Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
When defining a UI Page variable, its client script is escaped - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Known Error (Knowledge Base)
  • >
  • When defining a UI Page variable, its client script is escaped
KB0685296

When defining a UI Page variable, its client script is escaped


4706 Views Last updated : Aug 24, 2024 public Copy Permalink
KB Summary by Now Assist

Description

When defining a UI Page variable, its client script gets escaped if the glide.ui.escape_text and glide.ui.escape_all_script properties are set to true.

Steps to Reproduce

  1. Go to sys_properties.LIST and verify that the glide.ui.escape_all_script and glide.ui.escape_text system properties are set to true.

    This is the OOB value.

  2. Import the attached UI Page.

  3. Replace a line in the HTML UI Page Jelly code to make a call to the function callme() in the client script field.

    Change the line from:

        <g:sc_button id="test" title="title" label="testLabel" onclick="alert('test')" />

    to

        <g:sc_button id="test" title="title" label="testLabel" onclick="callme();" />

  4. In the client script field, add the following code:

    function callme(){
    var isDoctype = document.documentElement.getAttribute('data-doctype');
    alert("This page uses DocType: "+ isDoctype);
    }
  5. Navigate to Maintain Catalog Items > Access and create a new variable called [test_page] of Type UI Page.

    For more information, see the product documentation topic Types of Service Catalog variables.

  6. Under the Type Specification tab, select the UI Page: [TestButton] > Update.

    This places a test button on the catalog item Access.

  7. Try the Catalog Item by clicking on the test button.

    Note that that alert from the client script callme() does not work.

    Also note the following error in the browser console: "Uncaught ReferenceError: callme is not defined"

  8. Go to sys_properties.LIST and set the value for the glide.ui.escape_text or glide.ui.escape_all_script system properties to false.

  9. Create the new variable again.

    Note that the alert from the client script callme() now works.

Workaround

This is the intended behavior of UI Page variables. Escaping the script of the UI Page variable would make the catalog vulnerable to potential security attacks.


Related Problem: PRB653635

The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

Attachments

Attachments

  • sys_ui_page_ea516d62d7532100f2d224837e610398.xml

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.