Allow HTML Links to Trusted Domains in the Description Fields of the Impact Workspace Module [New in Security Center 7.0]
Use a system property to help sanitize the HTML allowed in the description fields. This property limits the allowed links to only those from the trusted domains listed in the property.
The Impact Workspace module allows HTML in a number of description-related fields. When configured, the sn_impact_common.whitelisted.url_HTML_injection system property contains a comma-separated list of domain names. Description fields for the Impact Workspace module are allowed to contain HREFs with URLs only from the domains listed in the property.
Ensure the sn_impact_common.whitelisted.url_HTML_injection system property is set to a comma-separated list of domain names that represent the domains allowed in HTTP reference URLs of description fields for the Impact Workspace module.
To disallow HREFs in these fields, set the property to an empty string. If the property doesn’t exist on the System Properties [sys_properties] table, it defaults to this list: servicenow.com, service-now.com, youtube.com, google.com, youtu.be, soti.net, dpdhl.sharepoint.com, documentation.avaya.com, www.juniper.net, servicenow.sharepoint.com, servicenow-my.sharepoint.com, scaledagileframework.com.
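A pre-change check for the behavior described above, added here as an example and not ServiceNow code: it lists which links in a description would fall outside a proposed property value. The function names, the sample HTML, and the matching rule (host equals a listed domain or is a subdomain of one) are assumptions; the platform's own matching may differ.

```javascript
// Added example, not platform code. Runs in Node.js with no dependencies.

// Split the property value as the page describes it: comma-separated domain names.
function parseAllowlist(propertyValue) {
  return propertyValue
    .split(',')
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0);
}

// Assumption: a host is trusted if it equals a listed domain or is a subdomain of it.
// The leading dot in the suffix test keeps "servicenow.com.example.net" from matching.
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return allowlist.some((d) => h === d || h.endsWith('.' + d));
}

// Return every quoted href whose target is outside the list, with the reason.
function linksOutsideAllowlist(html, propertyValue) {
  const allowlist = parseAllowlist(propertyValue);
  const flagged = [];
  const hrefPattern = /href\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = hrefPattern.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2];
    let url;
    try {
      url = new URL(raw);
    } catch (e) {
      flagged.push({ href: raw, reason: 'not an absolute URL' });
      continue;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      flagged.push({ href: raw, reason: 'scheme ' + url.protocol });
    } else if (!hostAllowed(url.hostname, allowlist)) {
      flagged.push({ href: raw, reason: 'host ' + url.hostname + ' not listed' });
    }
  }
  return flagged;
}

// Constructed sample description and a proposed, narrower property value.
const sampleDescription =
  '<p>See <a href="https://docs.servicenow.com/x">docs</a>, ' +
  '<a href="https://servicenow.com.example.net/login">portal</a> and ' +
  "<a href='https://youtu.be/abc'>video</a>.</p>";
const proposedValue = 'servicenow.com, service-now.com';

console.log(linksOutsideAllowlist(sampleDescription, proposedValue));
```

Running it against exported description text before changing the property shows which links would be removed under the new value.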
More information
| Attribute | Description |
|---|---|
| Configuration name | sn_impact_common.whitelisted.url_HTML_injection |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | String list |
| Recommended value | servicenow.com, service-now.com, youtube.com, google.com, youtu.be, soti.net, dpdhl.sharepoint.com, documentation.avaya.com, www.juniper.net, servicenow.sharepoint.com, servicenow-my.sharepoint.com, scaledagileframework.com |
| Default value | servicenow.com, service-now.com, youtube.com, google.com, youtu.be, soti.net, dpdhl.sharepoint.com, documentation.avaya.com, www.juniper.net, servicenow.sharepoint.com, servicenow-my.sharepoint.com, scaledagileframework.com |
| Fallback value | servicenow.com, service-now.com, youtube.com, google.com, youtu.be, soti.net, dpdhl.sharepoint.com, documentation.avaya.com, www.juniper.net, servicenow.sharepoint.com, servicenow-my.sharepoint.com, scaledagileframework.com |
| Category | Validation, sanitization, and encoding |
| Security risk | |
| Functional impact | If the property is empty, no HREFs are allowed in the field text and all HREFs are removed. Any links using domains not listed in the property are removed. An improper value for this field could result in corrupted data for the affected fields. |
| Dependencies and prerequisites | If the sn_impact_common.blacklist_tags_HTML_injection system property contains HTML tags that surround HREF links, then all links within those tags will be removed. |
To learn more about adding or creating a system property, see Add a system property.