Escape JavaScript (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use the glide.html.escape_script property to force escaping of JavaScript (<script></script>) tags in HTML fields when they are rendered in list views.

    HTML is one of the types that can be assigned to dictionary fields. A field of type HTML lets users format its content with HTML markup (for example, <p>, <a href>, <b>, <font>, <img>). If glide.html.escape_script is set to false, <script></script> tags stored in such a field may appear unescaped when you select that column in a list view while viewing a table or record listing.

    A malicious attacker can insert JavaScript code by embedding it within <script></script> tags in the field. The attacker can take advantage of this by injecting a sophisticated JS vector that may execute when any user opens the table record.

    More information

    Property name: glide.html.escape_script
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: Yes
    Purpose: To prevent cross-site scripting attacks against an application.
    Recommended value: true
    Functional impact: This remediation enforces JavaScript escaping on the UI and renders encoded results to the user. It can affect functionality, depending on how instance users interact with the resulting data.
    Security risk: High. Input validation must occur in the application to defend against cross-site scripting attacks. These attacks let foreign scripts execute within the logged-in user's browser session, and attackers can use them to steal session information and sensitive data.
    References

    Available system properties

    High Security Settings

    To learn more about adding or creating a system property, see Add a system property.