ASP.NET MVC 2021.3.1109 Security

Grid Security
David asked on 03 Jan 2022, 09:00 PM | edited on 06 Jan 2022, 03:47 PM

A security scan caught security vulnerabilities on several JavaScript files included with ASP.NET MVC version 2021.3.1109:

[1] kendo 2021.3.1109 kendo.dataviz.map.min.js

"The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with location, at line 26"

[2] kendo 2021.3.1109 kendo.data.min.js

"The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26"

[3] kendo 2021.3.1109 kendo.aspnetmvc.min.js

"The application's !function embeds untrusted data in the generated output with href, at line 25"

[4] kendo 2021.3.1109 kendo.mobile.min.js

"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35"

Can I safely exclude these files from my project?

Thanks.

1 Answer, 1 is accepted

Georgi
Telerik team
answered on 06 Jan 2022, 03:48 PM | edited on 06 Jan 2022, 03:52 PM

 

Hello David,

Looking at the reports, I believe it is safe to say that they are false positives. Below I will give some explanation for every file:

1. The report says that untrusted data is embedded; actually, the data comes from your configuration:


Even if someone modifies the setting in their browser, the change will not persist, thus it is not possible to harm another user.

2. Similar to the first point, the destroyed data is not untrusted as it is created by the dataSource.

3. The report points to the usage of location.href code logic. This part of the code is used only in one scenario, a grid with server binding, and in this case, we do need to alter the parameters in order to reflect the changes to the UI. The URL is generated depending on the grid's state, thus the data is again safe. Nevertheless, if you are not using server binding, this piece of code will never run.

4. In this scenario the untrusted data is actually a few DOM elements created by us.

Finally, removing these files is not an option for you. Removing the map script means that you will no longer be able to use the Map component. The aspnetmvc script contains a handler that every single component uses; data.js contains the dataSource, so every data-bound component needs it.

I hope this answers your question.

 

Regards,
Georgi
Progress Telerik


David
commented on 25 Jan 2022, 09:06 PM

Here are additional items picked up by the security report that are related to the kendo 2021.3.1109 library. Are these items considered false positives?

Client_Potential_XSS (57 items)
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.bottomnavigation.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.slider.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's Lt.LinearGradient embeds untrusted data in the generated output with append, at line 26 of \kendo\2021.3.1109\kendo.dataviz.core.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's url:t.discover}:t.discover|| embeds untrusted data in the generated output with html, at line 27 of \kendo\2021.3.1109\kendo.pivotgrid.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.list.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with appendTo, at line 25 of \kendo\2021.3.1109\kendo.groupable.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with appendTo, at line 25 of \kendo\2021.3.1109\kendo.groupable.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with appendTo, at line 25 of \kendo\2021.3.1109\kendo.filtercell.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filtercell.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filtermenu.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.recurrence.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's render:Ae embeds untrusted data in the generated output with appendTo, at line 26 of \kendo\2021.3.1109\kendo.core.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with prepend, at line 25 of \kendo\2021.3.1109\kendo.wizard.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.dropdownlist.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filtermenu.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with insertBefore, at line 25 of \kendo\2021.3.1109\kendo.treeview.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with appendChild, at line 25 of \kendo\2021.3.1109\kendo.treeview.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with insertBefore, at line 25 of \kendo\2021.3.1109\kendo.dropdowntree.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dropdowntree.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.timepicker.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.dropdowntree.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's tileTitle:this._tileTitle}},wrapIndex:function embeds untrusted data in the generated output with append, at line 26 of \kendo\2021.3.1109\kendo.dataviz.map.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filtercell.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filemanager.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.filemanager.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with prepend, at line 25 of \kendo\2021.3.1109\kendo.panelbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with prepend, at line 25 of \kendo\2021.3.1109\kendo.panelbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.upload.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26 of \kendo\2021.3.1109\kendo.data.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.popover.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.popover.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.bottomnavigation.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.groupable.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dropdownlist.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.imageeditor.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with replaceWith, at line 25 of \kendo\2021.3.1109\kendo.validator.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.breadcrumb.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.breadcrumb.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with prepend, at line 25 of \kendo\2021.3.1109\kendo.listbox.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's file embeds untrusted data in the generated output with append, at line 26 of \kendo\2021.3.1109\kendo.filemanager.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with replaceWith, at line 25 of \kendo\2021.3.1109\kendo.validator.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.virtuallist.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.wizard.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.treeview.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
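
For triaging a report like the one quoted above, here is an added example (not part of the original thread, and not Telerik or scanner-vendor code) that parses findings in this wording and groups them by file and flagged method. The names `parseFinding`, `triage` and `SINK_CLASS` are hypothetical, the sample lines are copied from this thread, and the classification assumes the flagged names are the jQuery or DOM methods of the same name.

```javascript
// Added example: group scanner findings by file and flagged method so each
// distinct call site is reviewed once. Helper names here are hypothetical.

// Matches the finding wording quoted in this thread. The " of <path>" part is
// optional because the findings in the original question omit it.
const FINDING_RE =
  /The application's (.+?) embeds untrusted data in the generated output with (\w+), at line (\d+)(?: of (\S+\.js))?/;

// Assumption: the names are the jQuery/DOM methods of the same name.
//  may-parse-html: the jQuery method accepts an HTML string, so the review
//                  question is whether a string from outside the page reaches it.
//  node-only:      Node.appendChild takes a Node, never markup.
//  navigation:     URL/navigation property; review how the URL is built.
//  not-a-sink:     jQuery.inArray only searches an array.
const SINK_CLASS = {
  html: "may-parse-html", append: "may-parse-html", appendTo: "may-parse-html",
  prepend: "may-parse-html", insertBefore: "may-parse-html",
  replaceWith: "may-parse-html", wrapAll: "may-parse-html",
  appendChild: "node-only",
  href: "navigation", location: "navigation",
  inArray: "not-a-sink",
};

function parseFinding(line, fallbackFile = null) {
  const m = FINDING_RE.exec(line);
  if (!m) return null; // not a finding line (header, blank, other text)
  const [, element, sink, lineNo, path] = m;
  // Keep only the file name; the report uses Windows-style separators.
  const file = path ? path.split("\\").pop() : (fallbackFile ?? "(file not in finding)");
  return {
    element,
    sink,
    line: Number(lineNo),
    file,
    sinkClass: SINK_CLASS[sink] || "unclassified",
  };
}

function triage(lines) {
  const groups = new Map();
  let unparsed = 0;
  for (const line of lines) {
    const f = parseFinding(line);
    if (!f) { unparsed++; continue; }
    // Repeated findings on the same file/method/line collapse into one row.
    const key = `${f.file}|${f.sink}|${f.line}`;
    const g = groups.get(key) ||
      { file: f.file, sink: f.sink, line: f.line, sinkClass: f.sinkClass, count: 0, elements: new Set() };
    g.count++;
    g.elements.add(f.element);
    groups.set(key, g);
  }
  const rows = [...groups.values()].sort(
    (a, b) => b.count - a.count || String(a.file).localeCompare(String(b.file)));
  return { rows, unparsed };
}

// Sample input: a few lines copied from the report in this thread.
const SAMPLE = [
  "Client_Potential_XSS (57 items)",
  "The application's !function embeds untrusted data in the generated output with html, at line 25 of \\kendo\\2021.3.1109\\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.",
  "The application's !function embeds untrusted data in the generated output with html, at line 25 of \\kendo\\2021.3.1109\\kendo.toolbar.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.",
  "The application's !function embeds untrusted data in the generated output with appendChild, at line 25 of \\kendo\\2021.3.1109\\kendo.treeview.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.",
  "The application's e},destroyed:function embeds untrusted data in the generated output with wrapAll, at line 26 of \\kendo\\2021.3.1109\\kendo.data.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.",
  "\"The application's r.rightElement=n embeds untrusted data in the generated output with inArray, at line 35\"",
];

const report = triage(SAMPLE);
for (const r of report.rows) {
  console.log(`${r.count}x  ${r.file}  ${r.sink} (line ${r.line})  [${r.sinkClass}]`);
}
console.log(`unparsed lines: ${report.unparsed}`);
```

Because every finding points at line 25 to 35 of a single-line minified bundle, the grouped rows are best reviewed against the unminified source of the same Kendo version rather than the `.min.js` files.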

• The application's !function embeds untrusted data in the generated output with replaceWith, at line 25 of \kendo\2021.3.1109\kendo.validator.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.breadcrumb.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.breadcrumb.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with prepend, at line 25 of \kendo\2021.3.1109\kendo.listbox.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's file embeds untrusted data in the generated output with append, at line 26 of \kendo\2021.3.1109\kendo.filemanager.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with append, at line 25 of \kendo\2021.3.1109\kendo.scheduler.view.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with replaceWith, at line 25 of \kendo\2021.3.1109\kendo.validator.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.virtuallist.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.dataviz.treemap.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.wizard.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.
• The application's !function embeds untrusted data in the generated output with html, at line 25 of \kendo\2021.3.1109\kendo.treeview.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

Unchecked_Input_For_Loop_Condition (16 items)
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element length . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method F at line 26 of \kendo\2021.3.1109\kendo.pivotgrid.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.pivotgrid.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method F at line 26 of \kendo\2021.3.1109\kendo.pivotgrid.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.pivotgrid.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method !function at line 25 of \kendo\2021.3.1109\kendo.dataviz.chart.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.dataviz.chart.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method !function at line 25 of \kendo\2021.3.1109\kendo.dataviz.chart.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.dataviz.chart.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
• Method e},destroyed:function at line 26 of \kendo\2021.3.1109\kendo.data.min.js gets user input from element data . This element's value flows through the code without being validated, and is eventually used in a loop condition in !function at line 25 of \kendo\2021.3.1109\kendo.data.min.js. This constitutes an Unchecked Input for Loop Condition.
Georgi
Telerik team
commented on 31 Jan 2022, 12:31 PM

Hi, David,

I noticed that you have asked the same question in a ticket. We have answered you there; please check your reply.

Nevertheless, in short, yes, the alerts from the provided report are false positives.
