side effects to turn on glide.ui.security.allow_codetag
06-11-2017 03:58 PM
Hey folks,
I was wondering if there are any side effects to turning on glide.ui.security.allow_codetag in the Istanbul patch 5 release. Based on the Audit Compliance recommendations, the default setting on this option is on, please refer to Search
However, none of the findings at my end has found it to have a negative impact on the instance?
Would anyone advise?
Thanks in advance.
06-11-2017 04:07 PM
I am not sure about side effects, but SN does not recommend using this property, and also if you ever want to do a penetration test, SN will ask you to deactivate the property.
06-11-2017 06:56 PM
Hi George,
The default value for the allow_codetag property is true in OOB. If it was not recommended then this default value would be false.
Every instance is different and the only way to find out if there are issues with a feature is to make sure you test your instance thoroughly.
There are other system properties that are part of the High Security Settings Plugin, such as "glide.ui.escape_text", which prevents cross-site scripting.
High Security Settings - ServiceNow Wiki
If you configure certain properties in this plugin to a configuration that is not the default value, then you may have unexpected behaviour on your instance.
Having said that, there can also be defects with features in any platform so should you have any issues with the codetags feature it is best to raise it as an incident in HI for us to investigate and verify.
Kind regards,
Mansoor Omar | Technical Lead | User Experience
06-11-2017 10:26 PM
Thanks Mansoor, the instance is running Istanbul patch 5 and based on the link given, you are right it is defaulting to yes, but our team have disabled it for security concerns. I have since raised it with HI for advanced advice about turning it back on.
I will see how HI investigates this and update you.
Your response is very much appreciated.
Kind regards,
George
01-31-2018 06:10 AM
Hi George,
Will there be any impact if we disable that property (glide.ui.security.allow_codetag)?