Description

The src attribute of an iframe is discarded by HTMLSanitizer even after it has been whitelisted for the iframe element in the HTMLSanitizerConfig script include.

Steps to Reproduce

  • Make sure that the following system properties are set to true:
    • glide.html.sanitize_all_fields - true
    • glide.translated_html.sanitize_all_fields - true
  • Whitelist src and the other iframe attributes in the script include "HTMLSanitizerConfig" as below:

        iframe: {
          attribute: ["width", "height", "controls", "autoplay", "loop", "muted", "poster", "preload", "allow", "allowfullscreen", "frameborder", "src"],
          attributeValuePattern: {}
        },
  • Create any knowledge article and add the code below to the HTML source of the "Article body" field:
    • <iframe src="https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>
  • Save the form and check the HTML source of the "Article body" field again.


Actual behavior: the src attribute is stripped and the stored source reads <iframe width="800" height="600" allowfullscreen="allowfullscreen"></iframe>
Expected behavior: the source is stored unchanged as <iframe src="https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>

The HTMLSanitizer debug log shows:
HTMLSanitizer: Context:tableName=kb_knowledge,columnName=text,displayValue=,sys_id=2417dd4fdb455010502b16f35b961971 Element:iframe Discard attribute(s):src,

Workaround

Workaround 1:

Disable HTML sanitization for the field itself, as below. Note that this turns sanitization off for everything saved to that field: any HTML, including script, entered by a user who can edit the field is stored unmodified and later rendered to readers of the article, so prefer Workaround 2 whenever the sites to be embedded are known.

  • Open the dictionary entry of the HTML Field (in this case, Article body)
  • Under Related lists > Attributes > Add a new attribute "HTML Sanitize" and set it to "false"

Workaround 2:

Add the host of every site you want to embed in an iframe to the system property `glide.html.enable_media_sites` (in `sys_properties`). The attribute whitelist in HTMLSanitizerConfig only decides which attributes may appear on the element; the value of a URL-bearing attribute such as iframe src is still checked against this list of allowed media hosts, and a src that points anywhere else is discarded.
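To make the two checks concrete, here is an added model of the behaviour described in the reproduction steps and in Workaround 2 (example code written for this article, not ServiceNow's HTMLSanitizer source): a per-element attribute allowlist in the shape of the HTMLSanitizerConfig entry above, plus a separate host allowlist standing in for glide.html.enable_media_sites that is applied to URL-bearing attributes. The element, attribute and host names come from the page; the function names, the URL_ATTRIBUTES set, the regex-based tag parser and the rule that only http(s) URLs are accepted are assumptions of the example.

```javascript
// Added illustration, not ServiceNow's HTMLSanitizer source. Models the two
// independent checks the article's behaviour implies: an attribute allowlist per
// element (what HTMLSanitizerConfig controls) and a host allowlist for URL-bearing
// attributes such as iframe src (what glide.html.enable_media_sites controls).
// Passing the first check does not bypass the second.

// Assumption of the example: attributes whose value is a URL and therefore
// subject to the host allowlist.
const URL_ATTRIBUTES = new Set(["src", "href", "poster"]);

// Per-element attribute allowlist, in the shape of the HTMLSanitizerConfig entry.
const elementConfig = {
  iframe: {
    attribute: ["width", "height", "allow", "allowfullscreen", "frameborder", "src"],
    attributeValuePattern: {},
  },
};

// Parse one element's opening tag into { tag, attrs }. Regex is enough for the
// constructed inputs below; it is not a general HTML parser.
function parseTag(html) {
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/.exec(html.trim());
  if (!m) return null;
  const attrs = {};
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*"([^"]*)"/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
  return { tag: m[1].toLowerCase(), attrs };
}

// True when the value is an http(s) URL whose host is on the media-site list.
// A javascript: or data: URL never passes, however wide the host list is.
function hostAllowed(value, mediaSites) {
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return mediaSites.includes(url.hostname.toLowerCase());
}

// Sanitize one element. Returns { html, discarded }, where discarded lists the
// attribute names removed, mirroring the "Discard attribute(s):" debug line.
function sanitizeElement(html, config, mediaSites) {
  const parsed = parseTag(html);
  if (!parsed) return { html: "", discarded: [] };
  const rule = config[parsed.tag];
  if (!rule) return { html: "", discarded: Object.keys(parsed.attrs) };
  const kept = [];
  const discarded = [];
  for (const [name, value] of Object.entries(parsed.attrs)) {
    let ok = rule.attribute.includes(name);                       // check 1: attribute allowlist
    const pattern = rule.attributeValuePattern[name];
    if (ok && pattern && !pattern.test(value)) ok = false;        // optional value pattern
    if (ok && URL_ATTRIBUTES.has(name) && !hostAllowed(value, mediaSites)) ok = false; // check 2: host allowlist
    if (ok) kept.push(`${name}="${value}"`); else discarded.push(name);
  }
  const attrText = kept.length ? " " + kept.join(" ") : "";
  return { html: `<${parsed.tag}${attrText}></${parsed.tag}>`, discarded };
}

// Constructed sample input, taken from the article's reproduction step.
const SAMPLE = '<iframe src="https://www.google.com" width="800" height="600" allowfullscreen="allowfullscreen"></iframe>';

// Host not on the media-site list: src is discarded although it is whitelisted.
const stripped = sanitizeElement(SAMPLE, elementConfig, ["www.youtube.com"]);
// Workaround 2: add the host to the list and src survives.
const kept = sanitizeElement(SAMPLE, elementConfig, ["www.youtube.com", "www.google.com"]);
// Non-http scheme: discarded regardless of the host list.
const scheme = sanitizeElement('<iframe src="javascript:alert(1)"></iframe>', elementConfig, ["www.google.com"]);

console.log(stripped.html, "discarded:", stripped.discarded);
console.log(kept.html, "discarded:", kept.discarded);
```

Running the block prints the stripped element first, matching the "Actual behavior" above, and the intact element once www.google.com is on the host list. The point of the model is that the host check runs after, and independently of, the attribute allowlist, which is why editing HTMLSanitizerConfig alone cannot make the src survive.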


Related Problem: PRB1407495

Seen In

There is no data to report.

Intended Fix Version

Quebec

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.

Associated Community Threads

There is no data to report.

Article Information

Last Updated:2020-06-18 00:04:54
Published:2020-06-15