Allow embedded HTML code (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use the glide.ui.security.allow_codetag property to disable support for embedding HTML code created using the [code] tag.

    The ServiceNow AI Platform mitigates many injection and cross-site scripting attacks by escaping and encoding user input. As a result, users cannot submit HTML-formatted input in journal fields. However, journal fields can still render text enclosed in [code] tags as HTML.

    This carries an associated security risk. If the property is set to true, a malicious user can write harmful HTML or JavaScript inside [code] tags that is executed in another user's browser when the journal field is rendered.

    Set this property to false so that journal fields never render HTML code; this disables support for the [code] tag.

    More information

    Attribute: Description
    Property name: glide.ui.security.allow_codetag
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: Yes
    Purpose: Protect against cross-site scripting and malicious script execution
    Recommended value: false
    Functional impact: This remediation enforces HTML encoding on the UI and renders the encoded results to the user.

    This property is set to true by default. In this state, your instance displays rendered HTML in journal fields and forms.

    If this property is set to false, HTML inside [code] tags is no longer rendered and the raw HTML tags may appear as text in journal fields on forms. This can have an adverse impact on functionality and on how users interact with the resulting data.
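The following is an added example, not ServiceNow's own rendering code: it models how a journal entry is displayed with the property true versus false, and includes a small audit helper for listing which entries rely on [code] tags so the functional impact of setting the property to false can be assessed first. The tag syntax and property name come from this page; the rendering model, the helper names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example (not platform code): simplified model of journal field
// rendering under glide.ui.security.allow_codetag.

// HTML-encode the characters that would otherwise start markup.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Render one journal entry. With allowCodeTag false the entire entry is
// encoded and the [code] markers remain visible as plain text (the
// "HTML tags may appear in journal fields" behaviour the page describes).
// With allowCodeTag true, text inside [code]...[/code] is passed through
// as raw HTML and only the surrounding text is encoded.
function renderJournalEntry(text, allowCodeTag) {
  if (!allowCodeTag) {
    return htmlEncode(text);
  }
  const codeTag = /\[code\]([\s\S]*?)\[\/code\]/g; // local, so lastIndex never leaks
  let out = "", last = 0, m;
  while ((m = codeTag.exec(text)) !== null) {
    out += htmlEncode(text.slice(last, m.index)) + m[1];
    last = m.index + m[0].length;
  }
  return out + htmlEncode(text.slice(last));
}

// Audit helper (assumed shape: entries are {sys_id, value} objects):
// returns the ids of entries that would change appearance once the
// property is set to false.
function findCodeTagEntries(entries) {
  const hasCodeTag = /\[code\][\s\S]*?\[\/code\]/;
  return entries.filter(e => hasCodeTag.test(e.value)).map(e => e.sys_id);
}

// Constructed sample entries, not data from a real instance.
const sampleEntries = [
  { sys_id: "entry-1", value: "Plain comment, no markup." },
  { sys_id: "entry-2", value: "See [code]<b>step two</b>[/code] first." },
  { sys_id: "entry-3", value: "[code]<i>note</i>[/code] added by integration" },
];

for (const e of sampleEntries) {
  console.log(e.sys_id, "| true :", renderJournalEntry(e.value, true));
  console.log(e.sys_id, "| false:", renderJournalEntry(e.value, false));
}
console.log("entries affected by setting false:", findCodeTagEntries(sampleEntries));
```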

    Security risk (Medium)

    Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute in a user's session, in the context of the logged-in browser. Attackers can use them to steal session information and sensitive data.
    References

    Restrict the CODE tag in journal fields

    Render journal field entries as HTML

    High Security Settings

    To learn more about adding or creating a system property, see Add a system property.