Escape jelly script [Updated in Security Center 1.3 and 1.5]

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 4 minutes
  • Use the glide.ui.escape_all_script property to force escape of all scripts injected into Jelly.

    This property escapes all the JS and HTML strings included in <j:jelly> ... </j:jelly> before they are written to the output stream, preventing several XSS issues. If glide.ui.escape_all_script is not set to the recommended value of true, escaping of scripts injected into Jelly is disabled. Without this mitigation, the platform is wide open to a variety of script injection attacks; an attacker could execute arbitrary Rhino scripts on the instance.

    Warning:
    Be careful when using these tags. If user input is displayed here it can open a security vulnerability.

    More information

    Property name: glide.ui.escape_all_script
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Category: Validation, sanitization, and encoding
    Purpose

    If the property is not set to true, developers have to perform several steps on each custom Jelly script to prevent XSS issues: locate the Jelly variables being sent to the output stream for rendering on web pages, and escape each of them with one of the following tags:

    ${JS:expression}

    ${HTML:expression}

    OR

    ${JS,HTML:expression}

    Recommended value: true
    Default value: true
    Security risk rating: 7.3
    Functional impact: This remediation enforces Jelly escaping at the parser level. It can affect how users interact with the resulting data.
    Security risk (High): Input validation has to occur on all user input entered into the application. Doing so defends the platform against injection attacks.
    Workaround

    The UI may be affected because some of the scripts and HTML tags designed for rendering on a web page may appear broken. This remediation sends the output-encoded page to the browser to render.

    For example, instead of 'my string here', it might display '<u>my string here</u>' because the <u> tag was escaped. In this case, to prevent escaping, add the NOESC prefix to the Jelly expression to prevent JS escaping. For example:
    • Before: ($[jvar_context_menus]);
    • After: ($[NOESC:jvar_context_menus]);
    • Before: $[jvar_ui_policy_scripts]
    • After: $[NOESC:jvar_ui_policy_scripts]
    Warning:
    Be careful when using these tags. If user input is displayed here it can open a security vulnerability.
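    As an added example (not part of the original documentation or the platform's own code), the following Python models the output modes named above (JS, HTML, JS,HTML and NOESC), the effect of turning glide.ui.escape_all_script off, and a small audit helper that lists every NOESC expression in a template so each can be checked against user-controlled data. The escaping rules are a simplification assumed for illustration; the real Jelly parser's rules are not given on this page.

```python
import html
import re

# Constructed model of the output modes this page describes. It is an added
# illustration, not the platform's Jelly parser; the exact escaping rules of
# the real parser are assumed here.

def escape_html(value: str) -> str:
    """HTML-escape so markup in the value renders as literal text."""
    return html.escape(value, quote=True)

def escape_js(value: str) -> str:
    """Escape for embedding inside a JavaScript string literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "/": "\\/"}   # "\\/" keeps "</script>" inert
    return "".join(table.get(ch, ch) for ch in value)

MODES = {
    "JS": escape_js,
    "HTML": escape_html,
    "JS,HTML": lambda v: escape_js(escape_html(v)),
    "NOESC": lambda v: v,
}

# Matches ${prefix:name} and $[prefix:name]; the prefix is optional.
EXPR = re.compile(r"\$[\[{](?:(JS,HTML|JS|HTML|NOESC):)?([^\]}]+)[\]}]")

def render(template: str, variables: dict, escape_all_script: bool = True) -> str:
    """Expand Jelly expressions. An unprefixed expression is HTML-escaped when
    escape_all_script is on (the glide.ui.escape_all_script behaviour modelled
    here) and written through untouched when it is off."""
    def substitute(match):
        prefix, name = match.group(1), match.group(2)
        value = str(variables.get(name, ""))
        if prefix is None:
            prefix = "HTML" if escape_all_script else "NOESC"
        return MODES[prefix](value)
    return EXPR.sub(substitute, template)

def unescaped_expressions(template: str) -> list:
    """Audit helper: names of expressions that reach the output unescaped.
    Each one needs a check that its value cannot carry user input."""
    return [m.group(2) for m in EXPR.finditer(template) if m.group(1) == "NOESC"]

if __name__ == "__main__":
    # Constructed sample using the page's own "<u>my string here</u>" case.
    page = "<span>$[jvar_label]</span><script>var s = '${JS:jvar_name}';</script>"
    print(render(page, {"jvar_label": "<u>my string here</u>", "jvar_name": "O'Brien"}))
    print(unescaped_expressions("$[NOESC:jvar_context_menus] $[jvar_ui_policy_scripts]"))
```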
    References

    High Security Settings

    Jelly tags

    To learn more about adding or creating a system property, see Add a system property.