This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Allow JavaScript tags in Embedded HTML.
The glide.ui.security.codetag.allow_script property controls whether JavaScript tags embedded with the [code] tag are rendered; setting it to false disables that support. ServiceNow mitigates many injection and cross-site scripting attacks by escaping and encoding user input, so users cannot ordinarily write or submit JavaScript through journal fields. Journal fields can, however, render text enclosed in [code] tags as HTML.
This carries a security risk. If the property is set to true, a malicious user can place JavaScript inside a [code] tag, and that script executes in another user's browser when the journal field is rendered (a stored cross-site scripting condition).
ServiceNow Security recommends setting this property to false, which prevents journal fields from rendering JavaScript by disabling script support in the [code] tag.
| Allow JavaScript tags in Embedded HTML | |
|---|---|
| Property Name | glide.ui.security.codetag.allow_script |
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | Protects against cross-site scripting and malicious script execution |
| Requirement | Mandatory |
| Recommended Value | False |
| Default Behavior | Set to false |
| Revertible behavior | N/A |
| Role required | Admin |
| Release Version | Winter 2010 |
| Functional Impact | (Medium) With the property set to false, JavaScript inside [code] tags is escaped when the journal field is rendered, so users see the encoded markup instead of executing it. The impact depends on how users of the instance rely on rendered [code] content. |
| Security Risk | (High) Without input validation the application is exposed to cross-site scripting: foreign scripts execute in the logged-in user's browser session, which an attacker can leverage to steal session information and sensitive data. |
| Workaround | No alternate method available. |
| References | Render journal field entries as HTML (t_RestrictTheCODETagInJrnalFlds) |
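As an added example (not ServiceNow's code and not part of the original article), the following Node.js script audits the property through the ServiceNow Table API (`/api/now/table/sys_properties`) and reports whether the instance matches the recommended value of false. The instance URL, credentials, and environment variable names are assumptions; the sample responses are constructed, not captured from a real instance. The evaluation is kept in a pure function so it can be checked offline, and it treats anything other than an explicit "false" (including "true", an empty value, or a missing record) as worth an admin's attention.

```javascript
// Added example: audit glide.ui.security.codetag.allow_script via the Table API.
// Assumptions: Node.js 18+ (global fetch), basic auth with a user holding the admin
// role, and the instance URL / credentials supplied through SN_INSTANCE, SN_USER,
// SN_PASSWORD (hypothetical variable names chosen for this example).

const PROPERTY = "glide.ui.security.codetag.allow_script";

// Evaluate a Table API response body of the form { result: [ { name, value }, ... ] }.
// Returns { compliant, value, reason }.
function assessAllowScript(body) {
  const rows = Array.isArray(body && body.result) ? body.result : [];
  const row = rows.find((r) => r.name === PROPERTY);
  if (!row) {
    // The article states the shipped default is false, so a missing record means the
    // default applies; the reason still tells the admin to confirm it explicitly.
    return { compliant: true, value: null, reason: "property record not present; default (false) applies" };
  }
  const value = String(row.value).trim().toLowerCase();
  if (value === "false") {
    return { compliant: true, value, reason: "[code] tags cannot render script" };
  }
  if (value === "true") {
    return { compliant: false, value, reason: "script inside [code] tags executes in other users' browsers" };
  }
  // Anything else ("", "1", "yes") is not the recommended value; set it explicitly to false.
  return { compliant: false, value, reason: "unexpected value; set explicitly to false" };
}

// Build the Table API query for just this property (name and value fields only).
function propertyUrl(instanceUrl) {
  const u = new URL("/api/now/table/sys_properties", instanceUrl);
  u.searchParams.set("sysparm_query", `name=${PROPERTY}`);
  u.searchParams.set("sysparm_fields", "name,value");
  u.searchParams.set("sysparm_limit", "1");
  return u.toString();
}

// Fetch the property from a live instance and evaluate it.
async function fetchAssessment(instanceUrl, user, password) {
  const res = await fetch(propertyUrl(instanceUrl), {
    headers: {
      Accept: "application/json",
      Authorization: "Basic " + Buffer.from(`${user}:${password}`).toString("base64"),
    },
  });
  if (!res.ok) throw new Error(`Table API request failed: HTTP ${res.status}`);
  return assessAllowScript(await res.json());
}

// Constructed sample responses for offline use (not captured from a real instance).
const SAMPLE_HARDENED = { result: [{ name: PROPERTY, value: "false" }] };
const SAMPLE_WEAK = { result: [{ name: PROPERTY, value: "true" }] };

if (typeof require === "function" && require.main === module) {
  if (process.env.SN_INSTANCE) {
    fetchAssessment(process.env.SN_INSTANCE, process.env.SN_USER, process.env.SN_PASSWORD)
      .then((r) => { console.log(r); process.exitCode = r.compliant ? 0 : 1; })
      .catch((e) => { console.error(e.message); process.exitCode = 2; });
  } else {
    console.log("hardened:", assessAllowScript(SAMPLE_HARDENED));
    console.log("weak:    ", assessAllowScript(SAMPLE_WEAK));
  }
}
```

Run it with `SN_INSTANCE=https://<instance>.service-now.com SN_USER=... SN_PASSWORD=... node audit-codetag.js`; the exit code is 0 only when the property is explicitly or by default false, so the script can sit in a periodic configuration check.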