This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Enable AJAXEvaluate.
The glide.script.allow.ajaxevaluate property belongs to the same family as 2.5 (glide.script.use.sandbox) and 3.9 (glide.script.secure.ajaxgliderecord): properties that secure and restrict the execution of scripts originating from the client. There are two cases within the system that allow the client to send scripts to the server for evaluation:
- Filters and/or queries: It is legal to send a filter to the server such as: assigned_to=javascript:getMyGroups().
- System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.
When this property is set to false, the system does not allow client scripts to use the AJAXEvaluate API call.
Enable AJAXEvaluate | |
---|---|
Property Name | glide.script.allow.ajaxevaluate |
Configuration Type | System Properties (/sys_properties_list.do) |
Purpose | Restrict arbitrary client script execution using the system API on the server side |
Requirement | Mandatory |
Recommended Value | False |
Default Behavior | Set to false |
Revertible behavior | N/A |
Role required | Security_admin |
Release Version | Fall 2009 |
Functional Impact | (Medium) This remediation turns the AJAXEvaluate processor off and could impact functionality if the customer explicitly uses the AJAXEvaluate processor in any customized scripts. For more information, see GlideAjax. |
Security Risk | (High) AJAXEvaluate can allow arbitrary JavaScript to execute on the client browser by leveraging the server-side objects. |
Workaround | No other workaround available. |
References | Script Sandboxing, GlideAjax |
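
The Functional Impact row warns that customized scripts calling AJAXEvaluate stop working once the property is false. The following pre-change check is an added example, not code from ServiceNow or the original article. It assumes the sys_properties rows and the instance's client-side script records were exported as JSON in the `{"result": [...]}` shape with `name`, `value` and `script` fields. The sample records and the call shape inside them are constructed.

```python
import json
import re

PROP = "glide.script.allow.ajaxevaluate"
# Match on the API name from the article only; no call signature is assumed.
TOKEN = re.compile(r"AJAXEvaluate", re.IGNORECASE)


def property_is_hardened(props_json):
    """True when the property is absent (the article's default is false) or false."""
    rows = json.loads(props_json)["result"]
    values = [r["value"] for r in rows if r["name"] == PROP]
    return all(v.strip().lower() == "false" for v in values)


def find_usages(scripts_json):
    """Return (record name, line number, line text, commented_out) per match."""
    hits = []
    for rec in json.loads(scripts_json)["result"]:
        for n, line in enumerate(rec.get("script", "").splitlines(), 1):
            if TOKEN.search(line):
                text = line.strip()
                hits.append((rec["name"], n, text, text.startswith("//")))
    return hits


# Constructed sample exports (assumed export shape, not real instance data).
SAMPLE_PROPS = json.dumps({"result": [{"name": PROP, "value": "true"}]})
SAMPLE_SCRIPTS = json.dumps({"result": [
    {"name": "Populate group (constructed)",
     "script": "function onLoad() {\n  var r = AJAXEvaluate(expr);\n}"},
    {"name": "Legacy helper (constructed)",
     "script": "// AJAXEvaluate call removed\nvar x = 1;"},
    {"name": "Unrelated (constructed)",
     "script": "g_form.setValue('state', 2);"},
]})

if __name__ == "__main__":
    state = "false (hardened)" if property_is_hardened(SAMPLE_PROPS) else "NOT false"
    print(f"{PROP}: {state}")
    for name, lineno, text, commented in find_usages(SAMPLE_SCRIPTS):
        kind = "comment only" if commented else "live reference"
        print(f"  {name}, line {lineno} ({kind}): {text}")
```

Live references are the scripts to rework before setting the property to false; comment-only matches are listed so they can be confirmed as dead code.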