Escape HTML (instance security hardening)
Use the glide.ui.escape_html_list_field property to force HTML escapes for HTML fields in a list view.
HTML is one of the types that can be assigned to dictionary fields. Assigning the HTML type to a field lets users format its content with HTML tags (for example, <p>, <a href>, <b>, <font>, <img>). A malicious user can inject HTML code into the form field to execute unwanted scripts in other clients' or users' sessions.
- Set this property to true to HTML-escape the records/fields before they are rendered in the browser when the table appears as a list view.
- If set to false and you select that column in a list view when viewing a table or record listing, these HTML-formatted fields may be rendered unescaped.
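As an added example (not ServiceNow's code), the following models what the property changes when an HTML-type field is rendered into a list-view cell; the `escapeEnabled` helper, the rendering functions and the sample records are constructed for illustration.

```javascript
// Added example, not ServiceNow's code: models what glide.ui.escape_html_list_field
// changes when an HTML-type field is rendered into a list-view cell.

// System property values are stored as strings, so the string "false" must not be
// treated as truthy; only a literal "true" (case-insensitive) enables escaping.
function escapeEnabled(propertyValue) {
  return String(propertyValue).trim().toLowerCase() === 'true';
}

// Escape the characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Produce the content of one list cell for an HTML field, with the property applied.
function renderListCell(fieldValue, propertyValue) {
  return escapeEnabled(propertyValue) ? escapeHtml(fieldValue) : String(fieldValue);
}

// Assemble a list view: one row per record, one cell for the chosen column.
function renderList(records, column, propertyValue) {
  return records
    .map((rec) => `<tr><td>${renderListCell(rec[column], propertyValue)}</td></tr>`)
    .join('\n');
}

// Check a rendered cell: does it still contain markup the browser would parse as a tag?
function cellContainsTags(cellContent) {
  return /<\/?[a-zA-Z!]/.test(cellContent);
}

// Constructed sample records: one legitimate HTML description and one where a user
// stored a script element in the same HTML-type field.
const SAMPLE_RECORDS = [
  { number: 'INC0000001', description: '<p>Printer on <b>floor 3</b> is offline</p>' },
  { number: 'INC0000002', description: '<p>Help</p><script>document.title="x"</script>' },
];

// With the property false the cell carries a live <script> element; with true the
// browser shows the tags as literal text (which is also the functional impact:
// legitimate <p> and <b> formatting in the first record is shown as text too).
const unsafeCell = renderListCell(SAMPLE_RECORDS[1].description, 'false');
const safeCell = renderListCell(SAMPLE_RECORDS[1].description, 'true');
console.log(cellContainsTags(unsafeCell), cellContainsTags(safeCell)); // true false
```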
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.escape_html_list_field |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | To protect the application against cross-site scripting attacks |
| Recommended value | true |
| Functional Impact | This remediation enforces HTML encoding on the UI at the HTML parser level and thus renders encoded results back to the user. It can have a functional impact depending on how instance users interact with the resulting data. |
| Security risk | (High) Input validation must occur on the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute in user sessions in the logged-in browser's context. Attackers can use them to steal session information and sensitive data. |
| References | |
To learn more about adding or creating a system property, see Add a system property.