getting-started/installation/web-config-settings-overview.md
+2
@@ -185,6 +185,7 @@ You can add any of the following available `appSettings` keys for the Telerik UI
185
185
|`Telerik.EnableEmbeddedBaseStylesheet`|Lets you disable the embedded base stylesheets for all Telerik controls in the application by setting it to `false`. The [How Skins Work]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/controlling-visual-appearance/how-skins-work%}) article explains what the base stylesheet is. For more information on disabling the embedded resources, refer to the [Disabling Embedded Resources]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/performance/disabling-embedded-resources%}) article.
186
186
|`Telerik.EnableEmbeddedScripts`|Lets you disable the embedded scripts for all Telerik controls in the application by setting it to `false`. For more information, refer to the [Disabling Embedded Resources]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/performance/disabling-embedded-resources%}) article.
187
187
|`Telerik.EnableEmbeddedSkins`|Lets you disable the embedded skin-specific stylesheets for all Telerik controls in the application by setting it to `false`. The [How Skins Work]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/controlling-visual-appearance/how-skins-work%}) article explains what the skin-specific stylesheet is. For more information, refer to the [Disabling Embedded Resources]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/performance/disabling-embedded-resources%}) article.
188
+
|`Telerik.RegexMatchTimeout`|Allows you to configure the timeout for regular expressions across Telerik controls. By default, this timeout is set to 3 seconds, but it can be customized via this setting in the web.config. Set the value in seconds. This helps prevent potential performance issues and ReDoS (Regular Expression Denial of Service) attacks.
188
189
|`Telerik.ScriptManager.EnableEmbeddedjQuery`|Lets you disable the embedded jQuery that comes with the Telerik controls by setting it to `false`. For more information, refer to the [Disabling the Embedded jQuery]({%slug scriptmanager/disabling-the-embedded-jquery%}) article.
189
190
|`Telerik.ScriptManager.EnableHandlerEncryption`|Lets you enable the Telerik WebResource request `querystring` encryption as well as hides the `Telerik.Web.UI <!-- 20xx.x.xxx.xx -->` version in the rendered output. For more information, refer to the [Encrypt Telerik WebResource Querystring]({%slug scriptmanager/encrypt-telerik-webresource-querystring%}) article.
190
191
|`Telerik.ScriptManager.TelerikCdn`|Lets you globally enable the scripts CDN support in the ScriptManager for the application by setting it to `true`. For more information, refer to the [Scripts CDN Overview]({%slug scriptmanager/cdn-support/overview%}) article.
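Review bot: the new `Telerik.RegexMatchTimeout` row says "Set the value in seconds" but does not state which values are accepted: whether fractional seconds are allowed, and what the controls do with `0`, a negative number or a non-numeric string (fall back to the 3-second default, or fail?). Since the description ties this setting to ReDoS protection, please document that behaviour so a mistyped value is not assumed to be in effect. Two smaller points: the neighbouring rows open with "Lets you …" and end with a link to a detailed article, while this row opens with "Allows you to …" and has no link; matching the wording and pointing to the Regular Expression Timeout Settings tip added in security/security.md would keep the table consistent.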
@@ -225,6 +226,7 @@ The following example demonstrates how to set all of the available `appSettings`
security/security.md
+11
@@ -35,6 +35,17 @@ These tips apply across many Telerik controls and help secure your application h
35
35
36
36
***Encrypt Telerik WebResource Querystring**: For extra security, encrypt the Telerik WebResource querystring by enabling the `Telerik.ScriptManager.EnableHandlerEncryption` setting. This hides product version information in the page markup. Follow the steps here: [Encrypt Telerik WebResource Querystring]({%slug scriptmanager/encrypt-telerik-webresource-querystring%}).
37
37
38
+
***Regular Expression Timeout Settings** : To mitigate potential performance issues or vulnerabilities in regular expressions, a default timeout of 3 seconds is applied. You can customize this timeout by adding the `Telerik.RegexMatchTimeout` setting in your web.config file. Specify the timeout duration (in seconds) to suit your application needs:
39
+
40
+
```XML
41
+
<appSettings>
42
+
<addkey="Telerik.RegexMatchTimeout"value="5"/>
43
+
</appSettings>
44
+
```
45
+
46
+
This ensures that long-running regular expressions do not hang indefinitely, helping to protect your application from potential ReDoS (Regular Expression Denial of Service) attacks.
47
+
48
+
38
49
***Embedded jQuery Security**: Telerik ASP.NET AJAX components embed a custom, secure version of jQuery. Learn about the security enhancements and modifications made to ensure safe usage of jQuery within Telerik controls: [Embedded jQuery Security]({%slug introduction/radcontrols-for-asp.net-ajax-fundamentals/using-jquery/using-jquery%}#embedded-jquery-security).
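Review bot: the sample in the new Regular Expression Timeout Settings tip sets `value="5"`, which is longer than the 3-second default stated in the sentence above it, so a reader who copies the snippet loosens the ReDoS mitigation rather than tightening it. Consider using a value at or below the default in the sample, or adding a sentence that a larger value gives a slow pattern more time per match. The tip also does not say what happens when the timeout is reached (is an error surfaced to the page or handled inside the control?); one sentence on that would help whoever has to monitor for it. Style: the heading has a space before the colon (`**Regular Expression Timeout Settings** :`) unlike the neighbouring tips, and two blank lines are added after the closing paragraph (new lines 47 and 48) where a single blank line separates the tips above.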