Escape HTML should be enabled

Impact area

Security

Severity

High

Affected element

System property

Rule ID

SN-0183

Impact

Setting the type of a table column to HTML allows its contents to be displayed with HTML formatting tags. However, it also opens a cross-site scripting (XSS) attack vector: a malicious user could inject HTML code into such a field and have unauthorised scripts executed when the field is rendered, for example in a list view.

Remediation

Set the system property "glide.ui.escape_html_list_field" to true so that the contents of HTML-typed columns are escaped when rendered in list views.
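The following Node-runnable JavaScript is an added illustration, not ServiceNow's own rendering code: it models how a list cell of an HTML-typed column is rendered with the property off versus on, using a constructed field value and a simulated property store (on a real instance the value would be read with gs.getProperty).

```javascript
// Added illustration, not ServiceNow's rendering code. Models the effect of
// glide.ui.escape_html_list_field on a list cell of an HTML-typed column.

// Minimal HTML escaping: neutralises the characters that can open a tag,
// close an attribute value or start an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simulated system-property store (a plain object). On a real instance you
// would read the value with gs.getProperty('glide.ui.escape_html_list_field').
function escapeHtmlListFieldEnabled(props) {
  // Properties are stored as strings; anything other than "true" is disabled.
  return String(props['glide.ui.escape_html_list_field']).toLowerCase() === 'true';
}

// Renders the cell of an HTML-typed column as it would appear in a list view.
function renderListCell(value, props) {
  const body = escapeHtmlListFieldEnabled(props) ? escapeHtml(value) : value;
  return '<td>' + body + '</td>';
}

// Check: does the rendered cell still contain a live HTML tag from the value?
function cellContainsMarkup(cell) {
  const inner = cell.slice('<td>'.length, -'</td>'.length);
  return /<\/?[a-z][^>]*>/i.test(inner);
}

// Constructed (hypothetical) field value a user could save into an HTML column.
const untrustedValue = '<img src=x onerror="alert(1)">';

// Weak setting: the markup passes through and the browser runs the handler.
const weakCell = renderListCell(untrustedValue, { 'glide.ui.escape_html_list_field': 'false' });
// Remediated setting from this rule: the same value is shown as literal text.
const fixedCell = renderListCell(untrustedValue, { 'glide.ui.escape_html_list_field': 'true' });

console.log('escaping off:', weakCell, '-> markup present:', cellContainsMarkup(weakCell));
console.log('escaping on: ', fixedCell, '-> markup present:', cellContainsMarkup(fixedCell));
```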

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-150, Improper Neutralization of Escape.

Last modified on Oct 13, 2020