"Allow Javascript tags in Embedded HTML" property should be disabled

Rule ID

Impact

Journal fields have the ability to render text enclosed within code tags as HTML. There is an associated security risk, since any malicious user can write JS code that may be executed on a different client browser after the journal fields are rendered.

Remediation

Set the glide.ui.security.codetag.allow_script property to false to disable support for embedding Javascript tags using the [code] tag.

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-150 Improper Neutralization of Escape.