RadFilter change in persist logic in AJAX 2024 Q4

1 Answer 5 Views
Filter Persistence Framework
Ole Oscar asked on 03 Jul 2025, 02:04 PM | edited on 03 Jul 2025, 02:09 PM

Hi,

We have been using the LoadSettings() and SaveSettings() functions to persist the expression in a database. 

We discovered that you have changed the internal format of this when we upgraded to Telerik UI for ASP.NET AJAX 2024 Q4 from Telerik UI for ASP.NET AJAX R1 2023. The old version used ViewState and the new one uses JSON. The result of this is that the old expressions are not working anymore. This is a blocker for us. Do you have any solution to detect/convert the old persisted expressions in the new version? We have many expressions saved in the old format and it breaks the application.

The main reason for upgrading is that we are using your PDF document library to detect if files contain JavaScript actions, and you introduced support for this after the 2023 version. We are checking files for JavaScript in combination with your RadAsyncUpload since we do not want users to upload PDF files with JavaScript due to security reasons. It would have been nice to have access to the JavaScript collection that is private. We had to use reflection to get to it. The reason for this is that the JavaScript is connected to the OnOpen action. That one is not supported by public access.

Regards

Ole Oscar
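The upload check described in the question can be backed by a parser-independent pre-filter on the raw bytes. The following is an added example, not code from the poster or from Telerik, and it does not use the Telerik PDF library: it looks for the PDF name tokens tied to scripts and automatic actions, decodes `#xx` name escapes, and also inflates Flate streams so names inside object streams are seen. The function names, the size cap and the fail-closed policy for encrypted files are assumptions; streams using other filters are not decoded.

```python
import re
import zlib

# Name tokens tied to scripts or automatic actions in the PDF format.
RISKY = {"JavaScript", "JS", "OpenAction", "AA"}
MAX_INFLATE = 8 * 1024 * 1024  # cap per stream so a crafted file cannot exhaust memory

# A name is "/" followed by anything except PDF whitespace and delimiters.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _names(data: bytes) -> set:
    """Return all name tokens with #xx escapes decoded, so /J#53 reads as JS."""
    unescape = lambda m: bytes([int(m.group(1), 16)])
    return {_HEX.sub(unescape, m.group(1)).decode("latin-1") for m in _NAME.finditer(data)}


def risky_pdf_names(pdf: bytes) -> set:
    """Scan the raw file plus every stream that inflates as Flate data."""
    found = _names(pdf)
    for m in _STREAM.finditer(pdf):
        try:
            found |= _names(zlib.decompressobj().decompress(m.group(1), MAX_INFLATE))
        except zlib.error:
            continue  # not Flate (image data, other filters): left uninspected
    return found & RISKY


def should_reject(pdf: bytes) -> bool:
    """Fail closed: encrypted files hide their streams from this scan."""
    return bool(risky_pdf_names(pdf)) or "Encrypt" in _names(pdf)


# Constructed samples, not real documents.
PLAIN = b"1 0 obj << /Type /Catalog /Open#41ction 2 0 R >> endobj\n" \
        b"2 0 obj << /S /JavaScript /J#53 (constructed) >> endobj"
PACKED = b"3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n" \
         + zlib.compress(b"<< /AA << /O 4 0 R >> >>") + b"\nendstream endobj"
BENIGN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("packed", PACKED), ("benign", BENIGN)):
        print(label, sorted(risky_pdf_names(sample)), should_reject(sample))
```

A hit here is a reason to reject before any PDF library parses the file; a miss is not proof the file is clean, so the library-level check stays in place.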

 

1 Answer, 1 is accepted

Attila Antal
Telerik team
answered on 04 Jul 2025, 02:21 PM

Hello Ole,

I have replied to your support ticket but I will share the answer in this forum post as well, in case someone else stumbles upon the same issue.

That is correct. We have improved the security of our components and eliminated potentially vulnerable code, and as a result the filter expressions are now in a different format. We tried to avoid introducing the breaking change, but that was not possible.

This issue was reported earlier, where we discussed that we will not bring back the vulnerable code; instead, developers can use an extension to convert the old expressions to the new format and, when they are done, remove the extension too.

Please visit the following public item and try the workaround we shared to help you convert the old expressions to the new format: Add the ability to convert old versions of FilterExpressions to work with the latest security improvements.

I would also like to bring to your attention that we have identified a vulnerability in our code in May 2025 and we sent out a couple of emails about it. You should have received the email, but in case you have not, I recommend you follow the instructions from the following KB article to upgrade or apply the mitigations, see Unsafe Reflection Vulnerability (3600).

Please let me know if you have any questions.

Regards,
Attila Antal
Progress Telerik
