Escape XML (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • The glide.ui.escape_text property forces escape of XML values at the parser level before transmitting them to the client's browser.

    Note:
    This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support.
    Cross-site scripting occurs when an attacker injects malicious JavaScript into an input that the platform later renders. The platform or application fails to escape the malicious JavaScript before transmitting it to the victim's browser, which then executes it. Escaping in this context means replacing each character that is significant to the HTML parser with its entity:
    • & --> &amp;
    • < --> &lt;
    • > --> &gt;
    • " --> &quot;
    • ' --> &#x27;
    • / --> &#x2F;

    Example: <script>alert('XSS Attack');</script>

    Escaped output: &lt;script&gt;alert(&#39;XSS Attack&#39;);&lt;/script&gt;

    (&#39; and &#x27; are the decimal and hexadecimal forms of the same apostrophe. The sample output leaves the slash in </script> unescaped; once the angle brackets are escaped, the browser no longer sees a tag.)

    More information

    Property name: glide.ui.escape_text
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: Yes
    Purpose: Escaping XML ensures that browsers do not parse malicious JavaScript embedded in untrusted data and execute it as script.
    • A malicious user may attempt an XSS attack to hijack other users' sessions or to redirect users to a malicious website.
    • The ServiceNow AI Platform contains code to secure cookies, but escaping of output relies on this property being set to true.
    Recommended value: true
    Functional impact: This remediation enforces XML encoding at the XML parser level in the UI and renders the encoded result to the user, which can affect functionality depending on how users of the instance interact with the resulting data.
    Security risk (High): Input validation must occur in the application to defend against cross-site scripting attacks. These attacks execute foreign scripts in the logged-in user's browser context, and attackers can use them to steal session information and sensitive data.
    Workaround:

    After you set this property to true, HTML tags in a catalog item description or in catalog item variable help text are no longer rendered. You may not be able to use HTML formatting for some fields.

    If the glide.ui.escape_text property is instead turned off, every JEXL expression should be prefixed with an output encoder for its context:

    ${JS:expression}

    ${HTML:expression}

    or

    ${JS,HTML:expression}
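    The escaping rules listed above and the output-encoder workaround, as an added example in JavaScript that is not part of the original page and is not ServiceNow platform code. It implements the six-character table exactly as listed (hexadecimal &#x27; for the apostrophe and an escaped slash, so its output for the sample payload differs from the page's own rendering in those two details), contrasts an escaped and an unescaped render to show both the blocked payload and the functional impact on legitimate markup in a description, and adds a generic JavaScript-string-context encoder to illustrate why a JS context needs a different encoder than an HTML context. The JS encoder, the render helpers and the sample inputs are assumptions for illustration, not the platform's ${JS:...} or ${HTML:...} implementation.

```javascript
// Added example, not ServiceNow platform code. It implements the six escaping
// rules listed on this page for glide.ui.escape_text, shows the difference
// between an escaped and an unescaped render of untrusted text, and
// illustrates a JavaScript-string-context encoder of the kind the ${JS:...}
// workaround denotes. The JS encoder, render helpers and sample inputs are
// assumptions for illustration, not the platform's own code.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// HTML-context encoder: one pass, each listed character replaced exactly once.
// Because "&" is in the table, already-encoded input such as "&lt;" becomes
// "&amp;lt;" and is shown literally rather than decoded into a "<".
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript-string-context encoder (generic, assumed): every character that
// could terminate the string literal or the enclosing <script> block is
// written as a \uXXXX escape, which a JS parser reads as a plain character
// but an HTML parser never sees as a tag.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[\\'"<>&\/\r\n\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0")
  );
}

// Simulated rendering of a field value (for example a catalog item description)
// into a page fragment, with and without parser-level escaping.
function renderUnescaped(value) {
  return '<div class="description">' + value + "</div>";
}

function renderEscaped(value) {
  return '<div class="description">' + escapeHtml(value) + "</div>";
}

// Does the rendered fragment contain a tag that came from the untrusted value?
// Count tag openers in the wrapper alone, then in the full render: any extra
// "<" followed by a letter or "/" was introduced by the value.
function injectsTag(renderFn, value) {
  const wrapperTags = (renderFn("").match(/<[a-zA-Z\/]/g) || []).length;
  const renderedTags = (renderFn(value).match(/<[a-zA-Z\/]/g) || []).length;
  return renderedTags > wrapperTags;
}

// Constructed sample inputs.
const XSS_PAYLOAD = "<script>alert('XSS Attack');</script>";
const LEGIT_MARKUP = "Contact <b>IT</b> for help"; // shows the functional impact

function demo() {
  return {
    escapedPayload: escapeHtml(XSS_PAYLOAD),
    payloadRunsUnescaped: injectsTag(renderUnescaped, XSS_PAYLOAD),
    payloadRunsEscaped: injectsTag(renderEscaped, XSS_PAYLOAD),
    // With escaping on, legitimate HTML in a description is shown literally.
    legitMarkupRendersAsHtml: injectsTag(renderEscaped, LEGIT_MARKUP),
    jsContext: "var desc = '" + escapeJsString(XSS_PAYLOAD) + "';",
  };
}

console.log(demo());
```

    The two encoders are not interchangeable: HTML entities inside a JavaScript string literal stay as literal "&lt;" text, and backslash escapes inside HTML text stay as literal backslashes, so the encoder has to match the context the value lands in.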

    References

    High Security Settings

    To learn more about adding or creating a system property, see Add a system property.