Sanitize HTML in the Description Fields of the Impact Workspace Module [New in Security Center 7.0]

  • Release version: Australia
  • Updated March 12, 2026
  • Sanitize the HTML in the description fields by using the sn_impact_common.blacklist_tags_HTML_injection property to remove HTML tags that are sources of HTML injection attacks.

    The Impact Workspace module allows HTML in the following description fields:
    • The customer_notes field of the sn_impact_common_capabilities_map and sn_impact_common_par_version_phase_app_mapping tables.
    • The manual_description field of the sn_impact_common_manual_capability_description table.

    When this system property contains a comma-separated list of HTML tags (for example, script), those tags and their contents are removed from the HTML portions of the listed fields. Removing these tags sanitizes the description fields by stripping the HTML tags that are sources of HTML injection attacks. If this property isn’t set in the System Properties [sys_properties] table, the default list of denied HTML tags applies. If the property is set but empty, all HTML tags are allowed.

    Use the sn_impact_common.blacklist_tags_HTML_injection property to provide a comma-separated list of HTML tags that are removed from the description fields of the Impact Workspace module. This removal helps to prevent HTML injection attacks. At minimum, this list should contain the entries of the default list. If the property isn’t set in the System Properties [sys_properties] table, it defaults to the list script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button.
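The page states the property's semantics in prose only; the following Python is an added example, not ServiceNow code, that models them so the three cases (unset, set, set but empty) can be checked. It assumes a value of None stands for "property not set" (default list applies), an empty string for "set but empty" (nothing is removed), and that each listed tag is dropped together with its contents; the platform's own sanitizer is not shown on the page and may behave differently.

```python
from html import escape
from html.parser import HTMLParser

# Default list as quoted on the page. None models an unset property.
DEFAULT_DENYLIST = ("script,iframe,object,embed,form,onerror,onload,"
                    "style,img,video,audio,source,button")
VOID_TAGS = {"img", "source", "embed", "br", "hr", "input", "meta", "link"}

def resolve_denylist(prop):
    """Unset property (None): default list. Set but empty (""): allow all."""
    if prop is None:
        prop = DEFAULT_DENYLIST
    return {t.strip().lower() for t in prop.split(",") if t.strip()}

class TagStripper(HTMLParser):
    """Drops every denied element together with its contents, keeps the rest.
    Entries that are not tag names (onerror, onload) match no element here."""
    def __init__(self, denied):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.denied, self.out, self.skip = denied, [], 0  # skip: depth inside denied
    def _emit(self, s):
        if self.skip == 0:
            self.out.append(s)
    def handle_starttag(self, tag, attrs):
        if self.skip or tag in self.denied:
            if tag not in VOID_TAGS:  # void tags have no end tag to balance
                self.skip += 1
            return
        a = "".join(f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                    for k, v in attrs)
        self.out.append(f"<{tag}{a}>")
    def handle_endtag(self, tag):
        if tag in VOID_TAGS:      # stray </img> or <img/>: nothing to close
            return
        if self.skip:
            self.skip -= 1
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")

def sanitize(html, prop=None):
    """Apply the property semantics: prop=None is unset, prop="" is empty."""
    denied = resolve_denylist(prop)
    if not denied:  # empty property: all HTML tags are allowed
        return html
    p = TagStripper(denied)
    p.feed(html); p.close()
    return "".join(p.out)
```

An unclosed denied element swallows everything after it, which is the safe direction for a denylist sanitizer but worth knowing when a description field appears to lose trailing content.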

    More information

    Property name: sn_impact_common.blacklist_tags_HTML_injection
    Configuration type: System Properties (/sys_properties_list.do)
    Category: Validation, sanitization, and encoding
    Purpose: Sanitize the HTML in the description fields by removing HTML tags that are sources of HTML injection attacks.
    Recommended value: At minimum, the default value of script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button
    Default value: script,iframe,object,embed,form,onerror,onload,style,img,video,audio,source,button
    Security risk rating: 4.4
    Functional impact: If an HTML tag is added to the default list, it may limit the required HTML functionality of the description fields. The exact impact depends on the customer instance.
    Security risk: Medium
    References: High Security Settings

    To learn more about adding or creating a system property, see Add a system property.