Enable Jelly JS interpolation protection for nested expressions [Updated in Security Center 2.0]

  • Release version: Zurich
  • Updated July 31, 2025
  • Manage the interpolation protection on your instance.

    Use the glide.ui.jelly.js_interpolation.protect_nested_expressions property to manage interpolation protection. Interpolation protection ensures that Jelly expressions used in JavaScript must be deemed safe, either by falling under certain categories or by being marked as SAFE in the expression itself. Without this mitigation enabled, a bad actor can send a GET parameter to a Jelly page and cause the contents of that parameter to be evaluated as server-side JavaScript with admin privileges. If this property is not set to the recommended value of true, malicious Jelly expressions interpolated in JavaScript are allowed and a user can execute code using a Jelly template.

    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute                       Description
    Configuration name              glide.ui.jelly.js_interpolation.protect_nested_expressions
    Configuration type              System Properties (/sys_properties_list.do)
    Data type                       Boolean
    Recommended value               true
    Default value                   false
    Category                        Validation, sanitization, and encoding
    Security risk                   • Severity score: 9
                                    • CVSS score: Critical
                                    • Security risk details: If the property is set to false, then malicious Jelly expressions are allowed.
    Dependencies and prerequisites  None
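
One way to audit this setting from outside the instance, as an added example that is not ServiceNow's own code: it builds a read-only Table API query for the property and evaluates the JSON response against the recommended and default values listed above. The instance URL, the sample responses, and the treatment of a missing record as the default value are assumptions.

```javascript
// Added example (not ServiceNow code): offline check of a Table API response.
const PROPERTY = 'glide.ui.jelly.js_interpolation.protect_nested_expressions';
const RECOMMENDED = 'true';
const DEFAULT_VALUE = 'false'; // default listed in the attribute table

// Build the read-only Table API query; the instance URL is a placeholder.
function buildQueryUrl(instanceBaseUrl) {
  const url = new URL('/api/now/table/sys_properties', instanceBaseUrl);
  url.searchParams.set('sysparm_query', 'name=' + PROPERTY);
  url.searchParams.set('sysparm_fields', 'name,value');
  return url.toString();
}

// Assess a parsed response body shaped like { result: [{ name, value }] }.
function assessProperty(body) {
  if (!body || !Array.isArray(body.result)) {
    return { status: 'error', effective: null, detail: 'unexpected response shape' };
  }
  const values = body.result
    .filter((row) => row && row.name === PROPERTY)
    .map((row) => String(row.value ?? '').trim().toLowerCase());
  if (values.length === 0) {
    // Assumption: with no record, the default value applies.
    return { status: 'fail', effective: DEFAULT_VALUE, detail: 'property not defined, default applies' };
  }
  if (new Set(values).size > 1) {
    return { status: 'error', effective: null, detail: 'conflicting duplicate records' };
  }
  const effective = values[0];
  if (effective === RECOMMENDED) {
    return { status: 'pass', effective, detail: 'interpolation protection enabled' };
  }
  return { status: 'fail', effective, detail: 'set to true after testing; the change is non-revertible' };
}

// Constructed sample responses (not captured from a real instance).
const samples = {
  hardened: { result: [{ name: PROPERTY, value: 'true' }] },
  exposed: { result: [{ name: PROPERTY, value: 'false' }] },
  missing: { result: [] },
};

for (const [label, body] of Object.entries(samples)) {
  const finding = assessProperty(body);
  console.log(`${label}: ${finding.status} (${finding.detail})`);
}
```

Because the property is safe harbor, a failing result is a prompt to test Jelly pages on a sub-production instance before setting the value to true in production.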