Property name: glide.ui.escape_all_script
Configuration type: System Properties (/sys_properties_list.do)
Configure in Instance Security Center: Yes

Purpose:
If the property is not set to true, developers have to perform several steps on each custom Jelly script to prevent XSS issues. These steps include locating the Jelly variables that are written to the output stream to be rendered on web pages, and escaping each of them with one of the following tags:
  ${JS:expression}
  ${HTML:expression}
  or
  ${JS,HTML:expression}

Recommended value: true

Functional impact:
(Medium) This remediation enforces Jelly escaping at the parser level. It can affect how users interact with the resulting data.

Security risk:
(High) All user input entered into the application must be validated. Doing so defends the platform against injection attacks.

Workaround:
The UI may be affected: some scripts and HTML tags intended to be rendered on a web page may appear broken, because this remediation sends the page to the browser with its output encoded. For example, instead of rendering 'my string here' with the <u> tag applied, the page might display the literal text '<u>my string here</u>', since the <u> tag was escaped. In this case, to suppress the JS escaping, add the NOESC prefix to the Jelly expression. For example:
  - Before: ($[jvar_context_menus]);
  - After:  ($[NOESC:jvar_context_menus]);
  - Before: $[jvar_ui_policy_scripts]
  - After:  $[NOESC:jvar_ui_policy_scripts]

References: High Security Settings Jelly tags
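As an added illustration that is not part of the hardening guide, the following constructed UI macro shows the explicit escaping a developer must write when the property is false, and the NOESC opt-out for the trusted markup variable from the workaround above. jvar_user_comment is a made-up variable standing for request-supplied text; RP.getParameterValue is assumed to be available in the page context, and jvar_ui_policy_scripts is the guide's own example of platform-generated markup.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide">
  <!-- Constructed example (not from the hardening guide). jvar_user_comment
       holds attacker-controllable text, e.g. "<u>my string here</u>" or a
       string containing quotes; RP availability is assumed for this context. -->
  <g:evaluate var="jvar_user_comment" object="false">
    RP.getParameterValue('sysparm_comment');
  </g:evaluate>

  <!-- Untrusted value written into the HTML body: HTML-escape it.
       With glide.ui.escape_all_script=true the parser escapes a bare
       ${jvar_user_comment} itself; with the property false the HTML: prefix
       is required, otherwise the <u> tag (or a <script> tag) is rendered. -->
  <div class="comment">${HTML:jvar_user_comment}</div>

  <!-- Untrusted value written into a script block: JS-escape it so a quote
       in the input cannot terminate the string literal. -->
  <script>
    var comment = "${JS:jvar_user_comment}";
  </script>

  <!-- Value placed in a JS string that the client later inserts as HTML:
       apply both encodings, JS for the literal and HTML for the markup. -->
  <script>
    var commentHtml = "${JS,HTML:jvar_user_comment}";
  </script>

  <!-- Trusted, platform-generated markup (the guide's workaround): NOESC
       opts this one expression out of escaping so it renders as intended.
       Reserve NOESC for variables the platform builds itself, never for
       values derived from user input. -->
  $[NOESC:jvar_ui_policy_scripts]
</j:jelly>
```

With the property set to true, the explicit JS:, HTML: and JS,HTML: prefixes become redundant for the parser but remain harmless, so existing macros that already escape keep working; only expressions that need raw output have to gain the NOESC prefix.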