Disable AJAXEvaluate

  • Release version: Australia
  • Updated March 12, 2026
    Use the glide.script.allow.ajaxevaluate property to protect the system API from vulnerabilities of client script execution through AJAX calls.

    The AjaxEvaluator processor executes these scripts in a sandbox; however, several additional properties can expand the scope of activities allowed in the sandbox or turn the sandbox off entirely. In a worst-case scenario, a user can easily execute scripts with admin privileges.

    Ensure that the glide.script.allow.ajaxevaluate system property is set to false.

    Elevation to the security_admin role is required to edit the property.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute                        Description
    -------------------------------  ------------------------------------------
    Configuration name               glide.script.allow.ajaxevaluate
    Configuration type               System Properties (/sys_properties_list.do)
    Data type                        Boolean
    Recommended value                false
    Default value                    <none>
    Fallback value                   false
    Category                         Validation, sanitization, and encoding
    Security risk                    • Severity score: 7.3
                                     • CVSS rating: High
                                     • Security risk details: If this property is not set to false, then the system API can be vulnerable to client script execution through AJAX calls.
    Functional impact                None
    Dependencies and prerequisites   None
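
An audit of this setting, as an added example that is not ServiceNow's own code: it classifies rows exported from the sys_properties table using the recommended and fallback values listed above. The instance names, sample rows, placeholder property name, and status labels are constructed for illustration, and the script only reports, because the property is non-revertible.

```javascript
// Added example (not ServiceNow code): audit exported sys_properties rows.
const PROPERTY = 'glide.script.allow.ajaxevaluate';
const FALLBACK = 'false'; // "Fallback value" in the table on this page

// Classify one instance from its sys_properties rows ({ name, value }).
// The status labels are this example's own, not platform terminology.
function auditAjaxEvaluate(rows) {
  const matches = rows.filter((r) => r.name === PROPERTY);
  if (matches.length === 0) {
    // No record exists, so the documented fallback value applies.
    return { status: 'PASS_FALLBACK', effective: FALLBACK };
  }
  if (matches.length > 1) {
    return { status: 'REVIEW', effective: null }; // ambiguous: duplicates
  }
  const raw = String(matches[0].value ?? '').trim().toLowerCase();
  if (raw === 'false') return { status: 'PASS', effective: raw };
  if (raw === 'true') return { status: 'FAIL', effective: raw };
  // Assumption: anything else (empty, typo) needs a human to look at it.
  return { status: 'REVIEW', effective: raw };
}

// Constructed sample exports keyed by hypothetical instance name.
const SAMPLE_EXPORTS = {
  'dev-example': [{ name: PROPERTY, value: 'true' }],
  'test-example': [{ name: 'x_example.placeholder.property', value: 'x' }],
  'prod-example': [{ name: PROPERTY, value: ' False ' }],
  'legacy-example': [{ name: PROPERTY, value: '' }],
};

// Report only: the property is non-revertible, so nothing is changed here.
function auditAll(exportsByInstance) {
  const report = {};
  for (const [instance, rows] of Object.entries(exportsByInstance)) {
    report[instance] = auditAjaxEvaluate(rows);
  }
  return report;
}

for (const [instance, r] of Object.entries(auditAll(SAMPLE_EXPORTS))) {
  console.log(`${instance}: ${r.status} (effective=${r.effective})`);
}
```

A PASS_FALLBACK result means the instance relies on the fallback rather than an explicit record; setting the property to false explicitly matches the recommendation on this page.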