Completed
Last Updated: 13 Dec 2018 16:58 by ADMIN
Lars
Created on: 23 Nov 2018 14:54
Category: ScriptManager
Type: Feature Request
1
Remove version numbers from embedded scripts and generated links
During penetration tests that we have to have carried out, we always run into problems with version disclosures originating from the embedded scripts and the Telerik.Web.UI.
To keep updates of the Telerik components easy and to stay out of version incompatibilities, we would like to keep using the embedded scripts.
At the moment this is even more unfortunate because the jQuery version 1.12.4, which is still, or again, in use, is known to be vulnerable to Cross-site Scripting (XSS) attacks.

Our request would now be to at least remove the version comments from the embedded script files and the exact version of the Telerik.Web.UI in the links created to the Webresource.axd.



1 comment
ADMIN
Marin Bratanov
Posted on: 13 Dec 2018 16:58
Hi Stefan,
The jQuery version cannot be upgraded further as 1.12.4 is the latest that is in the 1.x branch, and the 3.x branch breaks the MS AJAX framework.
What we did for the upcoming R1 2019 is that we backported the fix that jQuery made into the jQuery we bring (it seems that they had silently removed it in 1.12.3). So, once R1 2019 is out you would have that XSS fix, even though static scans may keep flagging the version - you can then ignore them.
On removing the Telerik version from the rendering - in the latest version, it is removed if the Telerik WebResource URL is encrypted: https://docs.telerik.com/devtools/aspnet-ajax/controls/scriptmanager/encrypt-telerik-webresource-querystring
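
Added example, not part of the original thread and not Telerik code: a check you can run against the rendered HTML of your own pages, and against the text of a served script, to confirm whether an assembly version or a jQuery version banner is still disclosed after the WebResource URL is encrypted. The sample markup, the `1.2.3.4` version, the query-string layout and the opaque `d=` value are constructed for illustration; the banner pattern assumes the embedded copy keeps the comment format of upstream jQuery builds.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# .NET assembly display name, e.g. "Telerik.Web.UI, Version=1.2.3.4"
ASSEMBLY_VERSION = re.compile(r"([A-Za-z][\w.]*),\s*Version=(\d+(?:\.\d+){1,3})")
# Banner comment of upstream jQuery builds (minified and unminified form)
JQUERY_BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+\.\d+\.\d+)")


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def versions_in_script_urls(html):
    """Return sorted (assembly, version) pairs readable in script URLs."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    found = set()
    for src in parser.srcs:
        # The assembly name is URL-encoded inside the query string
        found.update(ASSEMBLY_VERSION.findall(unquote_plus(src)))
    return sorted(found)


def versions_in_script_text(js):
    """Return jQuery versions named in banner comments of a script body."""
    return sorted(set(JQUERY_BANNER.findall(js)))


# Constructed sample: unencrypted combined-script link (assumed layout)
SAMPLE_PLAIN = ('<script src="/Telerik.Web.UI.WebResource.axd?compress=1&amp;'
                '_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d1.2.3.4'
                '%2c+Culture%3dneutral%3aen-US"></script>')
# Constructed sample: same link with an opaque, encrypted query string
SAMPLE_ENCRYPTED = ('<script src="/Telerik.Web.UI.WebResource.axd?'
                    'd=CONSTRUCTED-OPAQUE-VALUE"></script>')

if __name__ == "__main__":
    print(versions_in_script_urls(SAMPLE_PLAIN))
    print(versions_in_script_urls(SAMPLE_ENCRYPTED))
```

An empty result for the page URLs only shows that the link no longer carries the version; the script body still has to be checked separately with `versions_in_script_text`.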