Enabling External Links via Embed in ServiceNow

Issue

A customer inquired about embedding an external URL into their ServiceNow instance and whether doing so could pose a security risk, such as HTML or script injection.

Symptoms

- Uncertainty about whether embedded external URLs are safe.
- Concern about exposing the instance to security vulnerabilities via iframes or script injections.
- Specific request involves embedding authenticated third-party links.

Release

All Releases

Cause

Embedding external content (e.g., via <iframe> or <embed>) can introduce risks if proper sanitization is not enforced. These risks include:

- Cross-site scripting (XSS)
- Unauthorized data access
- Content spoofing
- Credential leaks if session tokens or login credentials are inadvertently shared

Resolution

To manage the inclusion of external links safely:

1. Use the HTML Sanitizer Configuration
   - Navigate to System UI > HTML Sanitizer.
   - Configure whitelist tags and attributes for embedding (e.g., iframe, src, width, height).
   - Optionally, blacklist specific domains or attributes that should never be allowed.

2. Review Security Policies with Internal Teams
   - Evaluate the business need for embedding the content.
   - Involve Security SMEs or your organization's risk team to assess the potential attack vectors.
   - Verify whether embedded content requires authentication or contains sensitive information.

3. Best Practices
   - Limit embedded URLs to trusted sources.
   - Avoid passing sensitive data via URL parameters.
   - Use sandboxed iframes if embedding is necessary, and restrict permissions (e.g., sandbox, allow-scripts).

4. Support Scope
   - ServiceNow Support can assist in configuring the HTML sanitizer but cannot validate business-specific security risks.

Related Links

- Exploring HTML sanitizer
- Recommendations for developing widgets
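
The three items under Best Practices can be enforced in one place before any embed markup is written. The following is an added example, not ServiceNow code or a ServiceNow API: the function names, the allowlisted host `reports.example.com` and the list of sensitive parameter names are constructed assumptions, and the sanitizer configuration is assumed to permit the attributes it emits.

```javascript
// Added example; all names are hypothetical, not part of any ServiceNow API.
const TRUSTED_HOSTS = new Set(['reports.example.com']); // constructed allowlist
const SENSITIVE_PARAMS =
  /^(token|access_token|session|sessionid|password|apikey|api_key|secret)$/i;

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Returns { ok: true, html } or { ok: false, reason }.
function buildSandboxedIframe(rawUrl, opts = {}) {
  let url;
  try {
    url = new URL(rawUrl); // rejects relative and malformed input
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme must be https' };
  }
  // "https://trusted@other.host/" parses with trusted as the username.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // url.host includes any non-default port, so the match is exact.
  if (!TRUSTED_HOSTS.has(url.host)) {
    return { ok: false, reason: 'host not in allowlist' };
  }
  for (const name of url.searchParams.keys()) {
    if (SENSITIVE_PARAMS.test(name)) {
      return { ok: false, reason: 'sensitive parameter: ' + name };
    }
  }
  // An empty sandbox attribute applies every restriction. allow-scripts is
  // added only on request; allow-same-origin is never emitted.
  const sandbox = opts.allowScripts ? 'allow-scripts' : '';
  const width = Number.isInteger(opts.width) ? opts.width : 800;
  const height = Number.isInteger(opts.height) ? opts.height : 600;
  const html = '<iframe src="' + escapeAttr(url.href) + '" sandbox="' + sandbox +
    '" referrerpolicy="no-referrer" width="' + width + '" height="' + height +
    '"></iframe>';
  return { ok: true, html };
}
```

Matching on the parsed `url.host` rather than on a substring of the raw string is what keeps lookalike hosts and userinfo tricks out of the allowlist check.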