ADA Compliance Issue - ComboBox, DropDownList, DatePicker, DateTimePicker and TimePicker Buttons must have discernible text
The problem is described in this code library
The repro markup can be found below
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head runat="server"> <title></title> <!-- Bootstrap CSS --> <link rel="stylesheet"href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm"crossorigin="anonymous"> <!-- Optional JavaScript --> <!-- jQuery first, then Popper.js, then Bootstrap JS --> <script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> <scriptsrc="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js"integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js"integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"crossorigin="anonymous"></script></head><body> <form id="form1" runat="server"> <asp:ScriptManager runat="server" /> <telerik:RadAsyncUpload ID="RadAsyncUpload1" runat="server" Skin="Bootstrap"RenderMode="Lightweight"></telerik:RadAsyncUpload> </form></body></html>
Progress Telerik seems to be more focused on pursuing technology we’re not using, and There haven’t been major upgrades to the Windows Forms and ASP.NET controls that we use in our legacy apps.
The tools are great and we use them extensively, even in newer upgrades to our legacy apps.
But we haven’t seen a whole lot of improvements where we’d like to see them, so it’s not worth the maintenance cost.
On the Windows Forms side, we spend a lot of time navigating through the multi-layer structures of the tools, a set-wide consistent change that was implemented over 5 years ago. It’s good for consistency, but makes certain properties and events unintuitive. (E.g., “Why won’t this drop down list work handle the ENTER key being pressed?” “Well, that’s actually the enter event in the embedded control.”)
Our biggest usage on Windows Forms tools are RadButton, RadPageView, RadToggleButton, RadTextBox, and RadSpinEditor – and THAT’S IT.
And they are fairly stable and unchanged in the Progress Telerik line.
On the ASP.NET/AJAX side, it’s frustrating not to have things like cascading drop boxes without getting into a whole lot of Javascript and AJAX coding… which sort of defeats the point of buying a product that proposes to do all that for you. That’s been the only thing we hoped to see updated, some kind of way to preload multiple combos and have it auto-filter based on linked selections, and it never happened.
Our biggest usage on ASP.NET/AJAX tools are RadComboBox, RadDatePicker, RadEditor and RadSpell – and THAT’S IT.
These are also fairly stable and have been mostly unchanged in the Progress Telerik line.
Progress Telerik is rightfully focused on more emerging technologies – we don’t fault the company for that – but most of our work is legacy software we built 10-20 years ago and still maintain, or new clients wanting similar products (so it makes financial sense to use the legacy platform as a basis). If we had an unlimited budget and R&D time, we’d LOVE to explore all the newer technologies and platforms… but it’s just not compatible with our business model (which serves small and mid-range companies with VERY tight budgets).
That makes it hard to justify the thousand or multi-hundred dollar maintenance fee to get periodic patches, when the existing versions are stable and working just fine for us.
If seems like Progress Telerik almost treats these tools as legacy products, and that it’s really not focused on them as much. (Again, we understand, that makes sense.)
Greetings!
Description:
I have found a Cross-Site Scripting issue in the rich text editor, RadEditor. This is not in a body where user provides certain strings, rather it's in the text properties which gets sent along with the user input, such as font-style. The developers were able to follow the filtering mechanisms given in at https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss), but it provides protection for the inputs given in <textarea>, and for the properties values. Hence XSS is still possible
Steps for Reproduction:
1. Open up the text editor {{Screenshot 2020-09-23 at 12.08.51 PM.png}}
2. Input a string and change its font style.
3. Click on submit and intercept the request. {{Screenshot 2020-09-23 at 12.14.45 PM.png}}
4. Now we need to modify the request body for parameter of texteditor's ID. You may notice that the font-style is set and sent by using a <span>.
RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e
Change parameter 'RadEditor1's value with the following:
RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e
5. Submit and notice the 200 OK response. Now go to the text editor and notice that the string texttexttext can be seen. {{Screenshot 2020-09-23 at 12.24.18 PM.png}}
6. Put a mouse cursor on the string and notice that it gets changed to ioioioioioioioioo<domainCookies>.
##################
Please let me know if given information doesn't suffice the abilities for reproduction.
Thanks,
Dhiraj
Currently, the asp:Label and telerik:RadLabel are rendering the AssociatedControlID of the ComboBox as for="RadComboBox1" while it should be for="RadComboBox1_Input"
FROM ADMIN:
1) Use Sys.Application.Load event to fix all labels associated with RadComboBoxes:<script type="text/javascript">
function fixLabelFor() {
$telerik.$("label[for]").each(function () {
var lbl = $telerik.$(this)
if ($telerik.$("#" + lbl.attr("for")).hasClass("RadComboBox")) {
lbl.attr("for", lbl.attr("for") + "_Input");
}
})
// Sys.Application.remove_load(fixLabelFor);
}
Sys.Application.add_load(fixLabelFor);
</script>2) Use OnClientLoad of the ComboBox you want to apply the fix to:
<script>
function OnClientLoad(sender, args) {
var ariasettings = JSON.parse(sender._ariaSettings)
if (ariasettings && ariasettings["aria-describedby"]) {
var lbl = $get(ariasettings["aria-describedby"]);
lbl.setAttribute("for", lbl.getAttribute("for") + "_Input")
}
}
</script>
Hello,
I have noticed the changes in your website, demos and documentation, but not all seems to work well on IE 11.
