Allow embedded HTML code (instance security hardening)
- Updated Aug 3, 2023
- Vancouver
- Platform Security
The Vancouver release is no longer supported. As such, the product documentation and release notes are provided for informational purposes only, and will not be updated.
Use the glide.ui.security.allow_codetag property to disable support for embedding HTML code created using the [code] tag.
The Now Platform mitigates many injection and cross-site attacks by implementing
escaping and encoding techniques. As a result, users can't write or submit HTML-formatted
input in journal fields. But journal fields can render text enclosed within [code] tags as
HTML.
- However, there is an associated security risk. If the property is set to true, malicious users can write harmful HTML or JavaScript code that may be executed in a different client's browser when the journal fields are rendered.
- Set this property to false so that administrators can prevent journal fields from rendering HTML code by disabling support for the [code] tag.
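The behaviour described above, as an added example that is not ServiceNow code: a simplified JavaScript model of journal rendering with the property on and off, plus a review helper that flags existing [code] blocks containing script-capable markup. The function names, the regex heuristics and the sample entries are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model, not the Now Platform's renderer.
const CODE_BLOCK = /\[code\]([\s\S]*?)\[\/code\]/gi;
// Markup that can run script when rendered as HTML (heuristic, not exhaustive).
const ACTIVE_CONTENT = /<\s*(script|iframe|object|embed)\b|\son\w+\s*=|javascript:/i;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Model of the behaviour the page describes: all input is escaped, except
// [code] content, which is emitted as raw HTML when allowCodeTag is true.
// Assumption: with the property false, the whole block is escaped as text.
function renderJournal(text, allowCodeTag) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(CODE_BLOCK)) {
    out += escapeHtml(text.slice(last, m.index));
    out += allowCodeTag ? m[1] : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Review helper: list entries whose [code] blocks contain active content,
// so they can be examined before or after the property is set to false.
function auditEntries(entries) {
  const findings = [];
  for (const e of entries) {
    for (const m of e.text.matchAll(CODE_BLOCK)) {
      if (ACTIVE_CONTENT.test(m[1])) findings.push({ id: e.id, block: m[1] });
    }
  }
  return findings;
}

// Constructed sample journal entries (not real instance data).
const SAMPLE_ENTRIES = [
  { id: "note-1", text: "Rebooted host <b>db01</b>, see ticket." },
  { id: "note-2", text: "Steps: [code]<ul><li>Stop service</li></ul>[/code]" },
  { id: "note-3", text: "FYI [code]<img src=x onerror=alert(1)>[/code]" },
];

for (const e of SAMPLE_ENTRIES) {
  console.log(e.id, "| true:", renderJournal(e.text, true),
    "| false:", renderJournal(e.text, false));
}
console.log("flagged:", auditEntries(SAMPLE_ENTRIES).map((f) => f.id));
```

In this model only note-3 is flagged, and with the property set to false its markup reaches the page as escaped text rather than as an element.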
More information
To learn more about adding or creating a system property, see Add a system property.