Enable Jelly JS Interpolation Protection
- Updated Jul 31, 2025
- Zurich
- Platform Security
Use the glide.ui.jelly.js_interpolation.protect property to ensure that any JavaScript about to be executed on a Jelly page is protected from injection through Jelly interpolation. When the property is enabled, the platform handles Jelly expressions that are interpolated into JavaScript in one of two ways:
- Escapes their results to be safe, or
- If their safety can't be guaranteed, generates a SecurityException because the expression that was going to be evaluated represents a possible security issue.
Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.
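The escape-or-reject behavior described above can be modeled as follows. This is an added example, not ServiceNow code: it assumes that "safe" means the expression sits inside a quoted JavaScript string literal, and the names `interpolateProtected`, `openQuote`, and `escapeJsString` are hypothetical.

```javascript
// Simplified model of context-aware interpolation protection (assumption:
// not ServiceNow's implementation). ${name} placeholders are filled from `vars`.
class SecurityException extends Error {}

// Escape a value so it cannot terminate a JS string literal or a <script> block.
function escapeJsString(value) {
  return String(value).replace(/[\\'"`<>&\u2028\u2029\r\n]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Best-guess check: does `prefix` end inside an open single- or double-quoted
// string literal? Only backslash escapes are understood, so it can misjudge.
function openQuote(prefix) {
  let quote = null;
  for (let i = 0; i < prefix.length; i++) {
    const ch = prefix[i];
    if (quote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // literal closed
      else if (ch === "\n") quote = null;   // unterminated literal ends at newline
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    }
  }
  return quote;
}

// Fill each placeholder: escape it when quoted, reject it when unquoted.
function interpolateProtected(script, vars) {
  let out = "";
  let last = 0;
  for (const m of script.matchAll(/\$\{(\w+)\}/g)) {
    out += script.slice(last, m.index);
    if (!openQuote(out)) {
      throw new SecurityException(`unquoted expression \${${m[1]}} in JavaScript`);
    }
    out += escapeJsString(vars[m[1]] ?? "");
    last = m.index + m[0].length;
  }
  return out + script.slice(last);
}

// Constructed sample input: a value that tries to break out of a string literal.
const hostile = 'x";alert(1)//';
console.log(interpolateProtected('var name = "${user}";', { user: hostile }));
try { interpolateProtected("var max = ${limit};", { limit: 10 }); }
catch (e) { console.log(e.constructor.name + ": " + e.message); }
```

The second call is rejected even though the value is a harmless number, which is the kind of legitimate expression the functional impact entry in the table below says may need to be marked safe manually.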
More information
| Attribute | Description |
|---|---|
| Property name | glide.ui.jelly.js_interpolation.protect |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | To mitigate malicious code execution attacks that can occur through Jelly injection. |
| Recommended value | true |
| Default value | false |
| Security risk rating | 9 |
| Functional impact | This property makes a best guess at whether an expression is quoted. It may wrongly quote a legitimate expression. In that case, manually marking the expression as safe may be necessary. |
| Security risk | (Moderate) JEXL injection is a form of input injection unique to the ServiceNow AI Platform that can lead to both cross-site request forgery and code execution. Completely turning off the protection may potentially open many P1 security vulnerabilities. |
| Workaround | To manually mark an expression as safe, add the SAFE prefix to the Jelly expression. Blindly adding SAFE to each expression is the wrong way to approach the problem, because it may open a security vulnerability. |
| References | Jelly tags |
To learn more about adding or creating a system property, see Add a system property.