Function of com.glide.csp.self_script_src_svg

VibhaSastry

What is the function of the com.glide.csp.self_script_src_svg property, and how can we accurately verify whether the property is working fine?

Additionally, what are the implications of enabling/disabling this property


When I said loading, I was referring to external SVG images that you load into the instance, not the OOB ones. The vulnerability that was fixed was part of loading an external SVG image.

I have tried loading an external SVG image into the images table as well, with the property set to both true and false; in both cases I am able to load the images into the ServiceNow instance. Please let me know how I can accurately validate this property, as this method is not working in my PDI.


Hi @VibhaSastry 


The vulnerability referred to a way of crafting JavaScript inside the SVG image which would be executed when the image is rendered in ServiceNow, therefore loading a normal SVG image would work irrespective of the property value. I cannot disclose the full vulnerability.

If I enable the property, how can I unit test?

I cannot tell you how to unit test, since I cannot disclose the full vulnerability, as I mentioned before.
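The replies above establish two things a tester can work with without knowing the undisclosed details: the risk is script embedded in an SVG running when the image is rendered, and a plain SVG loads fine whatever the property is set to. Two generic checks follow from that, independent of ServiceNow: inspect the Content-Security-Policy header the instance returns for the page that renders the image, and scan uploaded SVG files for script-bearing content before they reach the images table. The Python below is an added example, not code from the thread or from ServiceNow; it assumes nothing about what com.glide.csp.self_script_src_svg actually writes into the header (the property name merely suggests it affects the script-src directive for SVG responses), so it only answers "does this policy permit inline script" and "does this SVG carry script". The SVG samples and header strings are constructed for the example.

```python
"""Generic checks for script-in-SVG exposure (added example; not ServiceNow code).

Assumptions: the instance's CSP header is obtained by the caller (e.g. from a
requests response); the property's exact effect on that header is not known
from the thread, so this only evaluates the header it is given.
"""
import xml.etree.ElementTree as ET

HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_script_allowed(header: str) -> bool:
    """True if the policy would let inline <script> / on* handlers execute.

    Follows the CSP rules: script-src falls back to default-src; no applicable
    directive means no restriction; 'unsafe-inline' is ignored when a nonce or
    hash source is also present.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    return not any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in lowered)


def svg_script_findings(svg_text: str) -> list:
    """List the reasons an SVG could run script when rendered inline.

    Flags <script> elements, on* event handler attributes, and javascript: URLs
    in href/xlink:href. For untrusted input at scale prefer defusedxml over the
    stdlib parser; the stdlib is used here so the example runs stand-alone.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip namespace
        if tag == "script":
            findings.append("<script> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # handles xlink:href
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed samples: a harmless icon and one carrying script.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="red"/></svg>'
)
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    "<script>console.log('constructed sample')</script>"
    '<rect width="1" height="1" onload="console.log(2)"/></svg>'
)

if __name__ == "__main__":
    for label, hdr in (("strict", "default-src 'self'; script-src 'self'"),
                       ("loose", "script-src 'self' 'unsafe-inline'")):
        print(label, "inline script allowed:", inline_script_allowed(hdr))
    print("clean  :", svg_script_findings(CLEAN_SVG))
    print("scripted:", svg_script_findings(SCRIPTED_SVG))
```

To use the header check against an instance, request the page or image URL that renders the uploaded SVG and pass its Content-Security-Policy response header to inline_script_allowed with the property on and off; if the two headers do not differ, the property is not acting on that response and the check above cannot tell you more. The SVG scanner is the reviewer-side control: a file that yields no findings is the "normal SVG image" the reply says will load regardless of the property.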