GROW

Disable Embedded HTML Code property

This issue is found automatically by CODA.
Time to fix: 30min

What is embedding HTML in a document?

Embedding HTML code means incorporating HTML, the markup language used to build web pages, into another document or platform by inserting HTML elements or tags into that document or system. To meet the customization needs of different customers, ServiceNow provides a system property called glide.ui.security.allow_codetag, which allows HTML wrapped in [code] tags in text fields to be rendered as HTML rather than displayed as escaped text.

Why is this an issue?

Even within ServiceNow, these tags can be abused by attackers to hijack a user's account or steal confidential information. A common example is cross-site scripting, usually abbreviated XSS: an injection attack in which malicious script is inserted into pages that users otherwise trust, and then runs in their browsers.

In a customer instance, such an attack can lead to unauthorized access and give the attacker an opportunity to read sensitive data.

How do I fix it?

To fix this issue and enhance the security of your instance, follow these steps:

  1. In the Filter Navigator, type sys_properties.list and press Enter.

  2. Search for glide.ui.security.allow_codetag.

  3. Set the Value field of that property to false.
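To make the property's effect and the check concrete, here is an added Node.js example (not code from the page, GROW/CODA or ServiceNow): it models how a text field containing [code] tags reaches the browser under each setting, and audits sys_properties records, as fetched through the ServiceNow Table API, for the finding. The rendering function is a simplified approximation of the property's behaviour, and the instance URL and credentials are placeholders.

```javascript
// Added example: not code from the original page, GROW/CODA or ServiceNow.
// It models the effect of glide.ui.security.allow_codetag on a text field and
// audits sys_properties records for the finding. The rendering model is a
// simplified approximation of the property's behaviour, not ServiceNow's code.
const PROPERTY_NAME = 'glide.ui.security.allow_codetag';

// Escape user-supplied text so the browser shows it instead of interpreting it.
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Property off: the whole value is escaped (inert text). Property on: anything
// inside [code]...[/code] passes through unescaped, so markup written into the
// field by any user who can edit it is rendered in other users' browsers.
function renderFieldText(text, allowCodeTag) {
  if (!allowCodeTag) return escapeHtml(text);
  // split() with a capturing group alternates: plain, code, plain, code, ...
  const parts = text.split(/\[code\]([\s\S]*?)\[\/code\]/);
  return parts.map((p, i) => (i % 2 === 1 ? p : escapeHtml(p))).join('');
}

// Evaluate sys_properties records (the shape of a Table API result) for the
// property. A missing record is flagged for review, not assumed safe.
function auditAllowCodetag(records) {
  const rec = records.find((r) => r.name === PROPERTY_NAME);
  if (!rec) return { value: null, compliant: false, reason: 'property not defined; check the effective default' };
  const value = String(rec.value).trim().toLowerCase();
  return value === 'false'
    ? { value, compliant: true, reason: 'embedded HTML via [code] tags is disabled' }
    : { value, compliant: false, reason: `set ${PROPERTY_NAME} to false` };
}

// Fetch the live record through the Table API (Node 18+ provides fetch).
// instanceBase and the Basic-auth credential are placeholders to fill in.
async function fetchSysProperties(instanceBase, basicAuthB64, name = PROPERTY_NAME) {
  const url = `${instanceBase}/api/now/table/sys_properties` +
    `?sysparm_query=name=${encodeURIComponent(name)}&sysparm_fields=name,value`;
  const res = await fetch(url, { headers: { Accept: 'application/json', Authorization: `Basic ${basicAuthB64}` } });
  if (!res.ok) throw new Error(`Table API returned HTTP ${res.status}`);
  return (await res.json()).result; // array of { name, value }
}

// Constructed sample records standing in for a Table API response.
const SAMPLE_RECORDS = [{ name: PROPERTY_NAME, value: 'true' }, { name: 'example.other.property', value: 'x' }];
console.log(auditAllowCodetag(SAMPLE_RECORDS).reason); // set glide.ui.security.allow_codetag to false
```

For a live check, await fetchSysProperties('https://<instance>.service-now.com', '<base64 user:password>') and pass the returned array to auditAllowCodetag.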