Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Script sandboxing

Script sandboxing

There are two cases within the system that allow the client to send scripts to the server for evaluation.

  • Filters and/or queries: It is legal to send a filter to the server such as: assigned_to=javascript:getMyGroups().
  • System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.

If you enable script sandboxing, the script being evaluated via either of these two entry points runs within a reduced rights sandbox with the following characteristics:

  • Only those business rules marked client callable are available within the sandbox.
  • Only script includes marked client callable are available within the sandbox.
  • Certain API calls (largely but not entirely limited to those dealing with direct DB access) are not allowed.
  • Data cannot be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
These methods are not allowed in client scripts when script sandboxing is enabled.
Table 1. Restricted methods
Class Method
GlideRecord deleteMultiple(), deleteRecord(), insert(), update(), updateMultiple()
GlideSystem (gs) addErrorMessage(), addInfoMessage(), addMessage(), eventQueue(), flushMessages(), getEscapedProperty(), getProperty(), setProperty(), setRedirect(), setReturn(), workflowFlush()
ScopedGlideRecord deleteMultiple(), deleteRecord(), insert(), update(), updateMultiple()
ScopedGlideSystem (gs) addErrorMessage(), addInfoMessage(), eventQueue(), executeNow(), getProperty(), getSessionToken(), setRedirect()

If you run the system without script sandboxing enabled, then none of these restrictions apply.

Note: This property is activated by default when you activate the High Security Settings plugin. Do not activate this property outside of the plugin.
Property Default

Run client generated scripts (AJAXEvaluate and query conditions) inside a reduced rights "sandbox."

If enabled, only those business rules and script includes with the Client callable checkbox set to true are available and certain back-end API calls are disallowed.

Enabled (sandbox in use)

This site is scheduled for a small content update on Tuesday, December 18th, between the hours of 4:00pm and 8:00pm Pacific Time (Dec 19 00:00 – Dec 19 4:00 UTC). Access to this site may be slightly delayed during that time.