HTML/JavaScript Codetag Properties
a month ago
Hey community,
Has anybody been able to properly identify the implications/risks involved with enabling the following two properties? Specifically focusing on the first one which focuses on HTML embedding according to ServiceNow documentation.
glide.ui.security.allow_codetag
glide.ui.security.codetag.allow_script
The documentation (as well as ServiceNow support's response in a case) suggests that both of these properties make you vulnerable to JavaScript client script attacks. However, you would assume that the first property only allows for HTML embedding, while the second allows for JavaScript.
We recently disabled these properties and are noticing some undesired behavior in journal entries. We would like to re-enable the first property if it only allows for HTML codetags but still disables JavaScript; however, we can't seem to find an answer on whether or not this is actually how it works.
Any feedback would be helpful. Thanks in advance!
4 weeks ago
Thanks for taking a look Raghav,
Yeah, unfortunately we kind of approached the health scan recommendations a bit too aggressively and changed everything that we assumed wouldn't be a big impact, with one of the properties essentially killing all functionality in this particular area. It's a shame, but I understand that ServiceNow's job isn't really to advise company by company, so they propose all security hardening settings across the line.
Either way, something for us to now see if we can manage a feasible workaround for.
Have a great weekend, thank you.