Enable Jelly JS interpolation protection for nested expressions [Updated in Security Center 2.0]

Australia Platform security

Release

australia

ft:locale

fr-FR

ft:publication_title

Australia Platform security

ft:clusterId

psec

bundleId

psec

workflow

Platform

Enable Jelly JS interpolation protection for nested expressions [Updated in Security Center 2.0]

Rversion finale: Australia

Mis à jour 12 mars 2026

1 minute de lecture

Manage the interpolation protection on your instance.

Use the glide.ui.jelly.js_interpolation.protect_nested_expressionsproperty to manage interpolation protection. Interpolation protection ensures that when Jelly expressions are used in JavaScript, that they must be deemed as safe by either falling under certain categories or being marked as SAFE in the expression itself. Without this mitigation enabled, a bad actor can send a GET parameter to a Jelly page and cause the contents of that parameter to be evaluated as server-side JavaScript with admin privileges. If this property is not set to the recommended value of true, malicious Jelly expressions interpolated in JavaScript are allowed and a user can execute code using a Jelly template.

Avertissement :

This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information


Attribute	Description
Configuration name	glide.ui.jelly.js_interpolation.protect_nested_expressions
Configuration type	System Properties (/sys_properties_list.do)
Data type	Boolean
Recommended value	true
Default value	true
Category	Validation, sanitization, and encoding
Security risk	Severity score: 9 CVSS score: Critical Security risk details: If the property is set to false, then malicious Jelly expressions are allowed.
Dependencies and prerequisites	None