Is the "Check Unsanitized HTML" feature mentioned in "Instance Security Hardening" still valid?

Leonard Ambos
Mega Sage

While running through the Instance Security Hardening guide (/isc?id=security_hardening), our instance was identified as being non-compliant for "Check Unsanitized HTML". The ISC guide says that this property is controlled by 'com.glide.security.check_unsanitized_html', which is a safe db property and can't be reverted once changed. The ISC guide indicates that the property is currently set to 'log_only' (recommendation is 'enforced'), but that property doesn't actually appear on the sys_properties table.

ServiceNow doesn't seem to have much information about this system property; the only page that mentioned the property directly is the "High Security Settings" doc page, which says the property "Enforces sanitization behavior of translated_html fields on a global level for field assignments."
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/concept/c_HighSecuritySettings.html

Additionally, the Safe override doc page doesn't appear to list "Check Unsanitized Html" as a non-revertible property:
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/safe-override.html

The ISC link for "Check Unsanitized Html" appears broken, but "HTML sanitizer" seems to be similar in purpose. However, this feature appears to use the 'glide.html.sanitize_all_fields' and 'glide.translated_html.sanitize_all_fields' properties, both of which we already have set.
https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/concept/c_HTMLSanitizer.html

1. Is "Check Unsanitized Html" still a supported feature?
2. Is "Check Unsanitized Html" actually non-revertible?
3. How is "Check Unsanitized Html" different from "HTML sanitizer"?
4. If "Check Unsanitized Html" is actually different from "HTML sanitizer", is there a way to see what translated_html the "Check Unsanitized Html" feature is currently logging, but would alter if the feature were enforced?

1 ACCEPTED SOLUTION

It looks like the ISC link for "Check Unsanitized Html" has been fixed since I originally posted this, and goes to the link you'd provided. I was still confused, as that doc page doesn't have much info, and contains a link to HTML Sanitizer which already mentions Translated HTML.

I ran a few tests to get a better understanding of the difference between "Check Unsanitized Html" and "HTML sanitizer", which I'll attempt to summarize here.

glide.html.sanitize_all_fields (HTML sanitizer) ONLY affects HTML fields, not translated HTML; the html_sanitize=true attribute can override this on a per-variable basis
com.glide.security.check_unsanitized_html (Check Unsanitized Html) ONLY affects Translated HTML fields; the html_sanitize=true attribute can NOT be used to override Translated HTML fields on a per-variable basis
glide.html_sanitize.discarded_log.enable logs ANY HTML/Translated HTML fields that would be sanitized based on the HTMLSanitizerConfig script, even if the field is not set to sanitize

The config in the HTMLSanitizerConfig script include affects BOTH HTML and Translated HTML sanitization. As noted in the HTML sanitizer doc page, this config file is not exhaustive; there's a BUILTIN_HTML_WHITELIST included on the doc page which isn't accessible by users on the instance. The config file indicates that any items added to the black list override the white list, but since the config file doesn't mention the builtin whitelist, it's not clear if those can be overridden.

There's a second level of sanitization that appears to only happen on Translated HTML fields, even when com.glide.security.check_unsanitized_html is not set to enforce. I'm not sure what tags are affected, but any <script> and </script> tags in Translated HTML fields are escaped and replaced with &lt;script&gt; and &lt;/script&gt;.

Despite the Check Unsanitized Html doc page listing the recommended value of "true", the only valid value for the com.glide.security.check_unsanitized_html property is "enforce"; trying to set any other value (true, false, log_only, etc.) results in the error message "Not allowing set of unsafe property value: com.glide.security.check_unsanitized_html=log_only". It IS still possible to delete the sys_property record, which prevents sanitization of Translated HTML fields.

Sanitization is applied on field write, so any sanitized tags/attributes that were set before enabling HTML/Translated HTML are NOT altered when displaying the record.

In case anyone wants to try to reproduce these results, I ran all these tests against kb_knowledge.text (Translated HTML) and kb_template_faq.kb_question (HTML). The WYSIWYG editor already limits what HTML you can add and the list view doesn't let you edit those fields, so all field updates were done through GlideRecord updates in a background script.
So to answer my original questions:

  1. "Check Unsanitized Html" is a supported feature
  2. The com.glide.security.check_unsanitized_html property can be reverted by deleting the system property, but not by changing the value of the property
  3. "Check Unsanitized Html" is a subset of HTML Sanitizer, but the com.glide.security.check_unsanitized_html property is entirely separate from the glide.html.sanitize_all_fields property, as one only handles Translated HTML and the other only handles HTML
  4. There's no great way to see what fields would be impacted by "Check Unsanitized Html", since the glide.html_sanitize.discarded_log.enable property enables logging for both HTML and Translated HTML fields. The logs indicate the table and column name, but not whether the column is HTML or Translated HTML. You can probably write a script to look up that information, but it isn't readily available.
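For point 4 above, here is an added example (not code from the original post or from ServiceNow) of the lookup script the answer suggests: it takes table/column pairs already extracted from the discarded log, looks each column's type up, and reports which of the two properties would govern it. The GlideRecord branch against sys_dictionary is only exercised on an instance (the script assumes the column is defined directly on that table, since inherited columns live on the parent's dictionary entry); offline it falls back to a constructed dictionary so the logic can be run and checked. The sample entries and the FAKE_DICTIONARY contents are constructed, not taken from a real log.

```javascript
// Added example (not from the original post or from ServiceNow): classify
// discarded-log entries by field type. The discarded log names the table and
// column, so each column is looked up in sys_dictionary and reported as
// 'html' (governed by glide.html.sanitize_all_fields) or 'translated_html'
// (governed by com.glide.security.check_unsanitized_html).
// ES5 syntax on purpose: ServiceNow background scripts run on Rhino.

// Assumption: entries have already been pulled out of the discarded log as
// {table, column} pairs; the page does not show the log's exact line format.

// Constructed stand-in for sys_dictionary so the script runs offline.
var FAKE_DICTIONARY = {
  'kb_knowledge.text': 'translated_html',
  'kb_template_faq.kb_question': 'html',
  'incident.description': 'string'
};

function lookupFieldType(table, column) {
  if (typeof GlideRecord !== 'undefined') {
    // On an instance: sys_dictionary stores the column type in internal_type.
    // Assumes the column is defined on this table, not inherited from a parent.
    var gr = new GlideRecord('sys_dictionary');
    gr.addQuery('name', table);
    gr.addQuery('element', column);
    gr.query();
    if (gr.next()) {
      return gr.getValue('internal_type');
    }
    return null;
  }
  var key = table + '.' + column;
  return Object.prototype.hasOwnProperty.call(FAKE_DICTIONARY, key) ? FAKE_DICTIONARY[key] : null;
}

// Map a dictionary type to the property that would sanitize writes to it.
function whichSanitizerApplies(fieldType) {
  if (fieldType === 'translated_html') {
    return 'com.glide.security.check_unsanitized_html';
  }
  if (fieldType === 'html') {
    return 'glide.html.sanitize_all_fields';
  }
  return null; // not an HTML-typed column, so neither property governs it
}

// Bucket each logged table.column by the property that would act on it.
function classifyDiscardedFields(entries) {
  var report = { translated_html: [], html: [], other: [] };
  for (var i = 0; i < entries.length; i++) {
    var e = entries[i];
    var name = e.table + '.' + e.column;
    var type = lookupFieldType(e.table, e.column);
    if (type === 'translated_html') {
      report.translated_html.push(name);
    } else if (type === 'html') {
      report.html.push(name);
    } else {
      report.other.push(name);
    }
  }
  return report;
}

// Constructed sample of the table/column pairs the discarded log reports.
var SAMPLE_ENTRIES = [
  { table: 'kb_knowledge', column: 'text' },
  { table: 'kb_template_faq', column: 'kb_question' },
  { table: 'incident', column: 'description' }
];

var result = classifyDiscardedFields(SAMPLE_ENTRIES);
// gs.info only exists on the instance; use console.log when run elsewhere.
var log = (typeof gs !== 'undefined') ? function (m) { gs.info(m); } : function (m) { console.log(m); };
log('Would change under check_unsanitized_html=enforce: ' + result.translated_html.join(', '));
log('Would change under sanitize_all_fields: ' + result.html.join(', '));
log('Logged but not HTML-typed: ' + result.other.join(', '));
```

Run it as a background script after turning on glide.html_sanitize.discarded_log.enable and feeding in the table/column pairs from the log; the translated_html bucket is the set of fields that would start being altered once com.glide.security.check_unsanitized_html is set to enforce.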


13 REPLIES

Ashok Doddam
Kilo Explorer

Hi All,

Does anyone have more info about the com.glide.security.check_unsanitized_html property? Please help.

Swetha Guligari
Tera Contributor

@Leonard Ambos : Do you have any update on this? I have a similar requirement. Your input will be helpful.

Brian Lancaster
Tera Sage

If you go through the Instance Security Center and set it to enforce there, it will create the system property.


My question was more of why it says "log_only" for us if the sys_property is not set, and if it is logging, where is it logging to?