This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Client Generated Scripts Sandbox.
Cross-site scripting (XSS) occurs when an attacker injects malicious JavaScript at an entry point and the platform or application fails to escape it before transmitting it to the victim's browser, where it executes. When the glide.ui.escape_text property is enabled, XML values are escaped at the parser level before they are sent to the client's browser.
Escaping here means the following substitutions:
`&` -> `&amp;`
`<` -> `&lt;`
`>` -> `&gt;`
`"` -> `&quot;`
`'` -> `&#x27;`
`/` -> `&#x2F;`
Example: `<script>alert('XSS Attack');</script>`
Escaped: `&lt;script&gt;alert(&#x27;XSS Attack&#x27;);&lt;&#x2F;script&gt;`
| Escape XML | |
|---|---|
| Property Name | glide.ui.escape_text |
| Configuration Type | System Properties (/sys_properties_list.do) |
| Purpose | Escaping ensures that browsers do not parse the malicious JavaScript embedded in untrusted data as JavaScript and execute it. A malicious user may attempt an XSS attack to hijack other users' sessions or redirect a user to a malicious website. ServiceNow has an implementation in place to secure cookies, but escaping relies on this property being set to true. |
| Requirement | Mandatory |
| Recommended Value | True |
| Default Behavior | Set to true |
| Revertible behavior | N/A |
| Role required | security_admin |
| Release Version | 2011 June |
| Functional Impact | (Medium) This remediation enforces XML encoding on the UI at the XML parser level, so encoded results are rendered back to the user. This can affect functionality, depending on how the instance's users interact with the resulting data. |
| Security Risk | (High) Input validation has to occur in the application to defend against cross-site scripting attacks, which would allow foreign scripts to execute in the user's session in the logged-in browser's context. Attackers can leverage this to steal session information and sensitive data. |
| Workaround | After the property is set to true, ServiceNow stops rendering HTML tags written in the description of a catalog item or in the help text of a catalog item variable, so HTML formatting may be unavailable for some fields. Some customers nevertheless require glide.ui.escape_text to be turned off. In that case, every JEXL expression should be prefixed with an output encoder: `${JS:expression}`, `${HTML:expression}`, or `${JS,HTML:expression}`. |
| References | XMLUtilJS |
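The six-character escape listed above and the output-encoder prefixes from the Workaround row, as an added example that is not ServiceNow's code: the `\xHH` behaviour of the JS encoder and the JS-then-HTML nesting order for `${JS,HTML:expression}` are assumptions about what such encoders do, not the platform's documented implementation.

```javascript
// Added example, not ServiceNow's own code. Implements the six-character
// HTML/XML escape the article lists, a JavaScript-string encoder (assumed
// behaviour, standing in for the ${JS:...} encoder), and a check a tester
// can run over rendered output.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Escape untrusted text for an HTML/XML text or attribute context
// (what glide.ui.escape_text applies at the XML parser level, and what
// the ${HTML:expression} prefix asks for when the property is off).
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode untrusted text for a JavaScript string-literal context by
// hex-escaping every character outside [A-Za-z0-9 ]. This is the
// conventional approach, assumed here for the ${JS:expression} prefix.
function escapeJs(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// A value landing in a JS string inside an HTML attribute is parsed by the
// HTML parser first, then by the JS engine, so it is encoded innermost
// context first: JS, then HTML (the order assumed for ${JS,HTML:expression}).
function escapeJsThenHtml(value) {
  return escapeHtml(escapeJs(value));
}

// True if a string still carries characters that start markup or break out
// of a quoted attribute; useful as an assertion over escaped output.
function containsRawMarkup(s) {
  return /[<>"']/.test(s);
}

// Constructed sample: the article's own payload.
const SAMPLE = "<script>alert('XSS Attack');</script>";
```

Note that escapeHtml is not idempotent: running it over data that the platform has already escaped turns `&lt;` into `&amp;lt;`, which is the kind of visible double encoding the Functional Impact row warns about.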