I have a question about the jQuery version that is bundled with Kendo UI. According to what I've read, there were several vulnerabilities in jQuery that were patched in later jQuery releases (CVE-2020-11022, CVE-2020-11023, CVE-2015-9251, CVE-2019-11358). Do these vulnerabilities exist in the jquery.min.js file that is included with the product download?
I saw a post here that said it was fixed for the ASP.NET AJAX version: https://www.telerik.com/forums/bundled-jquery-library-version-1-12-4-is-vulnerable
Did the MVC version also get this fix or was that just for ASP.NET AJAX?
I'm not sure if I should have posted this here or in the Kendo UI for jQuery forum because we use the MVC helper and the jQuery syntax for creating widgets.

Hi all,
Due to my age (hmm, it sounded like a good excuse at least) I've been clawing myself to the WebForms paradigm for far too long and have decided to take the leap to ASP.NET MVC (Core and Blazor would be fun, but unfortunately many of the hosting services I have to work with don't support it yet).
One question that struck me, though, is regarding security and authentication.
How does one make sure that the calls, for instance the .Read, .Update or .Destroy on the Kendo UI Grid, are only accessible if a user is logged on?

I am currently implementing Kendo UI for ASP.NET MVC.
My application has detected a vulnerability with the latest version of jQuery, so there is no version to move to to resolve this vulnerability.
As Kendo comes with jQuery in the package, is there ongoing work with the jQuery community to fix this issue?

During security testing of the application with the OWASP ZAP tool, a medium-risk issue, 'Absence of Anti-csrf Token', is popping up in kendo.all.min.js.
I even tried upgrading kendo.all.min.js from the 2021 version to the latest 2022 version.
Are there any ways to resolve it?

A security scan caught security vulnerabilities in several JavaScript files included with ASP.NET MVC version 2021.3.1109:
[1] kendo 2021.3.1109 kendo.dataviz.map.min.js
"The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with location, at line 26"
[2] kendo 2021.3.1109 kendo.data.min.js
"The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26"
[3] kendo 2021.3.1109 kendo.aspnetmvc.min.js
"The application's !function embeds untrusted data in the generated output with href, at line 25"
[4] kendo 2021.3.1109 kendo.mobile.min.js
"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35"
Can I safely exclude these files from my project?
Thanks.

Hello,
We are using the Content-Security-Policy in our ASP.NET MVC application and also using the Kendo UI controls.
Here are the details of the Content-Security-Policy:
<customHeaders>
<add name="Content-Security-Policy" value="default-src https:;
object-src 'none';
script-src 'self' 'unsafe-eval' 'nonce-03148CFC65E74341814490514E0CEDD8';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
img-src 'self' data:;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.zoomcharts-cloud.com;
form-action 'self';"></add>
</customHeaders>
Note:
Please help us out.
Thanks & Regards
Raju Chauhan