Enable the script sandbox property (glide.script.use.sandbox) to run client-generated scripts inside a sandbox that has restricted rights.

Note: This property is enabled by default when you activate the High Security Settings plugin. Don’t enable this property outside of the plugin.

There are two cases within the system that allow the client to send scripts to the server for evaluation.

  • Filters or queries: It’s legal to send a filter to the server such as: assigned_to=javascript:getMyGroups().
  • System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.
If you enable the script sandbox property (glide.script.use.sandbox), the script being evaluated via either of these two entry points runs within a reduced-rights sandbox with the following characteristics:
  • Only those business rules marked Client callable are available within the sandbox.
  • Only script includes marked Sandbox enabled are available within the sandbox.
  • Certain API calls (largely but not entirely limited to those dealing with direct DB access) aren’t allowed.
  • Data can’t be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
Note: Beginning with the Xanadu release, script includes marked as Glide AJAX enabled (previously named Client callable) aren’t accessible within the sandbox. Only those marked Sandbox enabled are available within the sandbox. When upgrading to the Xanadu release from the Washington DC release or earlier, any script includes marked as Client callable are also marked as Sandbox enabled.
Property Description
glide.script.use.sandbox Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights "sandbox."

If true, only those business rules with the Client callable option selected and script includes with the Sandbox enabled option selected are available and certain back-end API calls are disallowed.

Restricted methods with sandbox enabled

These methods aren’t supported in client-generated scripts when script sandboxing is enabled.

Note: The GlideSystem (gs) methods log(), logError(), and logWarning() can be enabled with script sandboxing by setting the glide.security.sandbox_no_logging system property to false.

If you run the system without script sandboxing enabled, then none of these restrictions apply.

Table 1. Restricted methods
ClassMethod
GlideRecord
  • deleteMultiple()
  • deleteRecord()
  • getRowCount()
  • insert()
  • update()
  • updateMultiple()
GlideSystem (gs)
  • addErrorMessage()
  • addInfoMessage()
  • addMessage()
  • eventQueue()
  • flushMessages()
  • getEscapedProperty()
  • getProperty()
  • log()
  • logError()
  • logWarning()
  • setProperty()
  • setRedirect()
  • setReturn()
  • workflowFlush()
ScopedGlideRecord
  • deleteMultiple()
  • deleteRecord()
  • insert()
  • update()
  • updateMultiple()
ScopedGlideSystem (gs)
  • addErrorMessage()
  • addInfoMessage()
  • debug()
  • eventQueue()
  • executeNow()
  • getProperty()
  • getSessionToken()
  • info()
  • setRedirect()
GlideDate

GlideDateTime

GlideTime
  • add()
  • addDays()
  • addDaysLocalTime()
  • addDaysUTC()
  • addMonthsLocalTime()
  • addMonths()
  • addSeconds()
  • addWeeks()
  • addYears()
  • compareTo()
  • getByFormat()
  • getDate()
  • getDayOfWeek()
  • getDayOfWeekUTC
  • getDayOfWeekLocalTime()
  • getDayOfMonth()
  • getDayOfMonthLocalTime()
  • getDayOfMonthNoTZ()
  • getDayOfWeek()
  • getDayOfWeekLocalTime()
  • getDayOfWeekUTC()
  • getHourOfDayLocalTime()
  • getHourOfDayUTC()
  • getDaysInMonth()
  • getDaysInMonthUTC()
  • getDaysInMonthLocalTime()
  • getDisplayValueInternal()
  • getDisplayValue()
  • getHourLocalTime()
  • getLocalDate()
  • getLocalTime()
  • getMinutesLocalTime()
  • getMinutesUTC()
  • getMonthLocalTime()
  • getMonthNoTZ()
  • getMonthUTC()
  • getNumericValue()
  • getSeconds()
  • getTime()
  • getTZOffset()
  • getValue()
  • getYear()
  • getUserTimeZone()
  • getWeekOfYearLocalTime()
  • getWeekOfYearUTC()
  • getYearUTC()
  • getYearLocalTime()
  • isDST()
  • onOrAfter()
  • onOrBefore()
  • setDayOfMonthUTC()
  • setDisplayValue()
  • setMonth()
  • setNumericValue()
  • setTZ()
  • setValue()
  • setValueUTC()
  • subtract()
  • toString()
GlideSchedule
  • add()
  • isInSchedule()
  • Load()
  • whenNext()