Escape XML markup

  • Release version: Australia
  • Updated March 13, 2026
  • Use the glide.ui.escape_text property to force escaping of XML values at the parser level before they are transmitted to the client's browser.

    Use the glide.ui.escape_text system property to escape XML values at the parser level for the user interface. It prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal.

    Cross-site scripting occurs when an attacker injects malicious JavaScript into an entry point and the platform or application fails to escape it before transmitting it to the victim's browser for execution. Escaping in this context means the following:
    • & --> &amp;
    • < --> &lt;
    • > --> &gt;
    • " --> &quot;
    • ' --> &#x27;
    • / --> &#x2F;

    Example: <script>alert('XSS Attack');</script>

    Escaping: &lt;script&gt;alert(&#39;XSS Attack&#39;);&lt;/script&gt;

    Ensure the glide.ui.escape_text property exists in the System Properties [sys_properties] table and is set to true.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.
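
The six mappings above and the property check, as an added example that is not ServiceNow platform code: a single-pass escaper built from the list on this page, and an audit over exported sys_properties rows that applies the documented fallback of false when the row is missing. The `{ name, value }` row shape, the sample rows, and the rule that only the string "true" counts as enabled are assumptions. Because the escaper follows the six-entry list, its output for the page's payload uses &#x27; and also escapes the slash.

```javascript
// Added example: a simplified model, not the platform's parser.
const PROPERTY = 'glide.ui.escape_text';

// The six mappings listed on this page.
const ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Single pass: each input character is examined once, so the '&' that
// starts an entity emitted for '<' is never escaped a second time.
function escapeText(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'\/]/g, (ch) => ESCAPES[ch]);
}

// Resolve the effective setting from exported sys_properties rows
// (assumed shape: { name, value }). A missing row means the documented
// fallback value, false, is in effect.
function auditEscapeText(rows) {
  const row = rows.find((r) => r.name === PROPERTY);
  if (!row) return { present: false, effective: false, compliant: false };
  // Assumption: values are stored as strings; only "true" enables escaping.
  const effective = String(row.value).trim().toLowerCase() === 'true';
  return { present: true, effective, compliant: effective };
}

// Constructed sample rows, not taken from a real instance.
const sampleRows = [
  { name: 'example.unrelated.property', value: 'true' },
  { name: PROPERTY, value: 'false' },
];

function main() {
  const payload = "<script>alert('XSS Attack');</script>";
  console.log('explicit false:', auditEscapeText(sampleRows));
  console.log('row missing   :', auditEscapeText([]));
  console.log('escaped       :', escapeText(payload));
}
main();
```

Both the explicit false row and the missing row report as non-compliant; only a row whose value is true passes.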

    More information

    Attribute | Description
    Configuration name | glide.ui.escape_text
    Configuration type | System Properties (/sys_properties_list.do)
    Data type | Boolean
    Recommended value | true
    Default value | <none>
    Fallback value | false
    Category | Validation, sanitization, and encoding
    Security risk |
    • Severity score: 8.8
    • CVSS rating: High
    • Security risk details: If glide.ui.escape_text is not set to the recommended value of true, XML values are not escaped at the parser level for the user interface, which leaves Jelly templates susceptible to reflected and stored cross-site scripting attacks.
    Functional impact | None
    Dependencies and prerequisites | None