Restrict access to GlideSystemUserSession scriptable API

Release version: Australia

Updated March 12, 2026

1 minute to read

The client callable GlideSystemUserSessionSandbox scriptable API exposes GlideSystemUserSession's addErrorMessageNoSanitization and addInfoMessageNoSanitization methods to the JavaScript sandbox. This allows all users to call this method via script.

The methods gs.addErrorMessageNoSanitizationMessaging() and gs.addInfoMessageNoSanitization() are used within the scripting environment for logging and notifications. Both of these are available in the sandbox if this property is not set to the recommended value of false. The sandbox is a low privileged scripting environment available to unauthenticated and no role users. Both of these methods can be used to display unsanitized input to a user.

Ensure that the glide.sandbox.usersession.allow_unsanitized_messages system property is set to false. If this property does not exist on the System Properties [sys_properties] table, create the property.

Warning:

This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information


Attribute	Description
Configuration name	glide.sandbox.usersession.allow_unsanitized_messages
Configuration type	System Properties (/sys_properties_list.do)
Data type	Boolean
Recommended value	false
Default value	true
Fallback value	true
Category	Access control
Security risk	Severity score: 8.1 CVSS rating: High Security risk details: Displaying unsanitized input to the user is dangerous, as unsanitized input may contain dangerous code that runs in the user's browser. This can be utilized for traditional reflected XSS attacks. Reflected XSS attacks can be used in multiple scenarios, including session hijacking.
Functional impact	None
Dependencies and prerequisites	None