validation rule Unsafe jelly statement

varunagarwal83
Tera Contributor

I have a UI page where I am using a Jelly statement (the code is below) along with some hidden fields:

<div class="modal-body">
  <p style="font-size: 16px;padding: 0px;margin: 0px;">Click Yes to set the following CIs to non-operational.</p>
  <j:forEach var="jvar_words" items="${CIs}">
    <p> ${jvar_words} </p>
  </j:forEach>
  <input type="hidden" id="sys_id" value="$[CIsys]" />
  <input type="hidden" id="record_sid" value="$[record_sid]" />
  <input type="hidden" id="parent_record_sid" value="$[parent_record_sid]" />
  <input type="hidden" id="cis" value="$[cisValue]" />
  <input type="hidden" id="HCLARtable" value="$[HCLARtable]" />
  <input type="hidden" id="sysparm_sysID" value="$[sysparm_sysID]" />
  <input type="hidden" id="sysparm_table" value="$[sysparm_table]" />
  <input type="hidden" id="sysparm_contact_sysID" value="$[sysparm_contact_sysID]" />
</div>
 
When I run an app scan to validate my application, I am getting an 'Unsafe jelly statement' error.

Please suggest a solution.

1 REPLY 1

Ankur Bawiskar
Tera Patron

@varunagarwal83 

It's because one or more UI macros or UI pages contain unsafe Jelly statements that may make them vulnerable to XSS attacks.

Solution: Please ensure "HTML and/or JS escape" for all those jelly statements as appropriate. You can find details here.  

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
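
An added example, not part of the thread and not ServiceNow's scan logic: a rough pre-check that lists Jelly output expressions with no `HTML:` or `JS:` escape prefix, run over an excerpt of the page from the question and over a constructed hardened version. The function name, the `HARDENED` sample and the rule that expressions inside `<j:...>`/`<g:...>` tags are skipped are assumptions made for illustration.

```python
import re

# Phase-1 ${...} and phase-2 $[...] Jelly expressions.
JELLY_EXPR = re.compile(r"\$\{([^}]*)\}|\$\[([^\]]*)\]")
# JS: and HTML: escape prefixes, alone or comma-combined (e.g. ${JS,HTML:x}).
ESCAPED = re.compile(r"^\s*(?:JS|HTML)(?:\s*,\s*(?:JS|HTML))*\s*:")
# Assumption: expressions inside Jelly tags are tag arguments, not page output.
# Tags that span several lines are not handled by this line-based check.
JELLY_TAG = re.compile(r"</?(?:j2?|g2?):[^>]*>")

def unescaped_expressions(page_source):
    """Return (line_no, expression) for each output expression lacking an escape prefix."""
    findings = []
    for line_no, line in enumerate(page_source.splitlines(), start=1):
        visible = JELLY_TAG.sub("", line)  # drop <j:forEach ...> and similar tags
        for m in JELLY_EXPR.finditer(visible):
            body = m.group(1) if m.group(1) is not None else m.group(2)
            if not ESCAPED.match(body):
                findings.append((line_no, m.group(0)))
    return findings

# Excerpt of the UI page from the question.
ORIGINAL = """\
<j:forEach var="jvar_words" items="${CIs}">
  <p> ${jvar_words} </p>
</j:forEach>
<input type="hidden" id="sys_id" value="$[CIsys]" />
<input type="hidden" id="cis" value="$[cisValue]" />
<input type="hidden" id="sysparm_table" value="$[sysparm_table]" />
"""

# Constructed hardened form: every value is written into HTML text or an
# HTML attribute, so each expression gets the HTML: prefix.
HARDENED = """\
<j:forEach var="jvar_words" items="${CIs}">
  <p> ${HTML:jvar_words} </p>
</j:forEach>
<input type="hidden" id="sys_id" value="$[HTML:CIsys]" />
<input type="hidden" id="cis" value="$[HTML:cisValue]" />
<input type="hidden" id="sysparm_table" value="$[HTML:sysparm_table]" />
"""

if __name__ == "__main__":
    for label, source in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label, unescaped_expressions(source))
```

The remaining hidden inputs in the question take the same `HTML:` prefix; a value placed inside a `<script>` string would need `JS:` instead.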