Escape JavaScript [Updated in Security Center 1.3]
Use the glide.html.escape_script property to force escape from
JavaScript (<script></script>) tags in HTML fields during list
views.
The glide property glide.html.escape_script helps sanitize HTML fields. If glide.html.escape_script is not set to the recommended value of true, then inputs will not be sanitized for HTML fields (output encoding) from a backend Java context by removing embedded JavaScript. Javascript in HTML fields can lead to stored and reflected XSS. The ability to have XSS can lead to easily attained privilege escalation to higher roles such as admin where more lateral movement can be taken.
More information
| Attribute | Description |
|---|---|
| Property name | glide.html.escape_script |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | To prevent cross-site scripting attacks against an application. |
| Recommended value | true |
| Default value | true |
| Security risk rating | 8.8 |
| Functional impact | This remediation enforces JavaScript escaping to occur on the UI and renders encoded results to the user. It can have an impact on functionality, based on the instance user interaction with the resulting data |
| Security risk | (High) Input validation must occur in the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute on user session in the logged in browser's context. Attackers can use it to steal session information and sensitive data. |
| References |
To learn more about adding or creating a system property, see Add a system property.