the HTML.

Based on the example in the documentation: https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/security/task/t_Confi...


I would have thought that something like:

HTML_BLACKLIST : {
    globalAttributes: {
        attribute: [],
        attributeValuePattern: {}
    },

    form: {},
},


should be close to what I need (I have tried with and without the attribute and attributeValuePattern entries), but it's not happening.

I'm sure it's a syntax mistake I am making, but I can't think of any other way to try it than I already have.

Does anyone have an example of blacklisting a tag, and not just certain attributes, that I can look at?


CJB
Tera Expert

Hi Kai. Have you had any luck with this yet? Facing the same issue.

Hi CJB


I logged it with HI support and they gave me this reply:


After extensive investigation with the assistance of the Development Team, we have identified that the HTML Sanitizer Script Include will run after an event such as inserting or updating a record.

The Script Include will not run during runtime (e.g. typing within the field) to assess and validate the entered element.

For example, if the HTML element - - is to be blacklisted from entry into the HTML fields then it will render when exiting the code editor, however, it will not be saved and excluded for when the record is saved.


Unfortunately I've been off work on extended leave and didn't get this email until after the case had closed. I have yet to validate that saving the record strips the HTML; in fact I'm fairly positive that when I was testing this, I was saving the record and the unwanted HTML tags remained. However, until I return to work I've put it on the back burner.

Community Alums
Not applicable

Remove the last comma; it should end like - form:{}};
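As an added example (not code from this thread or from ServiceNow), here is a stand-alone Node.js helper that takes an HTML_BLACKLIST object in the shape posted in the question, written without the trailing comma as the last reply suggests, lists the element names it blacklists, and reports which of those elements still appear in a saved HTML value. This is a check for verifying what actually got stored after a record save, not a sanitizer; the blacklist contents and the sample HTML below are constructed for the example.

```javascript
// Constructed blacklist in the same shape as the question's config: every key
// other than globalAttributes is an element name to blacklist. Note the object
// ends with "textarea: {}" and no trailing comma before the closing brace.
const HTML_BLACKLIST = {
  globalAttributes: {
    attribute: [],
    attributeValuePattern: {}
  },
  form: {},
  button: {},
  input: {},
  textarea: {}
};

// Return the blacklisted element names, lower-cased, in the order declared.
function blacklistedTags(blacklist) {
  return Object.keys(blacklist)
    .filter(key => key !== 'globalAttributes')
    .map(key => key.toLowerCase());
}

// Scan an HTML string for start, end or self-closing tags whose name is on
// the blacklist. Matching is case-insensitive and tolerant of whitespace and
// attributes, so "<FORM action=x>", "</form >" and "<input/>" are all caught.
// Returns the sorted, de-duplicated list of offending element names, so a
// non-empty result means the stored value was not stripped as expected.
function findBlacklistedTags(html, blacklist) {
  const names = new Set(blacklistedTags(blacklist));
  const tagRe = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)[^>]*>/g;
  const found = new Set();
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    const name = match[1].toLowerCase();
    if (names.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample of what a saved HTML variable might contain if the
// sanitizer did not strip the blacklisted elements.
const SAMPLE_HTML =
  '<p>Request details</p>' +
  '<FORM action="/x"><input type="text"/><button>Go</button></FORM>';

// findBlacklistedTags(SAMPLE_HTML, HTML_BLACKLIST) returns ['button', 'form', 'input']
```

Run the check against the value read back from the record after saving; if it returns anything, the blacklist is not being applied on save.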