What is Jelly?
Jelly is a scripting language used by ServiceNow, which combines Java and XML elements. It has roots in the Apache Foundation.
In the context of ServiceNow, Jelly scripting processes XML-based documents containing a mix of static and dynamic HTML content using special Jelly tags. The output generated by Jelly scripting is typically HTML.
Why is this an issue?
The glide.ui.escape_all_script system property plays a crucial role in enforcing the escape of all scripts injected into Jelly. When its value is set to false, it opens the door to potential problems within <j:jelly> ... </j:jelly> tags.
One prominent issue that arises is Cross-Site Scripting (XSS), a security vulnerability that empowers attackers to compromise user interactions within a vulnerable application.
This is particularly crucial in ServiceNow, especially when managing clients across multiple companies, as the risk of unauthorized access and potential information leakage is a concern.
How do I fix it?
To fix this issue, it is necessary to set the glide.ui.escape_all_script property to true. To do so, follow these steps:
In the Filter Navigator, type and enter sys_properties.list.
Search for
glide.ui.escape_all_script.Set Value column to true.
Mind that the User Interface (UI) could be impacted as scripts and HTML tags intended for web page rendering might display inaccurately. To prevent JavaScript escaping in Jelly expressions, it is recommended to add the NOESC prefix. For instance:
Before:
$[jvar_ui_policy_scripts]After:
$[NOESC:jvar_ui_policy_scripts]