Enable Jelly JS interpolation protection for nested expressions

  • Release version: Australia
  • Updated March 12, 2026
  • Manage the interpolation protection on your instance.

    Use the glide.ui.jelly.js_interpolation.protect_nested_expressions system property to turn interpolation protection for nested Jelly expressions on or off. Interpolation protection requires that a Jelly expression used in JavaScript be deemed safe, either by falling under certain categories or by being marked as SAFE in the expression itself. This property was added to protect against potentially dangerous Jelly expressions that are nested inside another Jelly expression.

    Ensure that the glide.ui.jelly.js_interpolation.protect_nested_expressions system property exists and is set to the value true. If the property does not appear in the System Properties [sys_properties] table, add a new record.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute: Description
    Configuration name: glide.ui.jelly.js_interpolation.protect_nested_expressions
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Boolean
    Recommended value: true
    Default value: true
    Fallback value: false
    Category: Validation, sanitization, and encoding
    Security risk:
    • Severity score: 9
    • CVSS score: Critical
    • Security risk details: An unprotected interpolated Jelly expression may allow a malicious actor to send a crafted GET parameter to a Jelly page and cause the contents of that parameter to be evaluated as server-side JavaScript with admin privileges.
    Functional impact: None
    Dependencies and prerequisites: None
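
    An added example, not part of the original documentation: one way to audit the check described above from outside the instance, by reading the property record through the standard Table API and classifying the response. The instance URL, the sample responses, and the handling of duplicate records are assumptions constructed for illustration; the query also assumes an account that is allowed to read sys_properties.

```python
import json
import urllib.parse

PROP = "glide.ui.jelly.js_interpolation.protect_nested_expressions"

def table_api_url(instance_url):
    """Build the Table API query that returns the property record, if any."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"name={PROP}",
        "sysparm_fields": "name,value,type",
    })
    return f"{instance_url.rstrip('/')}/api/now/table/sys_properties?{query}"

def audit(response_body):
    """Classify a Table API JSON response body. Returns (compliant, reason)."""
    result = json.loads(response_body).get("result", [])
    rows = [r for r in result if r.get("name") == PROP]
    if not rows:
        # The page lists the fallback value as false, so a missing record
        # is reported as unprotected and needs a new record set to true.
        return False, "property record missing; fallback value false applies"
    values = {str(r.get("value", "")).strip().lower() for r in rows}
    if values == {"true"}:
        return True, "nested-expression protection enabled"
    if len(values) > 1:
        # Defensive case (assumption): more than one record with this name.
        return False, "duplicate records with conflicting values"
    return False, f"property set to {sorted(values)[0]!r}, expected 'true'"

# Constructed sample responses in the Table API's {"result": [...]} shape.
SAMPLE_OK = json.dumps({"result": [{"name": PROP, "value": "true", "type": "boolean"}]})
SAMPLE_OFF = json.dumps({"result": [{"name": PROP, "value": "false", "type": "boolean"}]})
SAMPLE_MISSING = json.dumps({"result": []})
SAMPLE_CONFLICT = json.dumps({"result": [
    {"name": PROP, "value": "true", "type": "boolean"},
    {"name": PROP, "value": "false", "type": "boolean"},
]})

if __name__ == "__main__":
    # Hypothetical instance URL; fetch this URL with your own HTTP client.
    print(table_api_url("https://example.service-now.com"))
    for label, body in [("ok", SAMPLE_OK), ("off", SAMPLE_OFF),
                        ("missing", SAMPLE_MISSING), ("conflict", SAMPLE_CONFLICT)]:
        print(label, audit(body))
```

    Because this is a safe harbor property, run the audit before changing the value on a production instance rather than after.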