How to Avoid “Unsafe” Prefix on Links

If you’ve ever tried creating a dynamic link with a non-standard protocol or prefix (e.g. file, sms, tel, ftp, local) in Service Portal, you may have noticed that it prepends “unsafe:” to the URL, rendering the link unusable.

The sanitization is a security measure against XSS attacks through HTML links. It comes from AngularJS, which maintains a whitelist of URL schemes it considers safe; any href whose scheme is not on that list is rewritten with the “unsafe:” prefix.

To fix this you will need to override the default whitelist by passing a regular expression to the application configuration. You can do this by creating a “js_include” in your portal theme and including the following script:

The https?|ftp|mailto part (and the schemes that follow it) is the regular expression you will want to extend with your own URL prefixes. Add only the schemes your portal actually needs, since every scheme you add is exempted from the XSS check.
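As an added illustration (not code from the original post or from ServiceNow), the following stand-alone script models how AngularJS decides whether to prefix an href with “unsafe:”, builds a widened whitelist from an explicit scheme list while refusing script-bearing schemes, and shows the config override as it would sit in a js_include. The scheme list, the normalizeHref stand-in for Angular’s URL resolver and the module name sn.$sp (taken from the comments below) are assumptions for this example; the real default whitelist varies by AngularJS release, so check the one your instance ships.

```javascript
// Added example, not code from the original post. Runs in Node without AngularJS;
// in a browser with AngularJS loaded, applyWhitelist() registers the override.

// Assumed default pattern for this example: the actual default differs between
// AngularJS 1.x releases, so confirm it against the version your portal uses.
const DEFAULT_WHITELIST = /^\s*(https?|ftp|mailto|tel|file):/;

// Schemes that must never be whitelisted: they execute script or embed content.
const NEVER_ALLOW = new Set(['javascript', 'data', 'vbscript']);

// Build a whitelist regex from an explicit list of schemes, rejecting anything
// unsafe. Matching is case-insensitive because browsers lowercase the scheme
// when they normalize a URL.
function buildWhitelist(schemes) {
  const parts = [];
  for (const s of schemes) {
    if (!/^[A-Za-z][A-Za-z0-9+.-]*$/.test(s)) throw new Error('invalid scheme: ' + s);
    if (NEVER_ALLOW.has(s.toLowerCase())) throw new Error('refusing to whitelist ' + s);
    parts.push(s.replace(/[.+]/g, '\\$&')); // escape regex metacharacters a scheme may contain
  }
  return new RegExp('^\\s*(' + parts.join('|') + '):', 'i');
}

// Constructed scheme list for this example (sms, skype and ciscotel come from the
// prefixes people ask about on this page).
const PORTAL_WHITELIST = buildWhitelist(
  ['http', 'https', 'ftp', 'mailto', 'tel', 'file', 'sms', 'skype', 'ciscotel']
);

// Minimal stand-in for AngularJS's urlResolve(): browsers normalize an anchor's
// href and lowercase its scheme. Assumed model so the example runs offline.
function normalizeHref(href) {
  const m = /^\s*([A-Za-z][A-Za-z0-9+.-]*):(.*)$/.exec(href);
  if (!m) return href.trim();
  return m[1].toLowerCase() + ':' + m[2];
}

// Models AngularJS's sanitizeUri decision: an href whose normalized form does not
// match the whitelist is rendered as "unsafe:" + the normalized value; otherwise
// the original value is kept as-is.
function sanitizeHref(href, whitelist) {
  const normalized = normalizeHref(href);
  if (normalized !== '' && !whitelist.test(normalized)) {
    return 'unsafe:' + normalized;
  }
  return href;
}

// The override described in the post, as it would go in a js_include on the
// portal theme. Returns false when AngularJS is not present (e.g. under Node).
function applyWhitelist(whitelist) {
  if (typeof angular === 'undefined') return false;
  angular.module('sn.$sp').config(['$compileProvider', function ($compileProvider) {
    $compileProvider.aHrefSanitizationWhitelist(whitelist);
  }]);
  return true;
}

// Stand-alone demonstration on constructed links.
for (const href of ['https://example.com/', 'CISCOTEL://+123', 'javascript:void(0)']) {
  console.log(href, '->', sanitizeHref(href, DEFAULT_WHITELIST),
              '| widened:', sanitizeHref(href, PORTAL_WHITELIST));
}
```

Two points the model makes visible: because the scheme is lowercased during normalization, a case-sensitive entry such as CISCOTEL in the whitelist can fail to match even though the prefix looks correct, so build the pattern case-insensitively; and widening the list only affects the schemes you name, so javascript: and similar links are still rewritten to unsafe: as long as you never add them.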

8 comments

  1. Hi Nathan,

    I’m not exactly sure what I should be doing to include this js_include in one of my themes.

    I’ve created a UI Script, titled it compileProvider and included it within the js_includes. In addition, I’ve also included |sip|im within the regex, to no avail.

    Can you provide a few more steps elaborating on this point: You can do this by creating a “js_include” in your portal theme and include the following script.

    Thanks,

    Edward

    1. Can you check in Chrome developer tools if that JavaScript is being included in your portal? It should be as simple as going to your portals theme record, and if the script is included in the js_includes related list, it should be getting loaded. Also maybe validate that your regex is valid.

      1. Hi Nathan,

        I have followed the same approach by adding the js_include in the related list, but I can still see the unsafe prefix in the URL.
        URL : unsafe:CISCOTEL://+123

        Is there anything I’m missing?

        Regards,
        Bhavin

        1. Did you modify the Regular Expression to include the CISCOTEL prefix? The above solution modifies the “whitelist”, but does not disable sanitization, so you’ll need to modify the script to include any prefixes that you’re using within the portal.

          1. Hi Nathan,

            Yes, I have included the prefix as below

            angular.module('sn.$sp').config(['$compileProvider', function ($compileProvider) {
              $compileProvider.aHrefSanitizationWhitelist(/^\s*(https?|ftp|mailto|file|skype|CISCOTEL):/);
            }]);

  2. Hi Nathan,

    Any updates on the unsafe link? I’m still facing the issue; I have included the code as mentioned above.

    Let me know if any other modification I need to make here.

  3. Hi Nathan,
    Are all those prefixes mandatory: ftp|mailto|file?
    Or could we only put
    /^\s*(https?|skype):/
    without trouble?

  4. Hello Nathan, how do you overcome ServiceNow’s word editor – example: Knowledge article not accepting the notes:// protocol and just wipes it out as not being a link on saving?
