Script sandbox environment
Summary of Script sandbox environment
The script sandbox environment in ServiceNow provides a restricted execution context for running untrusted, client-generated server-side scripts securely. When scripts are sent to the server, a server-side evaluator classifies them as trusted or untrusted. Trusted scripts run normally, while untrusted scripts execute within this sandbox to enforce security restrictions.
This environment applies specifically to untrusted scripts sent via filter/query parameters or system APIs like AJAXEvaluate. It does not apply to script includes, which run outside the sandbox in the application scope, nor to client-side scripts.
Key Restrictions in the Sandbox
- Only business rules marked as Client callable and script includes marked as Sandbox enabled can be invoked.
- Direct database modifications are blocked; for example, calls to current.update() are ignored.
- Certain system APIs related to direct database access are disallowed.
- Starting with the Australia release, only script includes explicitly marked Sandbox enabled are accessible within the sandbox, replacing previous use of the Client callable designation.
Evaluators Used in the Sandbox
From the Australia Patch 2 release onward, two evaluators enforce sandbox restrictions:
- Guarded Script Evaluator: Uses a domain-specific language that allows only a single simple JavaScript expression or function call against a limited set of APIs. It enhances security by rejecting untrusted scripts that do not fit that language, and it is enforced immediately for guest (unauthenticated) transactions.
- Script Sandbox Evaluator: Supports more of the JavaScript language but limits API access to prevent unsafe operations. It evaluates untrusted scripts that have been granted a guarded-script exemption, and scripts sent by authenticated users while the guarded evaluator is in its detection phase.
Practical Impact for ServiceNow Customers
- Untrusted client-generated scripts are safely executed without risking instance integrity or unauthorized data changes.
- Administrators control which script includes an untrusted script may call by marking those script includes as Sandbox enabled; anything not marked is unreachable from the sandbox.
- Understanding the two evaluators helps in troubleshooting script execution issues related to sandbox restrictions and planning script design accordingly.
The script sandbox environment is a restricted execution context in which untrusted, client-generated scripts run on the server using one of two evaluators: the guarded script evaluator or the script sandbox evaluator.
Script sandbox environment overview
When a script is sent to the server, a server-side script evaluator determines whether the script is trusted. Trusted scripts run in the JavaScript engine. Untrusted scripts run in the restricted sandbox environment instead.
Untrusted scripts reach the server in the following ways:
- Filter or query parameters: Filter and query parameters in URLs can send scripts to the server with HTTP requests, such as when a logged-out user follows a link containing a javascript: filter parameter.
- System APIs: The AJAXEvaluate API call allows the client to run arbitrary scripts on the server and receive a response.
The sandbox enforces the following restrictions on those scripts:
- Only business rules marked Client callable can be called.
- Only script includes marked Sandbox enabled can be called.
- Certain API calls, mostly limited to ones dealing with direct database access, aren't allowed.
- Data can't be inserted, updated, or deleted from within the sandbox. For example, any calls to current.update() are ignored.
Script sandbox evaluators
Beginning with the Australia Patch 2 release, the sandbox uses two evaluators to enforce different levels of restrictions:
- Guarded script evaluator: Enhances instance security by supporting only a restricted scripting language and rejecting untrusted scripts that don't fit it. For guest (unauthenticated) transactions, enforcement is immediate. Scripts sent by authenticated users are evaluated differently depending on the instance type.
- Script sandbox evaluator: Helps prevent executing untrusted scripts on an instance by limiting the APIs available to scripts.
| Characteristic | Guarded script evaluator | Script sandbox evaluator |
|---|---|---|
| Purpose | Provides enhanced security for scripts that run in the sandbox. Uses a domain-specific language (DSL) that permits only a small set of JavaScript features. | Supports additional JavaScript but restricts certain APIs for scripts. |
| JavaScript support | Only a single simple expression or function call, and only certain APIs. | Features supported by the JavaScript engine, except for certain API and method restrictions. |
| When it runs | Evaluates untrusted scripts that haven't been granted a guarded-script exemption. | Evaluates untrusted scripts that have been granted a guarded-script exemption, and scripts sent by authenticated users while the guarded evaluator is in its detection phase. |
| Script includes | Not applicable: script includes run outside the sandbox in the application scope. | Not applicable: script includes run outside the sandbox in the application scope. |
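The two ingress paths listed in the overview and the guarded evaluator's single-call rule in the table above, as an added JavaScript illustration. This is not ServiceNow code and does not reproduce the platform's evaluator: the API allowlist, the "one call with literal arguments" grammar, and the function names (`guardedDecision`, `triageEncodedQuery`, `report`) are assumptions made for the example. It scans constructed encoded queries of the kind a logged-out user could send in a URL, pulls out every `javascript:` value, and reports which bodies such a grammar would accept and which it would reject and why.

```javascript
// Added illustration, not ServiceNow code. Models the triage the page describes:
// a script arriving in a filter/query parameter is untrusted, and the guarded
// evaluator accepts only a single simple call to an allowlisted API.
// The allowlist, the grammar and every function name are assumptions.

// Hypothetical allowlist of server APIs the guarded grammar may call (assumption).
const GUARDED_ALLOWLIST = new Set([
  'gs.getUserID',
  'gs.getUserName',
  'gs.beginningOfLastMonth',
  'gs.daysAgoStart',
]);

const LIT = String.raw`(?:'[^']*'|"[^"]*"|-?\d+(?:\.\d+)?)`; // string or number literal
const IDENT = String.raw`[A-Za-z_$][\w$]*`;
// Exactly one call: dotted identifier, literal-only argument list, optional ';', nothing else.
const SINGLE_CALL = new RegExp(
  String.raw`^\s*(${IDENT}(?:\.${IDENT})*)\s*\(\s*(?:${LIT}(?:\s*,\s*${LIT})*)?\s*\)\s*;?\s*$`
);

// Decide whether the modelled guarded grammar would accept an untrusted script body.
function guardedDecision(body) {
  const m = SINGLE_CALL.exec(body);
  if (!m) {
    return { accepted: false, reason: 'not a single simple call' };
  }
  if (!GUARDED_ALLOWLIST.has(m[1])) {
    return { accepted: false, reason: 'API not allowlisted: ' + m[1] };
  }
  return { accepted: true, call: m[1] };
}

// Scan an encoded query (conditions separated by '^') for values that carry a script.
// Everything after a 'javascript:' prefix is the script body handed to the evaluator.
function triageEncodedQuery(encodedQuery) {
  const findings = [];
  encodedQuery.split('^').forEach((condition, index) => {
    const at = condition.toLowerCase().indexOf('javascript:');
    if (at < 0) return; // plain value: no script reaches the evaluator
    const body = condition.slice(at + 'javascript:'.length);
    findings.push({ condition: index, body, ...guardedDecision(body) });
  });
  return findings;
}

// Constructed sample queries, as a logged-out user might send them in sysparm_query.
const SAMPLE_QUERIES = [
  'active=true^sys_created_onONjavascript:gs.daysAgoStart(7)',
  'assigned_to=javascript:gs.getUserID()',
  'assigned_to=javascript:gs.getUserID().toUpperCase()',
  "active=javascript:current.setValue('active', false); current.update()",
  "active=javascript:new GlideRecord('sys_user').deleteMultiple()",
  'active=true',
];

// Run the triage over a list of queries and return the findings per query.
function report(queries) {
  return queries.map((q) => ({ query: q, findings: triageEncodedQuery(q) }));
}

for (const r of report(SAMPLE_QUERIES)) {
  console.log(r.query);
  for (const f of r.findings) {
    console.log('  ', f.accepted ? 'accepted' : 'rejected: ' + f.reason, '<-', f.body);
  }
}
```

Of the constructed samples, only the two single allowlisted calls are accepted; the chained call, the multi-statement body, and the `new GlideRecord(...)` expression all fall outside the one-call grammar, and `current.update()` by itself is a well-formed call that fails the allowlist. Anything rejected here would, per the table above, be a candidate for the script sandbox evaluator only if it had been granted a guarded-script exemption.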
For details about each evaluator, including JavaScript restrictions, see the following topics and the Server-Side Sandbox Runtime Replacement [KB2944435] article on the Now Support Knowledge Base.