Enable Jelly JS interpolation protection for nested expressions [Updated in Security Center 2.0]

Manage the interpolation protection on your instance.

Use the glide.ui.jelly.js_interpolation.protect_nested_expressionsproperty to manage interpolation protection. Interpolation protection ensures that when Jelly expressions are used in JavaScript, that they must be deemed as safe by either falling under certain categories or being marked as SAFE in the expression itself. Without this mitigation enabled, a bad actor can send a GET parameter to a Jelly page and cause the contents of that parameter to be evaluated as server-side JavaScript with admin privileges. If this property is not set to the recommended value of true, malicious Jelly expressions interpolated in JavaScript are allowed and a user can execute code using a Jelly template.

Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information

AttributeDescription
Configuration name glide.ui.jelly.js_interpolation.protect_nested_expressions
Configuration type System Properties (/sys_properties_list.do)
Data type boolean
Recommended value true
Default value false
Category Validation, sanitization, and encoding
Security risk
  • Severity score: 9
  • CVSS score: Critical
  • Security risk details: If the property is set to false, then malicious Jelly expressions are allowed.
Dependencies and prerequisites None