validation rule Unsafe jelly statement
03-11-2025 04:35 AM
I have a UI page where I am using a Jelly statement (the code is below) along with some hidden fields:
<div class="modal-body">
<p style="font-size: 16px;padding: 0px;margin: 0px;">Click Yes to set the following CIs to non-operational.</p>
<j:forEach var="jvar_words" items="${CIs}">
<p> ${jvar_words} </p>
</j:forEach>
<input type="hidden" id="sys_id" value="$[CIsys]" />
<input type="hidden" id="record_sid" value="$[record_sid]" />
<input type="hidden" id="parent_record_sid" value="$[parent_record_sid]" />
<input type="hidden" id="cis" value="$[cisValue]" />
<input type="hidden" id="HCLARtable" value="$[HCLARtable]" />
<input type="hidden" id="sysparm_sysID" value="$[sysparm_sysID]" />
<input type="hidden" id="sysparm_table" value="$[sysparm_table]" />
<input type="hidden" id="sysparm_contact_sysID" value="$[sysparm_contact_sysID]" />
</div>
When I run an app scan to validate my application, I am getting an 'Unsafe jelly statement' error.
Please suggest a solution.
03-11-2025 04:46 AM
It's because one or more UI macros or UI pages contain unsafe Jelly statements that may make them vulnerable to XSS attacks.
Solution: Please ensure "HTML and/or JS escape" for all those jelly statements as appropriate. You can find details here.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Regards,
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
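Added example (not part of the original thread, and not ServiceNow's own scan logic): a small Python check that lists Jelly expressions written to the page without an escape prefix and shows them rewritten with `HTML:`, run on a constructed excerpt of the UI page from the question. It assumes the `HTML:` and `JS:` prefixes are the escape syntax the reply refers to and that expressions inside `j:`/`g:` tag attributes stay raw; the names `find_unescaped` and `html_escape_all` are hypothetical.

```python
import re

# Either a Jelly/Glide tag (its attributes take raw values, e.g. items="${CIs}")
# or a phase-1 ${...} / phase-2 $[...] expression. Tags are matched first so the
# expressions inside them are consumed and never reported.
TOKEN = re.compile(r"<(?:j2?|g2?):[^>]*>|\$\{[^}]*\}|\$\[[^\]]*\]")

# Assumption: an expression counts as escaped when it starts with an HTML: or
# JS: prefix, or a comma-separated combination such as JS,HTML:.
ESCAPED = re.compile(r"\s*(?:HTML|JS)(?:\s*,\s*(?:HTML|JS))*\s*:")

# Constructed sample: lines taken from the question's UI page, plus one
# already-escaped line added to show that it is left alone.
SAMPLE = """<j:forEach var="jvar_words" items="${CIs}">
<p> ${jvar_words} </p>
</j:forEach>
<input type="hidden" id="sys_id" value="$[CIsys]" />
<input type="hidden" id="cis" value="$[HTML:cisValue]" />
"""

def _needs_escape(token):
    """True for an output expression that carries no escape prefix."""
    return not token.startswith("<") and not ESCAPED.match(token[2:-1])

def find_unescaped(source):
    """Return (line_number, expression) for each unescaped output expression.

    Works line by line, so a Jelly tag split across lines is not recognised.
    """
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN.finditer(line):
            if _needs_escape(match.group(0)):
                hits.append((number, match.group(0)))
    return hits

def html_escape_all(source):
    """Rewrite unescaped output expressions with the HTML: prefix.

    Only appropriate for expressions in HTML context, as in the sample.
    """
    def fix(match):
        token = match.group(0)
        if not _needs_escape(token):
            return token
        return token[:2] + "HTML:" + token[2:-1].strip() + token[-1]
    return TOKEN.sub(fix, source)

if __name__ == "__main__":
    for number, expr in find_unescaped(SAMPLE):
        print(f"line {number}: {expr} has no HTML:/JS: escape prefix")
    print(html_escape_all(SAMPLE))
```

Expressions that sit inside a `<script>` block need the `JS:` prefix instead, so review the rewritten source rather than applying it as-is.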