Description

When defining a UI Page variable, its client script gets escaped if the glide.ui.escape_text and glide.ui.escape_all_script properties are set to true.

Steps to Reproduce

 

  1. Go to sys_properties.LIST and verify that the glide.ui.escape_all_script and glide.ui.escape_text system properties are set to true.

    This is the out-of-box (OOB) value.

  2. Import the attached UI Page.

  3. Replace a line in the HTML UI Page Jelly code to make a call to the function callme() in the client script field.

    Change the line from:

        <g:sc_button id="test" title="title" label="testLabel" onclick="alert('test')" />

    to

        <g:sc_button id="test" title="title" label="testLabel" onclick="callme();" />

  4. In the client script field, add the following code:

        function callme() {
            var isDoctype = document.documentElement.getAttribute('data-doctype');
            alert("This page uses DocType: " + isDoctype);
        }

  5. Navigate to Maintain Catalog Items > Access and create a new variable called [test_page] of Type UI Page.

    For more information, see the product documentation topic Types of Service Catalog variables.

  6. Under the Type Specification tab, select the UI Page: [TestButton] > Update.

    This places a test button on the catalog item Access.

  7. Try the Catalog Item by clicking on the test button.

    Note that the alert from the client script callme() does not work.

    Also note the following error in the browser console: "Uncaught ReferenceError: callme is not defined"

  8. Go to sys_properties.LIST and set the value for the glide.ui.escape_text or glide.ui.escape_all_script system properties to false.

  9. Create the new variable again.

    Note that the alert from the client script callme() now works.
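
Why step 7 ends in a ReferenceError, shown as an added example that is not part of the original article or the platform's own code. It assumes the two properties cause the client script text to be HTML-entity escaped before it reaches the browser; `escapeHtml`, `loadScript` and `compare` are hypothetical names.

```javascript
// Assumption: generic HTML-entity escaping. The platform's actual escaping
// routine is not shown in the article.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Client script from step 4 of the article.
const clientScript = [
  'function callme(){',
  "  var isDoctype = document.documentElement.getAttribute('data-doctype');",
  '  alert("This page uses DocType: " + isDoctype);',
  '}',
].join('\n');

// Parse a script body as raw text, the way a <script> element does (entities
// inside a script element are not decoded), then report whether callme
// exists afterwards. callme itself is never invoked, so no DOM is needed.
function loadScript(source) {
  try {
    const probe = new Function(source + '\nreturn typeof callme;');
    return { defined: probe() === 'function', error: null };
  } catch (err) {
    // An escaped quote such as &#39; is not valid JavaScript, so the whole
    // script is rejected and no function from it is ever declared.
    return { defined: false, error: err.name };
  }
}

// Compare the script as written with the script after escaping.
function compare() {
  return {
    raw: loadScript(clientScript),
    escaped: loadScript(escapeHtml(clientScript)),
  };
}

console.log(compare());
```

Because the escaped script fails to parse as a whole, the later `onclick="callme();"` call finds no such function, which matches the console error quoted in step 7.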

Workaround

This is the intended behavior of UI Page variables. Escaping the script of the UI Page variable would make the catalog vulnerable to potential security attacks.


Related Problem: PRB653635

Seen In

Eureka Patch 10
Eureka Patch 11 Hot Fix 2

Article Information

Last Updated: 2018-10-10 12:51:06
Published: 2018-04-30
sys_ui_page_ea516d62d7532100f2d224837e610398.xml