Hi,
My CSP settings on the server-side:
Response.AddHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' https://code.jquery.com 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com; connect-src 'self'; img-src 'self' 'unsafe-inline' blob: data: gap:; style-src 'self' 'unsafe-inline' https://kendo.cdn.telerik.com; font-src 'self' data:;");
My CSP settings on the front-end:
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-kendoInlineScript' https://kendo.cdn.telerik.com https://code.jquery.com/;" />
And I get the following error:
Now of course, when I add 'unsafe-eval' to the CSP settings/config, the errors are gone, but it's not ideal since, at the end of the day, it's still a security risk, however low.
BTW, I'm using a CDN to load the jQuery and Kendo js:
I would greatly appreciate it if you can give some assistance.
Thanks,
JT
Hi JT,
It looks like your Kendo UI template is not CSP-compliant due to the use of inline event handlers and unescaped expressions. Here’s how you can fix it.
- The syntax `data-#=data.ns#field="..."` is not CSP-safe because it injects dynamic content directly.
- The `href="\#"` inline link might also be triggering the issue.
- The `${data.title || "" }` expression should be properly escaped.
const groupIndicatorTemplate = (data) => `
    <div class="k-group-indicator" data-field="${kendo.htmlEncode(data.field)}" data-title="${kendo.htmlEncode(data.title || '')}">
        <a class="k-link">${kendo.htmlEncode(data.title || '')}</a>
    </div>
`;

....

const data = { field: "category", title: "Category" };
const html = groupIndicatorTemplate(data);
$("#targetContainer").html(html);
Please rewrite the whole template to follow the above approach.
Regards,
Nikolay
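A stand-alone version of the approach Nikolay describes, added here as an example and not taken from the thread or from Kendo's own code: `htmlEncode` is a local stand-in for `kendo.htmlEncode` (assumed to have the same contract) so the block runs without Kendo, and the sample rows are constructed.

```javascript
// Render a Kendo-style group indicator with a plain function template
// instead of the string template compiler, which builds a Function at
// runtime and therefore needs 'unsafe-eval' in script-src.
// htmlEncode is a local stand-in for kendo.htmlEncode (assumption: same
// contract - escape the five HTML-significant characters).
function htmlEncode(value) {
  return String(value ?? "")
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// No inline event handlers, no #= # expressions: every dynamic value is
// encoded before it is placed in the markup, so a title that carries
// markup is rendered as text rather than parsed as HTML.
function groupIndicatorTemplate(data) {
  const field = htmlEncode(data.field);
  const title = htmlEncode(data.title || "");
  return (
    `<div class="k-group-indicator" data-field="${field}" data-title="${title}">` +
    `<a class="k-link">${title}</a>` +
    `</div>`
  );
}

// Constructed sample rows; the second one carries markup on purpose.
const sampleRows = [
  { field: "category", title: "Category" },
  { field: "note", title: '<b>bold</b> & "quoted"' },
];

function renderAll(rows) {
  return rows.map(groupIndicatorTemplate).join("");
}

// In the page this would be: $("#targetContainer").html(renderAll(sampleRows));
console.log(renderAll(sampleRows));
```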
Hi Nikolay,
I'm using Telerik UI for ASP.NET MVC and NOT for jQuery. I believe your previous answer is for jQuery.
Regards,
JT
Hi Juan,
Thank you for reaching out.
Your questions are addressed in your formal support ticket:
1681965: CSP-compliant Kendo UI for ASP.Net MVC
The technical conversation can continue in the mentioned thread.