Remove version numbers from embeded scripts and generated links

Progress® Telerik® UI for ASP.NET AJAX Feedback Portal

Create an account Log In

Back to Feed

Request a Feature Report a Bug

Completed

Last Updated: 13 Dec 2018 16:58 by ADMIN

Stefan

Created on: 23 Nov 2018 14:54

Category: ScriptManager

Type: Feature Request

Remove version numbers from embeded scripts and generated links

During penetration tests we have to let carry out we allways run into problems with version disclosures originating from the embedded scripts and the Telerik.Web.UI.
To keep updates of the telerik components easy and to stay out of version incompatibilities we would like to keep using the embedded scripts.
Atm this is even more unlucky because the still, or again, used JQuery version 1.12.4 is known to be vulnerable to Cross-site Scripting (XSS) attacks.

Our request would now be to at least remove the version comments from the embedded script files and the exact version of the Telerik.Web.UI in the links created to the Webresource.axd.

Attached Files:

1 comment

ADMIN

Marin Bratanov

Posted on: 13 Dec 2018 16:58

Hi Stefan,
The jQuery version cannot be upgraded further as 1.12.4 is the latest that is in the 1.x branch, and the 3.x branch breaks the MS AJAX framework.
What we did for the upcoming R1 2019 is that we backported the fix the jQuery did into the jQuery we bring (it seems that they had silently removed it in 1.12.3). So, once R1 2019 is out you would have that XSS fix, even though static scans may keep flagging the version - you can then ignore them.
On removing the Telerik version from the rendering - in the latest version, it is removed if the Telerik WebResource URL is encrypted: https://docs.telerik.com/devtools/aspnet-ajax/controls/scriptmanager/encrypt-telerik-webresource-querystring

Create an account Log In

View

Type

Status