10-16-2018 12:14 AM
We are trying to sanitize feedback from a web page that is coming into a Comment field (string). The documentation mentions the html_sanitize attribute can be used on all fields to fix that; however, even after activating the attribute in the dictionary, the field still triggers unwanted code.
Am I missing some steps, or will it be necessary to change format of the field?
Thanks for your help.
10-17-2018 01:15 PM
Hi Pavel,
I played around in my dev instance a bit and I believe the documentation may be incorrect - specifically the part that it can be on any kind of field. When I went into the dictionary entry for a string field and added the html_sanitize attribute - the record for the html_sanitize attribute itself explicitly stated that it is only applicable to HTML and Translated HTML fields in the "Applies to description" field.
I'll pass this discrepancy along as a Problem on HI. Either way - one of the two areas is incorrect.
In any event, I might suggest using a Business Rule to parse that field as it is updated, and remove any undesired tags.
Best of luck!
Alex
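One way to write the Business Rule suggested in the reply above, as an added example that is not part of the original post or ServiceNow's own code. It assumes a before insert/update rule and a hypothetical plain-text field named `u_comment`; `stripMarkup` and `COMMENT_FIELD` are illustrative names.

```javascript
// Added example. Assumption: feedback is stored in a plain-text string
// field; "u_comment" is a hypothetical column name.
var COMMENT_FIELD = 'u_comment';

// Reduce untrusted input to plain text so that no tag, and therefore no
// event-handler attribute such as onmouseover, can survive.
function stripMarkup(input) {
  var text = String(input == null ? '' : input);
  var before;
  // Repeat until stable: removing one tag can splice the surrounding
  // fragments into a new tag (e.g. "<a<b> onmouseover=...>").
  do {
    before = text;
    text = text.replace(/<[^<>]*>/g, '');
  } while (text !== before);
  // A bracket that is still present belongs to an unclosed or malformed
  // tag, which a browser may still parse. Drop it.
  return text.replace(/[<>]/g, '');
}

// Body of the Business Rule. In the instance this is wrapped as
// (function executeRule(current, previous) { ... })(current, previous);
// `current` is the GlideRecord being saved.
function executeRule(current, previous) {
  var raw = current.getValue(COMMENT_FIELD);
  if (raw === null) {
    return null; // empty field, nothing to clean
  }
  var clean = stripMarkup(raw);
  if (clean !== raw) {
    current.setValue(COMMENT_FIELD, clean);
  }
  return clean;
}
```

Because the field is meant to hold plain text, the rule removes all markup instead of filtering a list of bad attributes, so there is no blacklist to keep current. A literal `<` or `>` typed by a user is also dropped.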
10-16-2018 09:21 AM
Hi PavelP,
Could you please describe the unwanted effect in a little more detail?
In case it helps, here is some additional documentation on the HTML Sanitizer at the instance level:
https://docs.servicenow.com/bundle/london-platform-administration/page/administer/security/concept/c_HTMLSanitizer.html
Note that there are lower level pages that show how to configure the behavior.
Alex
10-17-2018 05:19 AM
Currently, for testing, we use an onmouseover link as the unwanted effect. Onmouseover is under blacklisted attributes, but the link is still functional.
10-17-2018 11:23 PM
Okay, good to know. Thanks so much for your help.
Can you please post the number of the HI ticket here, or its result?