HTML/JavaScript Codetag Properties
a month ago
Hey community,
Has anybody been able to properly identify the implications/risks involved with enabling the following two properties? Specifically focusing on the first one, which concerns HTML embedding according to ServiceNow documentation.
glide.ui.security.allow_codetag
glide.ui.security.codetag.allow_script
The documentation (as well as ServiceNow support's response in a case) suggests that both of these properties make you vulnerable to JavaScript client script attacks. However, you would assume that the first property only allows for HTML embedding, while the second allows for JavaScript.
We recently disabled these properties and are noticing some undesired behavior in journal entries. We would like to re-enable the first property if it only allows for HTML codetags but still disables JavaScript; however, we can't seem to find an answer on whether or not this is actually how it works.
Any feedback would be helpful. Thanks in advance!
4 weeks ago
That's why it's default 'on'. Most of my customers have just accepted it, because the use of code tags in work notes and comments really helps in communicating.
I don't know if you are using Workspaces, but there is a system property (glide.ui.journal.use_html) that makes the journal fields HTML fields on the workspace. Then you don't need code tags for journal fields, because the field already provides it.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
4 weeks ago
Thank you @Mark Manders, appreciate your feedback and taking a look. I don't think this property will bring us to a resolution that our teams want, but it's interesting nonetheless and I was not aware of it. Poked around with it a bit, and it certainly has a use in at least perhaps advertising Workspaces more (which we are actively trying to do).
Thank you for the tips and have a great weekend.
4 weeks ago
Upon testing around with this property, it actually turns out that the final result of a pasted comment or work note is still going to give the broken text without the HTML formatting since we have that other property disabled. Was worth a try I suppose!
4 weeks ago
Well... using code tags to embed a dangerous link into the comments/work notes of a ticket would be a risk, right? That it's just for HTML doesn't mean it's safe. Adding the code to make text bold/italic is great, but you can do a whole lot more with HTML than just that.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
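The point above, that HTML-only code tags still admit more than bold/italic, can be checked against existing journal text before the property is switched back on. The following is an added example, not code from this thread or from ServiceNow: it pulls every `[code]...[/code]` block out of a journal entry and reports tags outside a small formatting allow-list plus markers of active content (script tags, event handlers, `javascript:` URLs, frames/forms). The allow-list, the risk patterns and the sample work notes are assumptions constructed for the example.

```javascript
// Added example: audit ServiceNow journal text for [code] blocks whose HTML goes
// beyond simple formatting. The allow-list below is an assumption for this example.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'br', 'p', 'ul', 'ol', 'li', 'pre']);

// Markers of active content that HTML alone can carry even when <script> is blocked.
const RISKY = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded-frame', re: /<\s*(iframe|object|embed|form)\b/i },
];

// Return the inner HTML of every [code]...[/code] block (non-greedy, spans newlines).
function extractCodeBlocks(text) {
  const blocks = [];
  const re = /\[code\]([\s\S]*?)\[\/code\]/gi;
  let m;
  while ((m = re.exec(text)) !== null) blocks.push(m[1]);
  return blocks;
}

// One finding per code block: matched risk names, tags outside the allow-list,
// and a combined verdict.
function auditJournalEntry(text) {
  return extractCodeBlocks(text).map((html, index) => {
    const risks = RISKY.filter((r) => r.re.test(html)).map((r) => r.name);
    const tags = [...html.matchAll(/<\s*\/?\s*([a-z][a-z0-9]*)/gi)].map((t) => t[1].toLowerCase());
    const disallowed = [...new Set(tags.filter((t) => !ALLOWED_TAGS.has(t)))];
    return { index, risks, disallowed, safe: risks.length === 0 && disallowed.length === 0 };
  });
}

// Summarise a batch of entries: how many contain at least one unsafe code block.
function summarize(entries) {
  const perEntry = entries.map(auditJournalEntry);
  const unsafeEntries = perEntry.filter((f) => f.some((b) => !b.safe)).length;
  return { entries: entries.length, unsafeEntries, perEntry };
}

// Constructed sample work notes (not real ticket data).
const SAMPLE_NOTES = [
  'Restarted the service. [code]<b>Root cause:</b> disk full[/code]',
  'See [code]<a href="javascript:void(0)">vendor portal</a>[/code] for details',
  '[code]<img src="x" onerror="doSomething()">[/code]',
];

console.log(JSON.stringify(summarize(SAMPLE_NOTES), null, 2));
```

Inside an instance the same `auditJournalEntry` can be run as a background script over a `GlideRecord` on `sys_journal_field`, feeding it `gr.getValue('value')` for each row (assumed deployment, not shown here).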
4 weeks ago
@adementiev There are quite a lot of recommendations in HealthScan; it depends on how vulnerable your organisation is. Some orgs accept the risk and move forward, some do not.
The orgs which do accept the risk have to set up the process and let their users know that certain things won't work.
This is totally dependent on your organization's process.