Use the glide.html.escape_script property to force escape from JavaScript (<script></script>) tags in HTML fields during list views.

The glide property glide.html.escape_script helps sanitize HTML fields. If glide.html.escape_script is not set to the recommended value of true, then inputs will not be sanitized for HTML fields (output encoding) from a backend Java context by removing embedded JavaScript. Javascript in HTML fields can lead to stored and reflected XSS. The ability to have XSS can lead to easily attained privilege escalation to higher roles such as admin where more lateral movement can be taken.

Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information

To learn more about adding or creating a system property, see Add a system property.