Escape XML markup [Updated in Security Center 1.3]
Use the glide.ui.escape_text property to force escaping of XML values at the parser level, before they are transmitted to the client's browser.
The following characters are escaped when the property is enabled: `&`, `<`, `>`, `"`, `'` and `/`.
Example: `<script>alert('XSS Attack');</script>`

Escaping: the same input with its `<`, `>`, `'` and `/` characters replaced by their XML entities, so the browser displays it as literal text rather than parsing it as markup and executing it.
Ensure the glide.ui.escape_text property exists in the sys_properties table and is set to true.
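The escaping described above, applied to the page's sample payload, as an added example. This is illustration code, not ServiceNow's parser implementation; the entity chosen for `'` and `/` is an assumption, any form the browser decodes to the same character works.

```javascript
// Added example, not ServiceNow's code. The six characters the page lists,
// mapped to XML entity forms (the forms for ' and / are an assumption).
const ESCAPE_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

// Escape untrusted text so a browser renders it as literal characters
// instead of markup. All six characters are replaced in one pass: escaping
// '&' in a second pass would double-encode the entities just produced.
function escapeXml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Defensive check a reviewer can run over rendered output: no raw markup
// character may remain, and every '&' must start one of the known entities.
function isInert(text) {
  if (/[<>"'\/]/.test(text)) return false;
  return !/&(?!(amp|lt|gt|quot|#39|#x2F);)/.test(text);
}

// The page's sample payload, escaped. Applying escapeXml twice shows the
// double-encoding problem: "&lt;" becomes "&amp;lt;" and displays literally.
const sample = "<script>alert('XSS Attack');</script>";
const escaped = escapeXml(sample);
console.log(escaped);
console.log(isInert(escaped), isInert(sample));
console.log(escapeXml(escaped));
```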
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.escape_text |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | Escaping XML ensures that browsers do not parse malicious JavaScript embedded in untrusted data and execute it. |
| Recommended value | true |
| Security risk rating | 8.8 |
| Functional impact | This remediation enforces XML encoding at the XML parser level in the UI. It renders the encoded result for the user, which can affect functionality depending on how instance users interact with the resulting data. |
| Security risk | (High) Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute in the user's session, in the logged-in browser's context. Attackers can use them to steal session information and sensitive data. |
| Workaround | After you set this property to true, rendering stops on the HTML tags in the catalog item description or in the catalog item variable help text. You may not be able to use HTML formatting for some fields. However, if the glide.ui.escape_text property is turned off, all JEXL expressions would be prefixed with an output encoder: or |