Disable JavaScript tags in embedded HTML

  • Release version: Australia
  • Updated March 13, 2026
  • Use the glide.ui.security.codetag.allow_script property to disable support for embedding HTML and JavaScript code by using the [code] tag.

    If glide.ui.security.codetag.allow_script is not set to the recommended value of false, HTML is rendered in journal fields and forms, which opens the door to cross-site scripting (XSS) attacks. For this to happen, the malicious HTML must be placed between code tags, for example [code][/code].

    Ensure that the glide.ui.security.codetag.allow_script property exists in the System Properties [sys_properties] table and is set to false.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute                        Description
    Configuration name               glide.ui.security.codetag.allow_script
    Configuration type               System Properties (/sys_properties_list.do)
    Data type                        Boolean
    Recommended value                false
    Default value                    <none>
    Fallback value                   true
    Category                         Validation, sanitization, and encoding
    Security risk                    • Severity score:
                                     • CVSS rating:
                                     • Security risk details: Uncontrolled JavaScript risks Cross-Site Scripting (XSS) attacks, enabling malicious actors to inject and execute harmful scripts in the user's browser. Such attacks can lead to session hijacking, credential theft, and compromise of sensitive data.
    Functional impact                None
    Dependencies and prerequisites   None
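
    The check described above, as an added example that is not ServiceNow code: because the property has no default and a fallback value of true, a missing record is as much a finding as an explicit true. The row shape ({ name, value }), the function name, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: audit exported sys_properties rows for the codetag hardening.
// The row shape ({ name, value }) is an assumption modelled on a JSON export.
const PROPERTY = 'glide.ui.security.codetag.allow_script';
const FALLBACK = 'true';       // fallback value listed on this page
const RECOMMENDED = 'false';   // recommended value listed on this page

function auditCodetagProperty(rows) {
  const matches = rows.filter((r) => r && r.name === PROPERTY);

  // No record: the fallback value (true) applies, so absence is a finding.
  if (matches.length === 0) {
    return { compliant: false, effective: FALLBACK, finding: 'missing' };
  }

  // Normalise so that "FALSE " and "false" compare equal.
  const values = matches.map((r) => String(r.value ?? '').trim().toLowerCase());

  // Several records with differing values are ambiguous; flag for review.
  if (new Set(values).size > 1) {
    return { compliant: false, effective: null, finding: 'conflicting' };
  }

  const value = values[0];
  if (value === RECOMMENDED) {
    return { compliant: true, effective: value, finding: 'ok' };
  }

  // Conservative choice: anything that is not exactly "false" fails the check.
  return {
    compliant: false,
    effective: value,
    finding: value === 'true' ? 'enabled' : 'unexpected-value',
  };
}

// Constructed sample exports, not taken from a real instance.
const samples = {
  hardened: [{ name: PROPERTY, value: 'false' }],
  absent: [{ name: 'example.placeholder.property', value: 'false' }],
  enabled: [{ name: PROPERTY, value: 'TRUE ' }],
};

for (const [label, rows] of Object.entries(samples)) {
  console.log(label, JSON.stringify(auditCodetagProperty(rows)));
}
```

    The check only reads exported rows; given the warning above that the property is non-revertible, the change itself is left as a deliberate manual step.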