Jelly/JS interpolation (instance security hardening)
Use the glide.ui.jelly.js_interpolation.protect property to ensure that any JavaScript about to be executed on a Jelly page is protected from injection with the help of Jelly interpolation.
- Escapes their results to be safe, or
- If their safety can't be guaranteed, generates a SecurityException because the expression that was going to be evaluated represents a possible security issue.
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.jelly.js_interpolation.protect |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | To mitigate against malicious code execution attacks that can occur using Jelly Injection. |
| Recommended value | True |
| Functional Impact | This property makes a best guess at whether an expression is quoted. It may wrongly quote legitimate expression. In that case manually marking an expression as safe may be necessary. |
| Security risk | (Medium) JEXL injection is a form of input injection unique to the ServiceNow AI Platform that can lead to both cross-site request forgery and code execution. Completely turning off the protection may potentially open many P1 security vulnerabilities. |
| Workaround | To manually mark an expression as safe add SAFE prefix to Jelly expression:
Blindly adding SAFE to each expression is the wrong way to approach the problem,
because it may open a security vulnerability.
|
| References | Jelly tags |
To learn more about adding or creating a system property, see Add a system property.