Iframe src attribute is getting discarded by HTMLSanitizer even after whitelisting it in script include HTMLSanitizerConfig

Steps to Reproduce

  • Make sure that the system properties are set to true
    • glide.html.sanitize_all_fields - true
    • glide.translated_html.sanitize_all_fields - true
  • Whitelist the iframe src attribute (and the other attributes needed) in the script include "HTMLSanitizerConfig", for example (the entry as written in the script include, with its braces closed):
    • iframe: {
          attribute: ["width", "height", "controls", "autoplay", "loop", "muted", "poster", "preload", "allow", "allowfullscreen", "frameborder", "src"],
          attributeValuePattern: {}
      }
  • Create any knowledge article and add the code below in the HTML source of the "Article body" field
    • <iframe src= "https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>
  • Save the form and check the HTML source of the "Article body" field again

Actual behavior: the src attribute is stripped, and the field is saved as <iframe width="800" height="600" allowfullscreen="allowfullscreen"></iframe>
Expected behavior: the source is kept unchanged as <iframe src= "https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>

Debug shows:
HTMLSanitizer: Context:tableName=kb_knowledge,columnName=text,displayValue=,sys_id=2417dd4fdb455010502b16f35b961971 Element:iframe Discard attribute(s):src,


Workaround 1:

Disable HTML sanitizing for the individual field, as follows:

  • Open the dictionary entry of the HTML Field (in this case, Article body)
  • Under Related Lists > Attributes, add a new attribute "HTML Sanitize" and set it to "false"

Workaround 2:

Any website that you want to embed in an iframe has to be listed in the system property `glide.html.enable_media_sites` (table `sys_properties`).
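To make the behaviour in the reproduction steps and in workaround 2 concrete, here is a small illustrative sanitizer written for this article. It is not ServiceNow's HTMLSanitizer and uses none of the platform's API; it only mirrors the shape of the HTMLSanitizerConfig entry quoted above (an attribute list plus an attributeValuePattern map) and adds a host allowlist that stands in for `glide.html.enable_media_sites`. The policy, the host lists and the sample markup are constructed for the demonstration. It shows why putting "src" on the attribute list is not enough on its own: a URL-bearing attribute also has to pass a value check, and a host that is not on the allowlist causes the attribute to be discarded, which is the "Actual behavior" above.

```javascript
// Illustrative attribute-allowlisting sanitizer (added example, NOT ServiceNow's
// HTMLSanitizer). Mirrors the shape of the HTMLSanitizerConfig entry quoted in
// the article; the host allowlist stands in for glide.html.enable_media_sites.

// Per-element policy in the same shape as the script include's config entry.
const policy = {
  iframe: {
    attribute: ["width", "height", "allow", "allowfullscreen", "frameborder", "src"],
    attributeValuePattern: {
      // Only an absolute https URL with no quote/angle characters is acceptable.
      src: /^https:\/\/[^\s"'<>]+$/i
    }
  }
};

// Attributes whose value is a URL are additionally checked against a host
// allowlist: being on the attribute list alone would permit any origin.
const URL_ATTRIBUTES = ["src"];

function hostAllowed(url, allowedHosts) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === "https:" && allowedHosts.includes(parsed.hostname);
}

// Sanitize a single element written as <tag attr="value" ...></tag>.
// Returns the rebuilt markup plus the names of the attributes that were dropped.
function sanitizeElement(html, allowedHosts) {
  const tagMatch = /^<([a-zA-Z]+)([^>]*)>/.exec(html.trim());
  if (!tagMatch) return { output: "", discarded: [] };
  const tag = tagMatch[1].toLowerCase();
  const rule = policy[tag];
  if (!rule) return { output: "", discarded: [] };      // unknown element: drop it

  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;        // fresh regex per call
  const kept = [];
  const discarded = [];
  let m;
  while ((m = attrRe.exec(tagMatch[2])) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2];
    const pattern = rule.attributeValuePattern[name];
    const ok = rule.attribute.includes(name)
      && (!pattern || pattern.test(value))
      && (!URL_ATTRIBUTES.includes(name) || hostAllowed(value, allowedHosts));
    if (ok) kept.push(`${name}="${value}"`); else discarded.push(name);
  }
  const attrs = kept.length ? " " + kept.join(" ") : "";
  return { output: `<${tag}${attrs}></${tag}>`, discarded };
}

// Constructed sample: the article body from the reproduction steps.
const SAMPLE = '<iframe src="https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>';

// Case 1: the host is not on the media-site list, so src is discarded
// (the "Actual behavior" in the article).
const withoutSite = sanitizeElement(SAMPLE, ["www.youtube.com"]);
// Case 2: the host is listed (workaround 2), so src survives.
const withSite = sanitizeElement(SAMPLE, ["www.youtube.com", "www.google.com"]);
// Case 3: a non-https value never passes, whatever the host list contains.
const badScheme = sanitizeElement('<iframe src="javascript:alert(1)" width="1"></iframe>', ["www.google.com"]);

console.log(withoutSite.output, withoutSite.discarded);
console.log(withSite.output, withSite.discarded);
console.log(badScheme.output, badScheme.discarded);
```

Run with `node`. The contrast between the two workarounds follows from the model: the host allowlist (workaround 2) keeps every other sanitizer check in place and only widens the set of embeddable origins, whereas turning "HTML Sanitize" off for the field (workaround 1) removes all of these checks for everything saved into that field.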

Related Problem: PRB1407495

Seen In

SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - GRC Workbench - New York 2019 Q3
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - IRM - SIG Assessment Legacy - Madrid 2019 Q1
SR - IRM - Vendor Risk Management - Madrid 2019 Q1

Intended Fix Version


Fixed In

Orlando Patch 8
Paris Patch 1

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.

Article Information

Last Updated: 2020-11-06 02:56:44