Enable HTML Sanitizer [Updated in Security Center 1.3]

  • Release version: Yokohama
  • Updated January 30, 2025
  • 1 minute to read
  • Use the glide.html.sanitize_all_fields property to enable the HTMLSanitizer script include, which sanitizes HTML input based on the exclusion list and inclusion list of tags and attributes configured in a script.

    The dictionary offers the field types HTML and Translated HTML. These fields let users enter HTML-formatted input, for example:

    <h1>Test</h1>, using basic HTML tags such as <img>, <a href …>, and <iframe>.

    Without sanitization, this opens the door for an attacker to inject a malicious vector with HTML tags such as:

      <IMG SRC=" &#14; JavaScript:alert('XSS');">
      <IMG onmouseover="alert('xss')">
      <a href="" onclick=alert(/xss/)>

    Note that the first vector hides the javascript: scheme behind leading whitespace and a numeric character reference (&#14;); browsers tolerate this, so a sanitizer must normalize the URL before checking its scheme rather than simply matching the literal string.

    More information

    Attribute: Description

    Property name: glide.html.sanitize_all_fields
    Configuration type: System Properties (/sys_properties_list.do)
    Category: Validation, sanitization, and encoding
    Purpose: Protects the application against cross-site scripting and HTML injection attacks
    Recommended value: true
    Default value: true
    Security risk rating: 8.8
    Functional impact: This remediation enforces an HTML-output encoding mechanism before user data is rendered back to the user. If the customer has any customization that depends on rendering raw HTML attribute or content data, that customization is affected.
    Security risk (High): User input must be handled securely while the data is stored and processed by the application. This property reduces client-side cross-site scripting attacks by output encoding the data.
    Workaround: This property sanitizes all HTML fields in the system. If you need HTML sanitization only on individual fields, see Enable sanitization on individual fields. You can also configure the inclusion list or exclusion list to sanitize HTML tags and attributes according to your organization's policy.
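    The following is an added example, not ServiceNow's HTMLSanitizer script include and not code from this page: a small stand-alone Node.js sanitizer that applies an inclusion list of tags and attributes and an exclusion list of attribute names, then runs the three attack vectors quoted above through it. The tag set, the allowed attributes, the allowed URL schemes and the sample inputs are all assumptions chosen for illustration; a real instance's lists come from its own configuration. The point it demonstrates is the URL normalization step: the `&#14; JavaScript:` vector only gets caught because character references are decoded and control characters stripped before the scheme is checked.

```javascript
// Added example: minimal allowlist HTML sanitizer (NOT ServiceNow's HTMLSanitizer).
// Inclusion list (assumed for illustration): tag -> attributes allowed to survive.
const ALLOWED_TAGS = {
  h1: [], h2: [], p: [], b: [], i: [], br: [], ul: [], li: [],
  a: ['href', 'title'],
  img: ['src', 'alt', 'width', 'height'],
};
// Exclusion list: any event-handler attribute is dropped even on allowed tags.
const DENIED_ATTR_PREFIX = /^on/i;              // onclick, onmouseover, onerror, ...
// URL-bearing attributes must be relative or use one of these schemes (assumed).
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decode a numeric code point defensively (out-of-range values become nothing).
function fromCodePoint(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode numeric character references, then strip ASCII control chars and
// whitespace. This is what defeats " &#14; JavaScript:..." obfuscation:
// browsers ignore the junk, a literal startsWith('javascript:') check does not.
function normalizeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)));
  return decoded.replace(/[\u0000-\u0020\u007f]/g, '');
}

// A URL is safe if it has no scheme (relative) or its scheme is on the allowlist.
function urlIsSafe(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(value));
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// One attribute: name, optionally followed by ="..." | '...' | bare value.
const ATTR_RE = /([^\s"'=<>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rewrite a single tag: drop it if not on the inclusion list, otherwise keep
// only allowed attributes whose values pass the URL check.
function sanitizeTag(rawTag) {
  const m = /^<(\/?)([a-z][a-z0-9]*)\b([^>]*?)\/?>$/i.exec(rawTag);
  if (!m) return '';                                  // malformed or non-element: drop
  const closing = m[1] === '/';
  const name = m[2].toLowerCase();
  const allowedAttrs = ALLOWED_TAGS[name];
  if (allowedAttrs === undefined) return '';          // tag not on inclusion list
  if (closing) return `</${name}>`;
  const kept = [];
  for (const a of m[3].matchAll(ATTR_RE)) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (DENIED_ATTR_PREFIX.test(attr)) continue;      // exclusion list
    if (!allowedAttrs.includes(attr)) continue;       // inclusion list
    if (URL_ATTRS.has(attr) && !urlIsSafe(value)) continue;
    kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? `<${name} ${kept.join(' ')}>` : `<${name}>`;
}

// Sanitize a fragment: strip comments, then rewrite every tag. Text between
// tags is left untouched; the browser treats it as data, not markup.
function sanitizeHtml(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '').replace(/<[^>]*>/g, sanitizeTag);
}

// Constructed inputs: the three vectors quoted on this page plus benign markup.
const SAMPLES = [
  '<h1>Test</h1>',
  '<IMG SRC=" &#14; JavaScript:alert(\'XSS\');">',
  '<IMG onmouseover="alert(\'xss\')" src="/img/ok.png">',
  '<a href="" onclick=alert(/xss/)>click</a>',
  '<iframe src="https://evil.example"></iframe>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeHtml(s)));
}
```

    Running it shows the image tag surviving with its javascript: source removed, the event handlers stripped from the image and anchor, and the iframe dropped entirely because it is not on the inclusion list. Extending the allowlist is a deliberate act, which is the same trade-off the Functional impact row above describes: every tag or attribute you admit is one the sanitizer no longer protects you from.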

    References

    Enabling HTML sanitizer

    HTML sanitizer

    To learn more about adding or creating a system property, see Add a system property.