This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Escape Jelly.
The `glide.ui.escape_all_script` property, when set to true, forces all scripts injected in Jelly to be escaped by default. It escapes all JS and HTML strings included within `<j:jelly> … </j:jelly>` before they are written to the output stream, which prevents a number of XSS issues.
| Escape Jelly | |
|---|---|
| Property Name | `glide.ui.escape_all_script` |
| Configuration Type | System Properties (`/sys_properties_list.do`) |
| Purpose | If the property is not set to true, then to prevent XSS developers have to go through an exercise for each custom Jelly script: locate the Jelly variables that are sent to the output stream to render on the web page, and escape each of them with one of the following tags: `${JS:expression}`, `${HTML:expression}`, or `${JS,HTML:expression}`. |
| Requirement | Mandatory |
| Recommended Value | True |
| Default Behavior | Set to true |
| Revertible Behavior | N/A |
| Role Required | `security_admin` |
| Release Version | 2011 October |
| Functional Impact | (Medium) This remediation enforces Jelly escaping at the parser level, so encoded results are rendered back to the user. This can affect functionality depending on how instance users interact with the resulting data. |
| Security Risk | (High) Input validation has to occur on all user input entered into the application. By doing so, injection attacks against the platform can be defended against. |
| Workaround | The UI may be affected, as some scripts and HTML tags designed to be rendered on a web page may appear broken: this remediation sends the output-encoded page to the browser to render. For example, instead of rendering "my string here" underlined, the page might display the literal text `<u>my string here</u>`, because the `<u>` tag was properly escaped. In that case, add the `NOESC` prefix to the Jelly expression to prevent JS escaping. For example: before `($[jvar_context_menus]);`, after `($[NOESC:jvar_context_menus]);`; before `$[jvar_ui_policy_scripts]`, after `$[NOESC:jvar_ui_policy_scripts]`. |
| References | How_to_Escape_in_Jelly |
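To make the Purpose and Workaround rows concrete, the following added example (not ServiceNow code) simulates how a Jelly expression is escaped depending on its prefix (`JS:`, `HTML:`, `JS,HTML:`, `NOESC:`) and on whether `glide.ui.escape_all_script` is on. The exact escaping rules of the real Jelly parser are not on this page, so the `js_escape` and `html_escape` functions, the "both filters by default" rule and the `jvar_*` sample values are assumptions constructed for illustration.

```python
import html
import json
import re

# Constructed Jelly variables; jvar_label mirrors the <u> case in the Workaround row.
SAMPLE_VARS = {
    "jvar_label": "<u>my string here</u>",
    "jvar_user_input": 'Bob\'s "team" </div>',
    "jvar_context_menus": 'addMenu("Open record")',
}

# Matches ${expr}, $[expr] and the prefixed forms ${JS:expr}, ${HTML:expr},
# ${JS,HTML:expr}, $[NOESC:expr]. Phase 1 (${}) and phase 2 ($[]) are treated
# alike; only the escaping decision is modelled.
EXPR_RE = re.compile(
    r"\$[\{\[]\s*(?:(?P<prefix>[A-Z,]+):)?\s*(?P<name>[A-Za-z_][\w.]*)\s*[\}\]]"
)
# Assumption: with the property on, an unprefixed expression gets both filters.
DEFAULT_FILTERS = ("JS", "HTML")

def js_escape(value: str) -> str:
    """Assumed JS string-literal rule: quotes, backslashes and newlines become
    escape sequences, and </ is split so the value cannot close a <script>."""
    return json.dumps(value)[1:-1].replace("</", "<\\/")

def html_escape(value: str) -> str:
    """Assumed HTML rule: & < > " ' become entities (text or attribute context)."""
    return html.escape(value, quote=True)

FILTERS = {"JS": js_escape, "HTML": html_escape}

def render(template: str, variables: dict, escape_all_script: bool) -> str:
    """Substitute Jelly expressions, escaping as the prefix dictates or, when
    there is no prefix, as glide.ui.escape_all_script dictates."""
    def substitute(match):
        prefix, name = match.group("prefix"), match.group("name")
        value = str(variables[name])
        if prefix == "NOESC":          # developer opted out explicitly
            filters = ()
        elif prefix is None:           # no prefix: the property decides
            filters = DEFAULT_FILTERS if escape_all_script else ()
        else:                          # explicit JS, HTML or JS,HTML
            filters = tuple(prefix.split(","))
        for filter_name in filters:
            value = FILTERS[filter_name](value)
        return value
    return EXPR_RE.sub(substitute, template)
```

Running `render("$[jvar_context_menus]", SAMPLE_VARS, True)` shows why a script meant to execute breaks once the property is on, while the `NOESC:` form passes it through unchanged, and `render("${jvar_label}", SAMPLE_VARS, False)` shows the unescaped output the property is there to prevent.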