In the new interface of
the left menu dissapear after more clicks (IE11)
However, in ASP.net AJAX demos, the new interface is not looking good on IE 11
For example, https://demos.telerik.com/aspnet-ajax/orgchart/examples/expandcollapse/defaultcs.aspx
The old interface was looking great, I had no problems at all, any control
I hope I will not have the same problems in my ASP.net application...
Editor is not maintaining the Format of text, specifically the bullet numbers, when copied from MS word.
You can use the attached content to reproduce the problem in the Overview demo of the control.
Hi Team,
I received this from Khurram,
One small suggestion is for your ASP.net AJAX library to include two themes outside the box i.e. Windows 10 Dark and Windows 10 Light theme.
We recently went to address a vulnerability finding in our application whereby a user could exploit a vulnerability in the Telerik.Web.UI version 2015.3.1111.45. Unfortunately after applying the patched version of this assembly, when running the exploit by calling [site root]/Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp={xxxxxxx}. The page returns a response of:
Error Message:The hash is not valid!
Our security team feels this error message is revealing, and would prefer to have a generic error message. We have a custom static generic html error message page for our site to catch all unhandled exceptions. Unfortunately, this error from Telerik.Web.UI does not fall through to the application level and there is apparently no way to override this error message. Please provide some kind of API or means to change the contents of this error message.
An error will occur when the Index equals the number of items in the collection
private static ClientOperation<T> Remove(ControlItemCollection items, int index)
{
if (index < 0 || index > items.Count) // should be >= instead
return null;
var item = items[index];
items.RemoveAt(index);
var operation = new ClientOperation<T> {Item = (T) item, Type = ClientOperationType.Remove};
return operation;
}
.jpg){kind=avatar}
Hi ,
Why is your combobox does not support BOTH multiple select AND LoadOnDemand ?
It would be so convenient to have .
I see a lot of questions like that, but all the answers explain why its not supported.
I tried all other recommendations ( like using RadAutoCompleteBox or searchbox ) , but it's not displaying any items in the drop down list ,so the user has to know what he is looking for, withuy having ability to select it from the list.
PLEase let me know if you have ANY Telerik control which allows both features .
If you do not have , I would like to submit a feature request for that .
I really do not care what control it will be .
All i need is to be able to select from the list ( with option to select all ) , OR to start typing , and then it will prompt for a matches .
Thanks ,
Orit.
Error message:
at $IE.Print.dispose (<anonymous>:90:18)
Workaround:
Enable the external dialogs of the Editor/ImageEditor and modify dispose() function of the Print.ascx dialog:
Print.ascx
dispose: function ()
{
this._attachHandlers(false);
this._printBtn.dispose();
this._cancelBtn.dispose();
$IE.Print.callBaseMethod(this, "dispose");
},
Hi
Our O365 users see 'Excel on the screen' so it should behave the same, its Excel in a the browser - which means the Ajax controls are competing with this.
Which means our code is crap because there is a difference in investment between us and Microsoft, we are also burdened with the feature that uses are lazy and dont want to think for themselves, the computer is meant to do thier job for them (so why employ them).
We also use MS Teams here that allows Excel documents to be used in the Browser, Teams joins sharepoint and skype.
It would be nice to you to look how your controls might integrate with Office 365 tooling, there is enormous traction in the market with MS Teams and O365 so I imagine the AJAX document sources would need O365/azure examples soon.
It matters that you have a skin that allows users to perceive that this app is just like O365, and the same assumptions can be made about the UX, this lifts a lot of the burden for the developers in training, when the affordance of O365 App and Telerik Apps are the same.
I would appreciate a set of demo examples that connect in to Azure/O365 and equally Dynamics365 (BizTalk) because of the traction in the O365 space, the amount of process automation in businesses across the UK and Europe. So many of the Telerik controls looks like desktop controls, many are better it would be useful to show just how easy it is connect into O365, maybe create a Graph Query connector or a sample O365 connector that covers the CRUD operations for office docs.
Thanks in advance
We are evaluating whether to use Telerik to redesign a legacy web app written using an old version of Telerik.
After downloading Trial version on fresh install of windows, I can't add ajax control to form. `I am using visual studio 2019, this is the first version of Telerik installed on this computer. I just get the "Error Creating Control RadScriptManager1. They do show up in the toolbox so this surprises me.
Very latest version.
7/28/2019
Could it be a license issue?
The current colors, #0082CC and #FFFFFF that are used for forecolor and backcolor, have 4.14:1 color contrast ratio: https://webaim.org/resources/contrastchecker/?fcolor=FFFFFF&bcolor=0082CC
The minimum required color contrast ratio is 4.5:1 for AA Compliance, and 7:1 for AAA Compliance.
A possible alternative color for the #0082CC blue can be #007CC.