Disable embedded HTML code [Updated in Security Center 1.3]
- Updated Feb 1, 2024
- Washington DC
- Platform Security
Use the glide.ui.security.allow_codetag property to disable support for embedding HTML code created using the [code] tag.
The ServiceNow AI Platform mitigates many injection and cross-site attacks by implementing escaping and encoding techniques. As a result, users can't write or submit HTML-formatted input in journal fields. But journal fields can render text enclosed within [code] tags as HTML.
- However, there is an associated security risk. If the property is set to true, malicious users can write harmful HTML and JavaScript code that may be executed in a different client's browser when the journal fields are rendered.
- Set this property to false to disable support for the [code] tag, which prevents journal fields from rendering HTML code.
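The difference between the two settings, as an added example (not ServiceNow code): a simplified model of journal rendering in which `allowCodeTag` stands for the value of glide.ui.security.allow_codetag. The function names, the sample entry, and the way literal tag text is shown when the property is false are assumptions.

```javascript
// Simplified model of journal-field rendering (assumption, not the platform's implementation).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// allowCodeTag mirrors the value of glide.ui.security.allow_codetag.
function renderJournalEntry(text, allowCodeTag) {
  if (!allowCodeTag) {
    return escapeHtml(text); // property false: the whole entry is treated as text
  }
  let out = '';
  let pos = 0;
  const re = /\[code\]([\s\S]*?)\[\/code\]/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(pos, m.index)); // outside the tag: escaped
    out += m[1];                                 // inside the tag: emitted as HTML
    pos = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(pos));
}

// True when rendered output contains markup a browser would act on
// (a script element or an inline event-handler attribute).
function containsActiveMarkup(html) {
  return /<\s*script\b|<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample journal entry.
const entry =
  'Status <update>: [code]<b>done</b><script>/* placeholder */</script>[/code]';

const withTag = renderJournalEntry(entry, true);     // property set to true
const withoutTag = renderJournalEntry(entry, false); // property set to false

console.log(withTag, containsActiveMarkup(withTag));
console.log(withoutTag, containsActiveMarkup(withoutTag));
```

With the property true, only the text outside the tag is escaped, so whatever the author placed inside [code] reaches every viewer's browser as markup.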