Escape HTML in list views [Updated in Security Center 1.3 and 1.5]
Use the glide.ui.escape_html_list_field property to force HTML escapes for HTML fields in a list view.
Set glide.ui.escape_html_list_field to true to prevent HTML from being rendered in HTML fields in list view. Leaving HTML sanitization inactive, either platform wide (via this system property) or per field (via a schema attribute), may lead to XSS-style attacks. XSS attacks may allow a low-privileged user to hijack the session of a high-privileged user or interfere with standard web application behaviors, including redirects or defacement.
Warning:
This is a safe harbor property, meaning the value can't be altered once it's changed. It’s non-revertible.
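The effect of the property on a list cell, as an added illustration that is not ServiceNow's own rendering code: the same stored HTML field value is passed through either raw (property false) or HTML-encoded (property true), and a small check confirms that the encoded cell no longer carries any tag the browser would interpret. The function names and the sample field value are constructed for this example.

```javascript
// Added example (not ServiceNow's own code): models what
// glide.ui.escape_html_list_field does to an HTML field value before it
// reaches a list cell. escapeHtml, renderListCell and containsMarkup are
// assumed names for this illustration.

// Characters that carry meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every significant character in one pass. '&' is encoded too, so
// a value that was already encoded is double-encoded rather than left
// ambiguous for the browser.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulates the list-view cell renderer under the two property settings:
// escapeEnabled=true (the recommended and default value) encodes the field;
// escapeEnabled=false passes the stored HTML through to the browser.
function renderListCell(fieldValue, escapeEnabled) {
  return escapeEnabled ? escapeHtml(fieldValue) : String(fieldValue);
}

// Defender-side check: does a rendered cell still contain an opening or
// closing tag that the browser would parse as markup? After escaping, no
// raw '<' survives, so the check returns false.
function containsMarkup(rendered) {
  return /<\/?[a-zA-Z]/.test(rendered);
}

// Constructed sample: an HTML field mixing legitimate formatting with a
// script element, the typical shape of a stored XSS value.
const SAMPLE_FIELD = '<b>Printer</b> is down <script>alert(1)</script>';

const rawCell = renderListCell(SAMPLE_FIELD, false);
const safeCell = renderListCell(SAMPLE_FIELD, true);
console.log('property false ->', rawCell, containsMarkup(rawCell));   // true
console.log('property true  ->', safeCell, containsMarkup(safeCell)); // false
```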
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.escape_html_list_field |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | To help protect the application against cross-site scripting attacks |
| Recommended value | true |
| Default value | true |
| Security risk rating | 3.1 |
| Functional impact | This remediation enforces HTML encoding on the UI at the HTML parser level and renders the encoded result back to the user. It can affect functionality depending on how instance users interact with the resulting data. |
| Security risk | (High) Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute in user sessions, in the context of the logged-in user's browser. Attackers can use them to steal session information and sensitive data. |
| References | |
To learn more about adding or creating a system property, see Add a system property.