typeValidation Element Overview
Because Telerik Reporting consumes report definitions, they are a potential attack vector: a malicious actor could use a modified report to execute an attack against a system that uses Telerik Reporting. To prevent that, the Reporting engine validates the serialization types of the report definition and the expression types used in the report. The typeValidation element defines the configuration settings for this validation.
XML-based configuration file:
<typeValidation validateExpressionTypes="true" validateSerializationTypes="true" />
JSON-based configuration file:
"typeValidation": {
  "validateExpressionTypes": "true",
  "validateSerializationTypes": "true"
}
Attributes and Elements
The following sections describe attributes and parent elements.
Attributes
Parent Elements
Example
The following code example demonstrates how to disable the type validation performed by the Reporting Engine.
The type validation of the Reporting engine is an important security feature and disabling it can make you vulnerable to attacks! Proceed at your own risk, only if you are confident in the security of your environment.
XML-based configuration file:
<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="Telerik.Reporting" type="Telerik.Reporting.Configuration.ReportingConfigurationSection, Telerik.Reporting" allowLocation="true" allowDefinition="Everywhere" />
  </configSections>
  <Telerik.Reporting>
    <typeValidation validateExpressionTypes="false" validateSerializationTypes="false" />
  </Telerik.Reporting>
  ...
</configuration>
JSON-based configuration file:
"telerikReporting": {
  "typeValidation": {
    "validateExpressionTypes": "false",
    "validateSerializationTypes": "false"
  }
}
When adding the Telerik.Reporting section manually, do not forget to register it in the configSections element of the configuration file. Failing to do so will result in a ConfigurationErrorsException with the following text: Configuration system failed to initialize.
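A deployment check for the setting described above, as an added example that is not part of the Telerik documentation: it reports which typeValidation attributes a configuration file sets to false, so a disabled validation can be caught in review or CI. The function names and sample inputs are constructed for illustration, and the case-insensitive JSON key lookup assumes the file is loaded through .NET's configuration system.

```python
import json
import xml.etree.ElementTree as ET

ATTRS = ("validateExpressionTypes", "validateSerializationTypes")

def _disabled(value):
    # Accept the string form shown on this page and a JSON boolean.
    return str(value).strip().lower() == "false"

def _ci_get(obj, key):
    # Assumption: JSON keys are matched case-insensitively, as .NET's
    # configuration system does.
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return v
    return None

def audit_xml(text):
    """Return typeValidation attributes set to false in an XML config."""
    root = ET.fromstring(text)
    found = []
    for section in root.iter("Telerik.Reporting"):
        for tv in section.iter("typeValidation"):
            found += [a for a in ATTRS if a in tv.attrib and _disabled(tv.attrib[a])]
    return found

def audit_json(text):
    """Return typeValidation settings set to false in a JSON config."""
    tv = _ci_get(_ci_get(json.loads(text), "telerikReporting"), "typeValidation")
    return [a for a in ATTRS if _disabled(_ci_get(tv, a))]

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_XML = """<configuration>
  <Telerik.Reporting>
    <typeValidation validateExpressionTypes="False" validateSerializationTypes="true" />
  </Telerik.Reporting>
</configuration>"""
SAMPLE_JSON = """{"TelerikReporting": {"typeValidation":
  {"validateExpressionTypes": "true", "validateSerializationTypes": false}}}"""

if __name__ == "__main__":
    for name, hits in (("xml", audit_xml(SAMPLE_XML)), ("json", audit_json(SAMPLE_JSON))):
        print(name, "disabled:", hits or "none")
```

An empty result means no attribute is explicitly set to false; a missing typeValidation element is not reported.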