Merge pull request #2995 from telerik/martinivanoff/m-security-useful…

…tips Martinivanoff/m security usefultips
telerik · Dec 13, 2024 · 10d6be4 · 10d6be4
2 parents 46246ab + d1c1377
commit 10d6be4
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 4 deletions.
diff --git a/controls/raddiagram/overview.md b/controls/raddiagram/overview.md
@@ -88,3 +88,4 @@ You can find all the general features of the diagram documented in the [Features
 ## See Also
  * [Structure]({%slug raddiagram-structure%})
  * [Getting Started]({%slug raddiagram-getting-started%})
+ * [Useful Security Tips]({%slug security-tips%})
diff --git a/controls/radpdfviewer/overview.md b/controls/radpdfviewer/overview.md
@@ -81,8 +81,8 @@ Some of the key features coming out-of-the-box with **RadPdfViewer** are:
 * [Telerik UI for WPF Knowledge Base](https://docs.telerik.com/devtools/wpf/knowledge-base)
 {% endif %}
 
-## See Also
-
+## See Also   
  * [Getting Started]({%slug radpdfviewer-getting-started%})
  * [Wiring UI]({%slug radpdfviewer-wiring-ui%})
  * [Showing a File]({%slug radpdfviewer-showing-a-file%})
+ * [Useful Security Tips]({%slug security-tips%})
diff --git a/controls/radpersistenceframework/persistence-framework-overview.md b/controls/radpersistenceframework/persistence-framework-overview.md
@@ -44,3 +44,4 @@ __PersistenceFramework__ allows you to easily save and restore your UI. The fram
 ## See Also
 * [Data Binding Tips]({%slug persistence-framework-data-binding-tips%})
 * [Events]({%slug persistence-framework-events%})
+* [Useful Security Tips]({%slug security-tips%})
diff --git a/controls/radrichtextbox/overview.md b/controls/radrichtextbox/overview.md
@@ -145,3 +145,4 @@ __RadRichTextBox__ is a control that can display and edit rich-text content incl
  * [Getting Started]({%slug radrichtextbox-getting-started%})
  * [Events]({%slug radrichtextbox-events-overview%})
  * [Styles and Templates]({%slug radrichtextbox-styles-and-tempaltes-overview%})
+ * [Useful Security Tips]({%slug security-tips%})
diff --git a/controls/radspreadsheet/overview.md b/controls/radspreadsheet/overview.md
@@ -143,3 +143,4 @@ With RadSpreadsheet you can easily [import and export]({%slug radspreadsheet-imp
 * [Getting Started]({%slug radspreadsheet-getting-started%})
 * [Unsupported Features]({%slug radspreadsheet-unsupported-features%}) 
 * [RadSpreadProcessing Documentation](https://docs.telerik.com/devtools/document-processing/libraries/radspreadprocessing/overview)
+* [Useful Security Tips]({%slug security-tips%})
diff --git a/security/faq.md b/security/faq.md
@@ -5,7 +5,7 @@ description: "Find answers to common questions about Telerik UI for WPF best sec
 slug: security-faq
 tags: telerik, security, wpf, faq, desktop, development
 published: True
-position: 1
+position: 2
 ---
 
 # Frequently Asked Questions (FAQ)
@@ -66,4 +66,4 @@ Once a vulnerability is fixed, we aim to release a patched version of the produc
 
 ## Does Progress/Telerik have any security certifications or accreditations, such as SOC 2 or other industry-recognized standards?
 
-Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards.
+Yes, Progress and DevTools products perform annual SOC 2 compliance, which validates our commitment to security, confidentiality, and privacy. You can find more information about our compliance on the [Progress Trust Center](https://www.progress.com/trust-center). Additionally, we align our security practices with industry-leading frameworks to maintain and continually improve our high security standards.
diff --git a/security/useful-tips.md b/security/useful-tips.md
@@ -0,0 +1,53 @@
+---
+title: Security Tips
+page_title: Security Tips
+description: "Learn Telerik's best security practices, vulnerability reporting, and control-specific security guidelines, and useful tips."
+slug: security-tips
+tags: telerik, security, wpf, redistributing, report, tips, useful, vulnerability
+published: True
+position: 1
+---
+
+# Security Tips
+
+In this article, you will find helpful security tips and resources to strengthen the protection of your WPF app that uses Telerik UI for WPF controls.
+
+## Safe Deserialization
+
+Deserialization in the context of WPF often means that XML content gets parsed to CLR objects which are loaded in memory. This carries a security risk related to loading untrusted types, which can be used to abuse the logic of the application. An attacker could use this entry point to deserialize and load malicious content that executes a command on the OS.
+
+Telerik components that support deserialization operations implement a safety method to allow loading only trusted types, thus improving the application security. This feature consists of creating a list of allowed CLR types that can be loaded during deserialization. If the deserialization process reaches a type that is not part of this list, an exception is thrown.
+
+The following resources show which Telerik controls support safe deserialization and how to use it:
+
+* [Diagram - Serialization article]({%slug raddiagrams-features-serialization%}#allowing-safe-types-and-assemblies)
+
+* [PersistenceFramework - Allowed Types article]({%slug persistence-framework-allowed-types%})
+
+* [RichTextBox - XAML Verification article]({%slug radrichtextbox-import-export-xaml-verification%})
+
+## Secure Hyperlink Clicks
+
+In WPF hyperlink navigation actions can start a new process on the user machine. This can execute a malicious command untrusted by the user. Most of the time this can be controlled in the application's logic, where such addresses can be validated, thus mitigating the security risk. 
+
+In cases when the hyperlink is loaded dynamically from an unknown source, like from a document loaded in Telerik PdfViewer or RichTexBox, the link may be insecure. For such scenarios the Telerik's document hyperlink components come with a built-in URI validation logic. If the hyperlink doesn't point to a valid address, the navigation won't work and a message box will be displayed. Additional to that, the Telerik document viewer components that support hyperlinks expose a `HyperlinkClicked` event that can be handled in order to further modify the click action, thus improving the security even more.
+
+The following resources show how to use the `HyperlinkClicked` event in the corresponding controls:
+
+* [PdfViewer - Annotations article]({%slug radpdfviewer-document-model-annotations%}#handling-the-hyperlink-click-navigation)
+
+* [RichTextBox - Hyperlink article]({%slug radrichtextbox-features-document-elements-hyperlink%}#handling-the-hyperlink-click-navigation)
+
+* [Spreadsheet - Events article]({%slug radspreadsheet-events%}#radworksheeteditor-events)
+
+## Additional Resources
+
+* __Security FAQ__: For more answers to common security-related questions, visit the [Security FAQ]({%slug security-faq%}) article.
+* __Upgrade Recommendations__: Regularly updating to the latest version of Telerik UI for WPF is one of the best ways to ensure security. You can find the information on the installation approaches in the [corresponding section in the documentation]({%slug installation-installing-which-file-do-i-need%}).
+
+## See Also  
+* [RadDiagram]({%slug raddiagram-overview%})
+* [RadPdfViewer]({%slug radpdfviewer-overview%})
+* [RadPersistenceFramework]({%slug persistence-framework-overview%})
+* [RadRichTextBox]({%slug radrichtextbox-overview%})
+* [RadSpreadsheet]({%slug radspreadsheet-overview%})