Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

The script sandbox property

Log in to subscribe to topics and get notified when content changes.

The script sandbox property

Enable the script sandbox property (glide.script.use.sandbox) to run client generated scripts inside a sandbox that has restricted rights.

There are two cases within the system that allow the client to send scripts to the server for evaluation.
  • Filters and/or queries: It is legal to send a filter to the server such as: assigned_to=javascript:getMyGroups().
  • System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.

If you enable the script sandbox property (glide.script.use.sandbox), the script being evaluated via either of these two entry points runs within a reduced rights sandbox with the following characteristics:

  • Only those business rules marked client callable are available within the sandbox.
  • Only script includes marked client callable are available within the sandbox.
  • Certain API calls (largely but not entirely limited to those dealing with direct DB access) are not allowed.
  • Data cannot be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
These methods are not allowed in client scripts when script sandboxing is enabled.
Table 1. Restricted methods
Class Method
GlideRecord deleteMultiple(), deleteRecord(), insert(), update(), updateMultiple()
GlideSystem (gs) addErrorMessage(), addInfoMessage(), addMessage(), eventQueue(), flushMessages(), getEscapedProperty(), getProperty(), setProperty(), setRedirect(), setReturn(), workflowFlush()
ScopedGlideRecord deleteMultiple(), deleteRecord(), insert(), update(), updateMultiple()
ScopedGlideSystem (gs) addErrorMessage(), addInfoMessage(), eventQueue(), executeNow(), getProperty(), getSessionToken(), setRedirect()

If you run the system without script sandboxing enabled, then none of these restrictions apply.

Note: This property is activated by default when you activate the High Security Settings plugin. Do not activate this property outside of the plugin.
Property Default

Run client generated scripts (AJAXEvaluate and query conditions) inside a reduced rights "sandbox."

If enabled, only those business rules and script includes with the Client callable checkbox set to true are available and certain back-end API calls are disallowed.

Enabled (sandbox in use)