Disable embedded HTML code [Updated in Security Center 1.3]

  • Release version: Australia
  • Updated May 15, 2026

    Use the glide.ui.security.allow_codetag system property to disable support for HTML that users embed in journal fields with the [code] tag.

    The [code] tag causes its contents to display as rendered HTML in journal fields, which opens the instance to cross-site scripting (XSS): markup written by one user is rendered in another user's session, in that user's logged-in browser context, and any script it carries can read session information and sensitive data. HTML was not designed to separate script from formatting, so allowing user-controlled HTML in any system carries inherent risk.

    If setting glide.ui.security.allow_codetag to false disrupts instance functionality (for example, a feature in your instance depends on HTML rendering in journal fields), you can maintain a compliant security posture by keeping glide.ui.security.allow_codetag set to true and setting glide.ui.security.codetag.allow_script to false. This disables script execution within [code] tags while preserving HTML rendering. Note that this approach carries residual risk: it relies on the sanitizer recognising every known script convention within HTML rather than prohibiting HTML rendering entirely, so a script construct the sanitizer does not recognise still reaches other users' browsers.

    Set the glide.ui.security.allow_codetag system property to false to completely prohibit journal fields and forms from displaying rendered HTML.

    The ServiceNow AI Platform mitigates many injection and cross-site attacks by escaping and encoding user input. As a result, users can't submit HTML-formatted input to journal fields: the markup displays as literal text. The exception is text enclosed in [code] tags, which journal fields render as HTML.
    • With the property set to true (the default), a malicious user can write HTML containing JavaScript that executes in another user's browser when that user views the journal field.
    • Set the property to false to prevent journal fields from rendering HTML at all, by disabling support for the [code] tag.
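    The three property combinations described above, modelled as an added example (this is not ServiceNow code; the [code] handling, the stand-in sanitizer, the sample journal entries and the assumed default of true for glide.ui.security.codetag.allow_script are all constructed here). Running it shows why allow_codetag = false is the hardened setting, why allow_codetag = true with allow_script = false is only a compromise, and what "residual risk" means in practice: the blocklist sanitizer removes the obvious onerror handler but does not recognise an entity-encoded javascript: URL, which a browser decodes and follows. The posture check at the end reads the real properties through gs.getProperty when pasted into a ServiceNow background script and falls back to the documented defaults when run in Node.

```javascript
// Added example, not ServiceNow's own code. Models how a journal entry is
// rendered under each combination of glide.ui.security.allow_codetag and
// glide.ui.security.codetag.allow_script, and checks the instance's posture.

const CODE_TAG = /\[code\]([\s\S]*?)\[\/code\]/g;

// What the platform does to ordinary journal text: HTML metacharacters are
// encoded, so user-supplied markup displays as literal characters.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Stand-in for "sanitizing all known script conventions". This is NOT
// ServiceNow's sanitizer: it is a deliberately simple blocklist that removes
// <script> elements, on* event-handler attributes and literal javascript:
// URLs, so the residual-risk argument can be shown concretely.
function stripKnownScript(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\b(href|src)\s*=\s*(["']?)\s*javascript:[^"'>\s]*\2/gi, '$1=$2#$2');
}

// Render one journal entry under a property combination.
//   opts.allowCodetag -> glide.ui.security.allow_codetag
//   opts.allowScript  -> glide.ui.security.codetag.allow_script
function renderJournal(text, opts) {
  if (!opts.allowCodetag) {
    // Recommended value: nothing inside [code] is treated as HTML; the tags
    // themselves appear as text, which is the functional impact the page notes.
    return htmlEncode(text);
  }
  let out = '';
  let last = 0;
  for (const m of text.matchAll(CODE_TAG)) {
    out += htmlEncode(text.slice(last, m.index));
    out += opts.allowScript ? m[1] : stripKnownScript(m[1]);
    last = m.index + m[0].length;
  }
  return out + htmlEncode(text.slice(last));
}

function classifyPosture(allowCodetag, allowScript) {
  if (!allowCodetag) return 'hardened';   // no HTML rendered from [code]
  if (!allowScript) return 'compromise';  // HTML rendered, script stripped, residual risk
  return 'at-risk';                       // defaults: [code] content reaches other users unchanged
}

// Reads a boolean system property. Inside ServiceNow, gs.getProperty(name,
// default) returns the stored string; elsewhere the default is used so the
// example runs offline.
function readBoolProperty(name, defaultValue) {
  const raw = (typeof gs !== 'undefined') ? gs.getProperty(name, String(defaultValue))
                                          : String(defaultValue);
  return String(raw).trim().toLowerCase() === 'true';
}

function auditCodetagPosture() {
  // The page documents allow_codetag's default as true; true for allow_script
  // is an assumption made here for the offline fallback only.
  const allowCodetag = readBoolProperty('glide.ui.security.allow_codetag', true);
  const allowScript = readBoolProperty('glide.ui.security.codetag.allow_script', true);
  return { allowCodetag, allowScript, posture: classifyPosture(allowCodetag, allowScript) };
}

// Constructed sample entries (not real instance data).
const SAMPLE_ENTRY =
  'Reset done. [code]<b>Verified</b><img src=x onerror="alert(document.cookie)">[/code] thanks';
// A browser decodes &#106; to "j" inside the attribute before following the
// link, but a filter looking for the literal text "javascript:" never sees it.
const EVASIVE_ENTRY = '[code]<a href="&#106;avascript:alert(1)">click</a>[/code]';

if (typeof require !== 'undefined' && require.main === module) {
  const modes = [
    ['hardened',   { allowCodetag: false, allowScript: false }],
    ['compromise', { allowCodetag: true,  allowScript: false }],
    ['at-risk',    { allowCodetag: true,  allowScript: true  }],
  ];
  for (const [name, opts] of modes) {
    console.log(name.padEnd(10), renderJournal(SAMPLE_ENTRY, opts));
    console.log(name.padEnd(10), renderJournal(EVASIVE_ENTRY, opts));
  }
  console.log(auditCodetagPosture());
}
```

    Under the compromise setting the onerror payload is stripped but the entity-encoded link survives untouched; under the hardened setting both entries are encoded end to end and the [code] tags themselves are shown as text.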

    More information

    Attribute                               Description
    Property name                           glide.ui.security.allow_codetag
    Configuration type                      System Properties (/sys_properties_list.do)
    Category                                Validation, sanitization, and encoding
    Configure in Instance Security Center   Yes
    Purpose                                 Protect against cross-site scripting and malicious script execution
    Recommended value                       false
    Default value                           true
    Security risk rating                    4.2
    Functional impact                       Enforces HTML encoding in the UI and displays the encoded result to the user, so [code] content appears as text rather than rendered HTML.

    This property is set to true by default. In this state, your instance displays rendered HTML in journal fields and forms.

    If this property is set to false, content inside [code] tags is not rendered as HTML: the tags and the markup appear as literal text in journal fields on forms. This can affect functionality that depends on rendered HTML, and how users read the resulting data.

    If setting this property to false negatively affects functionality, leave it set to true and set glide.ui.security.codetag.allow_script to false instead. This disables script execution within [code] tags while preserving HTML rendering, with the residual risk noted above.

    Security risk (Medium) Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute in a user's session, in the logged-in browser's context. Attackers can use such scripts to steal session information and sensitive data.