Enable Jelly JS Interpolation Protection

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Use the glide.ui.jelly.js_interpolation.protect property to ensure that any JavaScript about to be executed on a Jelly page is protected from injection with the help of Jelly interpolation.

    The glide.ui.jelly.js_interpolation.protect system property allows you to turn on or off interpolation protection. Interpolation protection ensures that when Jelly expressions are used in JavaScript, they must be deemed safe by either falling under certain categories OR being marked as SAFE in the expression itself. Without this mitigation enabled, a malicious actor can send a crafted GET parameter to a Jelly page and cause the contents of that parameter to be evaluated as server-side JavaScript with admin privileges.

    Ensure that the property glide.ui.jelly.js_interpolation.protect is set to true.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Configuration name glide.ui.jelly.js_interpolation.protect
    Configuration type System Properties (/sys_properties_list.do)
    Data type Boolean
    Recommended value true
    Default value <none>
    Fallback value false
    Category Validation, sanitization, and encoding
    Security risk
    • Severity score: 9.0
    • CVSS rating: Critical
    • Security risk details: Dangerous jelly expressions interpolated in JavaScript are allowed and user can execute code using jelly template.
    Functional impact None
    Dependencies and prerequisites None