Implications of Changing glide.ui.escape_html_list_field?

JosephW1
Tera Guru

Hello,

I am curious to know what the specific implications of changing the glide.ui.escape_html_list_field system property are.

 

At first glance, this property causes HTML tags - <p>, <li>, etc. - to disappear from list views. They disappear from list views of tables and in list reports, leaving behind only the plain text, and also heavily reducing truncation. My group finds this particularly useful for digesting such fields from list reports.


 

However, we are wondering if any implications might come from changing this system property. Just to be cautious.

Thank you for your time, I look forward to your input.

 

Kind Regards,
Joseph

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

Hi,

The system property glide.ui.escape_html_list_field escapes HTML for HTML fields in a list view. HTML is one of the types that can be assigned to dictionary fields. Assigning the "HTML" type to a field gives the user the ability to format the content using HTML tags (for example, <p>, <a href>, <b>, <font>, <img>, etc.). When you view a table list (for example, /problem_list.do) or a list of records, these HTML-formatted fields may appear if that column is selected in the list view and this property is set to false.

A malicious user can inject HTML code within the form field to execute unwanted scripts on different client/user sessions. It is recommended to set this property to true so that HTML escaping is performed before the records/fields are rendered in the browser when the table is displayed as a list view.

reference: Escape HTML

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

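As an added illustration of the point in the accepted answer, the JavaScript below is not ServiceNow's code and does not reproduce the platform's internal implementation of the property; the field value, the `escapeHtml` stand-in and the `renderListCell` helper are all constructed here. It shows what the same HTML field value looks like when a list cell is rendered with escaping on versus off, and why tag-stripping (the visual effect the original poster noticed) is a display convenience rather than the security control.

```javascript
// Added illustration, not ServiceNow code: how HTML escaping changes what a
// list cell hands to the browser for one HTML field value.

// Constructed sample: an HTML field that a user filled with legitimate
// formatting plus an inline script, the kind of content the accepted answer
// warns about.
const SAMPLE_FIELD_VALUE =
  '<p>Printer on <b>floor 3</b> is jammed.</p><script>alert(document.cookie)</script>';

// Stand-in for "escape HTML before rendering": every markup-significant
// character becomes an entity, so the browser displays the tags literally and
// never interprets them. (Assumed equivalent in effect to the platform's
// escaping; the real implementation is not shown on the page.)
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for "tags disappear, plain text remains", the effect the original
// poster observed. Note that this only changes how the text looks; it is not
// what makes the cell safe, because whatever survives is still written to the
// page as raw markup unless it is escaped.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Simulates the list renderer: with escaping enabled the value is escaped
// before being written into the cell, otherwise it goes through untouched.
function renderListCell(value, escapeHtmlListField) {
  return escapeHtmlListField ? escapeHtml(value) : value;
}

// Defensive check used here only to compare the two outputs: would this cell
// content still contain a script element if written into the DOM as markup?
function containsScriptMarkup(cellHtml) {
  return /<script\b/i.test(cellHtml);
}

// Demonstration run when executed directly.
console.log('escaping off :', renderListCell(SAMPLE_FIELD_VALUE, false));
console.log('escaping on  :', renderListCell(SAMPLE_FIELD_VALUE, true));
console.log('tags stripped:', stripTags(SAMPLE_FIELD_VALUE));
console.log('script survives without escaping:',
  containsScriptMarkup(renderListCell(SAMPLE_FIELD_VALUE, false)));
console.log('script survives with escaping   :',
  containsScriptMarkup(renderListCell(SAMPLE_FIELD_VALUE, true)));
```

The useful comparison is the last two lines: with escaping on, the `<script>` element is reduced to literal text (`&lt;script&gt;`) and can no longer execute in the viewer's session, which is the reason the accepted answer recommends keeping escaping enabled for list views. Stripping tags for readability, if that is what your instance is doing, is a separate concern and should not be relied on as the mitigation.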

8 REPLIES

sachin_namjoshi
Kilo Patron

Setting the glide.ui.escape_text property to false should not be considered, as this impacts the security of the instance, as mentioned in the Product Documentation: High Security Settings properties.

 

Regards,

Sachin

The link does not work. Please explain how it impacts the security of the instance.

gjz
Mega Sage

I have referred to the documentation many times and it doesn't seem correct.

  • Set this property to true to perform an HTML escaping before the records/fields are rendered in the browser when the table appears as a list view.
  • If set to false, and you select that column in a list view when viewing a table or record listing, these HTML formatted fields may appear.

Per the documentation above, if I set the property to false the HTML in the fields will appear. However, I'm experiencing the opposite behavior. What I need to know is: is the behavior I'm seeing in my instance the correct behavior?

It appears the documentation was incorrect and has been updated. This is how it reads now:

 

  • Set this property to false to perform an HTML escaping before the records/fields are rendered in the browser when the table appears as a list view.
  • If set to true, and you select that column in a list view when viewing a table or record listing, these HTML formatted fields may appear.