Escape JavaScript [Updated in Security Center 1.3]
- Updated Feb 1, 2024
- 1 minute read
- Washington DC
- Platform Security
Use the glide.html.escape_script property to force escaping of JavaScript (<script></script>) tags in HTML fields when they are rendered in list views.
The glide.html.escape_script property helps sanitize HTML fields. If it is not set to the recommended value of true, the content of HTML fields is not output-encoded from the backend Java context, so embedded JavaScript is not removed. JavaScript in HTML fields can lead to stored and reflected XSS, and XSS in turn makes privilege escalation to higher roles such as admin easy to attain, from which further lateral movement is possible.
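As an added example that is not ServiceNow's own code, the script below audits glide.html.escape_script and models the effect the property has when an HTML field is rendered in a list view. It assumes only the GlideSystem calls gs.getProperty and gs.setProperty (the ones a background script on an instance would use); the makeFakeGs stand-in and the simplified escapeScriptTags encoder are constructed so it runs offline and are not the platform's implementation.

```javascript
// Added example, not ServiceNow code. Audits glide.html.escape_script and
// models what the property does to <script> tags in an HTML field shown in a
// list view. The gs stand-in is constructed so this runs outside an instance.

const PROPERTY = 'glide.html.escape_script';

// Constructed stand-in for GlideSystem: only getProperty(key, alt) and
// setProperty(key, value) are modelled (assumption: nothing else is needed).
function makeFakeGs(initial) {
  const store = Object.assign({}, initial);
  return {
    getProperty: (key, alt) => (key in store ? store[key] : alt),
    setProperty: (key, value) => { store[key] = String(value); },
  };
}

// Reports whether the property is at the recommended value. A missing
// property is treated as 'false' because HTML fields are then not sanitized.
// Remediates (sets it to 'true') only when fix is true.
function checkEscapeScriptProperty(gs, fix) {
  const current = String(gs.getProperty(PROPERTY, 'false'));
  const compliant = current.toLowerCase() === 'true';
  const fixed = !compliant && Boolean(fix);
  if (fixed) gs.setProperty(PROPERTY, 'true');
  return { property: PROPERTY, previous: current, compliant, fixed };
}

// Simplified model of output encoding for the tags the page names: every
// <script ...> and </script> tag is entity-encoded so the browser displays
// it as text instead of executing it. Other markup in the field is kept.
function escapeScriptTags(html) {
  const encode = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
                         .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  return html.replace(/<\/?script\b[^>]*>/gi, encode);
}

// What a list view would emit for the field under the current setting.
function renderHtmlFieldForList(gs, html) {
  const escape = checkEscapeScriptProperty(gs, false).compliant;
  return escape ? escapeScriptTags(html) : html;
}

// Constructed sample: harmless markup plus an embedded script tag.
const SAMPLE_FIELD = '<b>Hello</b><script>alert(1)</script>';
```

On an instance, run checkEscapeScriptProperty(gs, true) as a background script to confirm and, if needed, correct the property; the encoder here only illustrates the effect and is not a substitute for the platform's own output encoding.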
More information
To learn more about adding or creating a system property, see Add a system property.