
HTML/JavaScript Codetag Properties

adementiev
Tera Contributor

Hey community,

Has anybody been able to properly identify the implications/risks involved with enabling the following two properties? I'm specifically focusing on the first one, which covers HTML embedding according to the ServiceNow documentation.

glide.ui.security.allow_codetag
glide.ui.security.codetag.allow_script

The documentation (as well as ServiceNow support's response in a case) suggests that both of these properties make you vulnerable to JavaScript client script attacks. However, you would assume that the first property only allows for HTML embedding, while the second allows for JavaScript. 

We recently disabled these properties and are noticing some undesired behavior in journal entries. We would like to re-enable the first property if it only allows HTML codetags but still disables JavaScript; however, we can't seem to find an answer on whether or not this is actually how it works.

Any feedback would be helpful. Thanks in advance!
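To make the distinction in the question concrete, here is an added example (not ServiceNow's code or configuration): an allowlist sanitizer for the HTML inside [code]...[/code] journal codetags that keeps formatting tags and http(s)/relative links while dropping script bodies, event-handler attributes and javascript: URLs. The allowlist, the sample entries and the example.invalid URL are constructed assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this illustration, not ServiceNow's actual configuration.
ALLOWED_TAGS = {"b", "i", "u", "br", "p", "ul", "li", "a"}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")     # rejects javascript:, data:, etc.

class CodeTagSanitizer(HTMLParser):
    """Re-emits allowlisted tags only; drops <script>/<style> bodies and all attributes but <a href>."""
    def __init__(self):
        super().__init__()                            # convert_charrefs=True: &emsp; -> U+2003
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1                      # swallow everything until the end tag
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                # only <a href> survives, and only with an http(s) or relative target;
                # every other attribute, including on* event handlers, is dropped
                if tag == "a" and name == "href" and (value or "").strip().lower().startswith(SAFE_HREF_PREFIXES):
                    kept.append(f' href="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")  # disallowed tags vanish, their text stays

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))             # decoded text is re-escaped on output

def sanitize_codetags(journal_text):
    """Sanitize the HTML inside every [code]...[/code] block; text outside is unchanged."""
    def _clean(match):
        parser = CodeTagSanitizer()
        parser.feed(match.group(1))
        parser.close()
        return "".join(parser.out)
    return re.sub(r"\[code\](.*?)\[/code\]", _clean, journal_text, flags=re.S)

# Constructed sample journal entries (not real instance data).
SAMPLE_ENTRIES = {
    "kb_link": '[code]<a href="https://example.invalid/kb/KB0000001">KB0000001</a>[/code]',
    "assist_summary": "[code]Summary:<br><br>Password reset&emsp;completed[/code]",
    "hostile": '[code]<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">link</a>[/code]',
}
```

The KB link and the Now Assist style formatting survive intact, while the third entry is reduced to `<b>hi</b><a>link</a>`, which is the behaviour "HTML but no JavaScript" would have to guarantee.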


GlideFather
Tera Patron

Hi @adementiev,

And what's that undesired behaviour?

OOTB these properties are set accordingly:

[Screenshot: GlideFather_0-1756200833344.png]

———
/* If my response wasn’t a total disaster ↙️ drop a Kudos or Accept as Solution ↘️ Cheers! */


That first property is set to true, but running the OOB instance scan related to security will flag it, because the recommendation is to turn it off.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

@Mark Manders okay, didn't know that, thanks for sharing this



As @Mark Manders mentioned correctly, that's how we arrived at this situation. It got flagged as a recommended security hardening configuration to disable this property, which we did, and then we immediately got negative feedback from our Service Desk team on some output behavior.

Some of the side effects that we've seen so far:
- Attaching knowledge articles in the customer comments/journal entries no longer links directly to the KB. 
- The Now Assist work note summarization is unable to use markdown HTML to format journal entries, so it's outputting messy text with <br><br> and &emsp; codetags all over the output.