Implications of Changing glide.ui.escape_html_list_field?

JosephW1
Tera Guru

Hello,

I am curious to know what the specific implications of changing the glide.ui.escape_html_list_field system property are.


At first glance, this field causes HTML tags (<p>, <li>, etc.) to disappear from list views. They disappear from list views of tables and from list reports, leaving behind only the plain text, and also heavily reducing truncation. My group finds this particularly useful for digesting such fields from list reports.


However, we are wondering if any implications might come from changing this system property. Just to be cautious.

Thank you for your time, I look forward to your input.


Kind Regards,
Joseph

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

Hi,

The system property glide.ui.escape_html_list_field escapes HTML for HTML fields in a list view. HTML is one of the types that can be assigned to the dictionary fields. Assigning "HTML" fields to any field type provides functionality to the user to format the content using HTML codes (for example, <p>,<a href>,<b>,<font>,<img> etc.). When you see the table list (for example, /problem_list.do) or view the list of records, these HTML formatted fields may appear if that column is selected in a list view and if this property is set to false.

A malicious user can inject HTML code within the form field to execute unwanted scripts on different client/user sessions. It is recommended to set this property to true so that HTML escaping is performed before the records/fields are rendered in the browser when the table is displayed as a list view.

reference: Escape HTML

Regards
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
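To make the escape-versus-render distinction concrete, here is an added illustration in plain JavaScript. It is not ServiceNow's own code and does not show how the platform implements the property internally; the flag argument, the function names (escapeHtml, renderListCell, compareSettings, and so on) and the sample field values are assumptions constructed for this example only.

```javascript
// Added illustration, not ServiceNow platform code. It models what a list cell
// holds for an HTML field under the two settings of a hypothetical boolean that
// stands in for glide.ui.escape_html_list_field. All names are assumptions.

// Escape the characters that are significant in an HTML text context so the
// browser shows them literally instead of interpreting them as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reverse of escapeHtml for the five entities above: what the browser shows on
// screen once it decodes the escaped cell. Used only to illustrate the thread's
// observation that the raw tags become visible text when escaping is on.
function decodeBasicEntities(escaped) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return String(escaped).replace(/&(amp|lt|gt|quot|#39);/g, (ent) => map[ent]);
}

// Rough approximation of the visible text when the cell is rendered as markup:
// script blocks are not displayed, other tags are consumed by the browser and
// only their text content remains. This is NOT a sanitizer; it exists only to
// show why the tags "disappear" when the property is false.
function visibleTextWhenRendered(html) {
  return String(html)
    .replace(/<script[\s\S]*?<\/script>/gi, '')
    .replace(/<[^>]*>/g, '')
    .replace(/\s+/g, ' ')
    .trim();
}

// Build the cell for one HTML field value under the given setting.
function renderListCell(fieldValue, escapeHtmlListField) {
  return escapeHtmlListField ? escapeHtml(fieldValue) : String(fieldValue);
}

// True when a cell still contains something a browser would parse as a tag.
function cellContainsActiveMarkup(cell) {
  return /<\/?[a-zA-Z]/.test(cell);
}

// Constructed sample values for an HTML field such as a Demand's "Business case".
const SAMPLE_BUSINESS_CASE = '<p>Reduce ticket volume by <b>30%</b></p>';
const SAMPLE_HOSTILE = '<p>Looks harmless</p><script>alert(1)</script>';

// Compare both settings for one value and report what reaches the browser and
// what the user would see in the list cell.
function compareSettings(fieldValue) {
  const rendered = renderListCell(fieldValue, false);
  const escaped = renderListCell(fieldValue, true);
  return {
    // property false: markup reaches the browser; tags vanish from view, text
    // remains, and any script-bearing markup is live in the viewer's session
    renderedMarkupReachesBrowser: cellContainsActiveMarkup(rendered),
    renderedVisibleText: visibleTextWhenRendered(rendered),
    // property true: markup is inert; the user sees the tags as literal text
    escapedMarkupReachesBrowser: cellContainsActiveMarkup(escaped),
    escapedVisibleText: decodeBasicEntities(escaped),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const value of [SAMPLE_BUSINESS_CASE, SAMPLE_HOSTILE]) {
    console.log(JSON.stringify(compareSettings(value), null, 2));
  }
}
```

Run with node to print both comparisons. With the flag false the sample cells show only "Reduce ticket volume by 30%" and "Looks harmless" because the browser interprets the tags, which is the "tags disappear" behaviour described in the question; with the flag true the cell text is the original markup shown literally, tag characters included. The reading view that looks cleaner is the one in which stored markup, including a script tag, is parsed by every viewer's browser, which is why the hardening guidance prefers the escaped form.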



Hi Ankur,

Can you elaborate on this a little more?

In our instance, when the property was set to false any HTML field in a list view displayed without HTML tags. When I set it to true per the Security Hardening rules, now the HTML tags display. This appears to be the opposite of the behavior described in the documentation and your response.

For example, a list of Demands including the Business case field which is HTML...

Set to false:


Set to true:


Is the desired behavior to display the HTML tags when the property is set to true?

Please check the docs:

Escape HTML

Regards
Ankur

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

The docs are showing exactly the opposite.

As per documentation:

  • Set this property to true to perform an HTML escaping before the records/fields are rendered in the browser when the table appears as a list view.
  • If set to false, and you select that column in a list view when viewing a table or record listing, these HTML formatted fields may appear.

This is doing exactly the opposite. Once I set it to false, HTML formatted fields do NOT appear in the list view.