Escape XML (instance security hardening)

Release version:
Washington DC
Vancouver
UpdatedFeb 1, 2024
2 minutes to read

Washington DC
Platform Security

The glide.ui.escape_text property forces escape of XML values at the parser level before transmitting them to the client's browser.

Note: This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support.

Cross-site scripting occurs when an attacker injects malicious JavaScript into an entry point. The platform/application fails to escape the malicious JavaScript before transmitting it to the victim's browser for execution. Escaping in this context means the following:

& --> &
< --> <
> --> >
" --> "
' --> '
/ --> /

Example: <script>alert('XSS Attack');</script>

Escaping: <script>alert('XSS Attack');</script>

More information

Search:


Attribute	Description
Property name	glide.ui.escape_text
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	Escaping XML ensures that browsers do not parse the malicious JavaScript embedded in untrusted data, and execute it as JavaScript. A malicious user may try XSS attack to either hijack other users' session or redirect the user to a malicious website. The ServiceNow AI Platform contains code to secure cookies, but escaping it relies on this property being set to true.
Recommended value	true
Functional Impact	This remediation enforces XML encoding at the XML parser level on the UI. It renders the encoded results for the user, which can have a functionality impact based on the instance user interaction with the resulted data.
Security risk	(High) Input validation must occur on the application to defend against cross-site scripting attacks. These attacks enable foreign scripts to execute on user session in the logged in browser's context. Attackers can use it to steal session information and sensitive data.
Workaround	After you set this property to true, rendering stops on the HTML tags in the catalog item description or in the catalog item variable help text. You may not be able to use HTML formatting for some fields. However, if the glide.ui.escape_text property is turned of, all JEXL expressions would be prefixed with an output encoder: `$⁠{JS:expression}` `$⁠{HTML:expression}` or `$⁠{JS,HTML:expression}`
References	High Security Settings

To learn more about adding or creating a system property, see Add a system property.

Washington DC Platform security

Filters

Versions

Products