Sandbox enabled on script include

pramodkumar
Tera Expert

Hi Everyone,

I see a new checkbox 'sandbox enabled' in script include after upgrading to Xanadu. Can anyone explain what is the use of this checkbox with an example?

 

Thanks!

1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@pramodkumar 

The 'sandbox enabled' checkbox in ServiceNow's Xanadu release allows you to run scripts within a secure, restricted environment known as a sandbox. This sandbox limits the script's access to certain APIs and resources, enhancing security by preventing potentially harmful operations.

Example Use Case: Imagine you have a script include that processes user input from a client-side form. By enabling the 'sandbox enabled' checkbox, you ensure that this script runs in a controlled environment, reducing the risk of malicious code execution or unintended access to sensitive data.

More details here

Configuring Script sandbox property 

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


6 REPLIES

NS
Kilo Sage

>Can anyone explain what is the use of this checkbox with an example?

 

Here's one example (use-case): if you are calling a script include from a list filter. Let's say in this case we want to get employee numbers like so:

NS_0-1748942234027.png

If you have set `Sandbox enabled = false` on the script include, that filter will not work. The output will be `Employee Number = NULL`.

 

You'll find from error logs something along the lines of:

```
Not allowing access to script include rhino.sandbox.Super_Script_Include
Script include is not callable from the sandbox: no thrown error
```

Setting the `Sandbox enabled = true` will make the filter work.

Greetings,

 

Configuring Script sandbox property

 

There are two cases within the system that allow the client to send scripts to the server for evaluation.

  • Filters or queries: It’s legal to send a filter to the server such as: `assigned_to=javascript:getMyGroups()`. [In your case: Super_Script_Include]
  • System API: The API call `AJAXEvaluate` allows the client to run arbitrary scripts on the server and receive a response.

If you enable the script sandbox property (`glide.script.use.sandbox`), the script being evaluated via either of these two entry points runs within a reduced-rights sandbox with the following characteristics:

  • Only those business rules marked Client callable are available within the sandbox.
  • Only script includes marked Sandbox enabled are available within the sandbox.
  • Certain API calls (largely but not entirely limited to those dealing with direct DB access) aren’t allowed.
  • Data can’t be inserted, updated, or deleted from within the sandbox. Any calls to `current.update()`, for example, are ignored.

Note: Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Yokohama release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.

 

Ciao,

Subbu
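
Added example, not part of any post in this thread and not ServiceNow code: a stand-alone JavaScript check (it runs in Node.js, outside the platform) that applies the rule quoted above to a set of saved filters and reports which `javascript:` calls would be blocked the way NS describes. The inventory records, their property names (`sandboxEnabled`, `glideAjaxEnabled`), the filter strings and the method names are constructed for illustration.

```javascript
// Added example: constructed data; property and method names are hypothetical.
const scriptIncludes = [
  { name: 'Super_Script_Include', sandboxEnabled: false, glideAjaxEnabled: true },
  { name: 'GroupUtils', sandboxEnabled: true, glideAjaxEnabled: false },
];
const filters = [
  'employee_numberINjavascript:new Super_Script_Include().getEmployeeNumbers()',
  'active=true^assigned_to=javascript:new GroupUtils().getMyGroups()',
  'assigned_to=javascript:getMyGroups()',
  'active=true',
];

// Return the script text of every "javascript:" condition in an encoded query.
// Conditions are split on "^", so a script that itself contains "^" is cut short.
function scriptsInFilter(encodedQuery) {
  const scripts = [];
  for (const term of encodedQuery.split('^')) {
    const at = term.indexOf('javascript:');
    if (at !== -1) scripts.push(term.slice(at + 'javascript:'.length));
  }
  return scripts;
}

// Names a script invokes: constructors (new Foo()) and a leading call (foo(), Foo.bar()).
function referencedNames(script) {
  const names = new Set();
  for (const m of script.matchAll(/\bnew\s+([A-Za-z_$][\w$]*)/g)) names.add(m[1]);
  const lead = /^\s*([A-Za-z_$][\w$]*)\s*[.(]/.exec(script);
  if (lead) names.add(lead[1]);
  return [...names];
}

// Classify each reference using the rule quoted above: only script includes
// marked Sandbox enabled are available to filter scripts (Glide AJAX enabled
// alone is not enough).
function auditFilters(filterList, inventory) {
  const byName = new Map(inventory.map((si) => [si.name, si]));
  const findings = [];
  for (const filter of filterList) {
    for (const script of scriptsInFilter(filter)) {
      for (const name of referencedNames(script)) {
        const si = byName.get(name);
        const status = !si ? 'not-in-inventory' : si.sandboxEnabled ? 'callable' : 'blocked';
        findings.push({ filter, name, status });
      }
    }
  }
  return findings;
}
console.table(auditFilters(filters, scriptIncludes));
```

A `not-in-inventory` result means the name was not found among the listed script includes, for example because it is a business-rule function, and has to be checked separately.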