Turning on glide.ui.security.allow_codetag is not working
04-02-2024 01:21 PM
Hi community,
Initially, when glide.ui.security.allow_codetag was true, it did update as a hyperlink, but it seems now it's not.
Cache cleared, still not working.
Any help would be appreciated.
The only thing we did is a custom URL, but all those are working okay.
Thanks

04-05-2024 05:17 AM
Hi @nowuser24 ,
Use the glide.ui.security.allow_codetag property to disable support for embedding HTML code created using the [code] tag.
- However, there is an associated security risk. If set to true, malicious users can write harmful HTML/JS code that may be executed in a different client browser after rendering of journal fields.
- Set this property to false so that administrators can prevent journal fields from rendering HTML code by disabling support for the [code] tag.
More information
Attribute | Description |
---|---|
Property name | glide.ui.security.allow_codetag |
Configuration type | System Properties (/sys_properties_list.do) |
Configure in Instance Security Center | Yes |
Purpose | Protect against cross-site scripting and malicious script execution |
Recommended value | false |
Functional impact | (Medium) This remediation enforces HTML encoding to occur on the UI and renders the encoded results to the user. This property is set to true by default. In this state, your instance displays rendered HTML in journal fields and forms. If this property is set to false, HTML is not rendered properly and HTML tags may appear in journal fields on forms. It can have an adverse impact on functionality, and on user interactions with the resulting data. |
Security risk | (Medium) Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute on a user session in the logged in browser's context. Attackers can use it to steal session information and sensitive data. |
References | Restrict the CODE tag in journal fields |
The default value for the allow_codetag property is true in OOB. If it was not recommended then this default value would be false.
Every instance is different and the only way to find out if there are issues with a feature is to make sure you test your instance thoroughly.
There are other system properties that are part of the High Security Settings Plugin, such as "glide.ui.escape_text", which prevents cross-site scripting.
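
The trade-off described in the table above, as an added example that is not part of the original thread and is not ServiceNow's code: a simplified JavaScript model of journal rendering with the [code] tag allowed versus disabled. The names `escapeHtml` and `renderJournal` and the sample entries are constructed for illustration, and the model assumes that a disabled [code] tag leaves the whole entry as encoded text.

```javascript
// Simplified model of journal-field rendering. NOT ServiceNow's implementation;
// escapeHtml and renderJournal are hypothetical names used only in this example.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// allowCodeTag stands in for the value of glide.ui.security.allow_codetag.
function renderJournal(entry, allowCodeTag) {
  if (!allowCodeTag) {
    // Property false: the entry is HTML-encoded as a whole, so markup inside
    // [code] is shown as literal text (assumption of this model: the [code]
    // markers stay visible; a real instance may display them differently).
    return escapeHtml(entry);
  }
  // Property true: text outside [code] is encoded, text inside is passed
  // through untouched and reaches the browser as live HTML.
  const re = /\[code\]([\s\S]*?)\[\/code\]/gi;
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(entry)) !== null) {
    out += escapeHtml(entry.slice(last, m.index));
    out += m[1];
    last = re.lastIndex;
  }
  return out + escapeHtml(entry.slice(last));
}

// Constructed sample journal entries (not taken from any real instance).
const linkEntry = 'See [code]<a href="https://example.com/kb">KB article</a>[/code]';
const scriptEntry = 'Note <b>x</b> [code]<script>alert(1)</script>[/code]';

for (const allow of [true, false]) {
  console.log(`allow_codetag=${allow}`);
  console.log('  ' + renderJournal(linkEntry, allow));
  console.log('  ' + renderJournal(scriptEntry, allow));
}
```

With the flag off, the hyperlink from the question shows up as encoded text, which matches the functional impact listed in the table; with it on, the same path that renders the link also passes the script element through.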