Escape HTML


This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Escape HTML

The system property glide.ui.escape_html_list_field controls whether HTML fields are escaped when they are rendered in a list view. HTML is one of the types that can be assigned to a dictionary field. A field of type HTML lets users format its content with HTML markup (for example <p>, <a href>, <b>, <font>, <img>). When you open a table list (for example /problem_list.do) or otherwise view a list of records, the content of such HTML-formatted fields is rendered as markup if that column is included in the list view and this property is set to false.

A malicious user can inject HTML into the form field so that unwanted scripts execute in other clients' or users' sessions. It is recommended to set this property to true so that HTML escaping is performed before the records and fields are rendered in the browser when the table is displayed as a list view.

Escape HTML

Property Name: glide.ui.escape_html_list_field
Configuration Type: System Properties (/sys_properties_list.do)
Purpose: To protect the application against cross-site scripting attacks
Requirement: Mandatory
Recommended Value: True
Default Behavior: Set to true
Revertible Behavior: N/A
Role Required: Security_admin
Release Version: Spring 2010
Functional Impact: (Medium) This remediation enforces HTML encoding on the UI at the HTML parser level and renders the encoded result back to the user. This can have a functional impact depending on how instance users interact with the resulting data.
Security Risk: (High) Input validation has to occur in the application to defend against cross-site scripting attacks, which allow foreign scripts to execute in the user's session in the logged-in browser's context. Attackers can leverage this to steal session information and sensitive data.
Workaround: If there is a corporate need to allow users to write HTML-formatted input, a custom business rule should be created to escape certain blacklisted HTML characters or tags, which can restrict script execution.
References: HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content (OWASP website); High Security Settings
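The escaping the property applies, and the escaping a business-rule workaround would have to reproduce, follow the OWASP rule cited in the references. The block below is an added example, not ServiceNow platform code: it implements that rule as escapeHtml() and simulates a list-view cell renderer whose escapeListField flag stands in for glide.ui.escape_html_list_field; the sample field value and the renderer are constructed for illustration.

```javascript
// Added example (not ServiceNow code): HTML-escaping an HTML field value the
// way the OWASP "HTML escape before inserting untrusted data into HTML element
// content" rule prescribes, and simulating what
// glide.ui.escape_html_list_field changes when a list view renders the field.

// Constructed sample: an HTML-typed field value that mixes legitimate
// formatting with an injected script element.
const SAMPLE_FIELD_VALUE =
  '<b>Printer offline</b> in <a href="/kb">KB</a><script>alert(1)</script>';

// The six characters that can change the HTML parsing context.
const HTML_ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITY_MAP[ch]);
}

// Simulated list-view cell renderer. `escapeListField` stands in for the
// value of glide.ui.escape_html_list_field (an assumption; the platform's
// real renderer is not reproduced here).
function renderListCell(fieldValue, escapeListField) {
  const content = escapeListField ? escapeHtml(fieldValue) : fieldValue;
  return `<td>${content}</td>`;
}

// Check a reviewer can run over rendered output: does any raw tag survive
// into the markup the browser will parse?
function containsRawTag(cellHtml) {
  const inner = cellHtml.replace(/^<td>|<\/td>$/g, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Render the same field with the property off and on.
function demo() {
  return {
    unsafe: renderListCell(SAMPLE_FIELD_VALUE, false),
    safe: renderListCell(SAMPLE_FIELD_VALUE, true),
  };
}

console.log(demo());
```

With the property off the script element reaches the browser unchanged; with it on the cell contains only text, and the formatting tags are shown literally, which is the functional impact the table describes.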
Updated on March 21, 2025