From f605ea56433c7bdbf4efec634706879f6172b7b3 Mon Sep 17 00:00:00 2001 From: petar-i-todorov Date: Tue, 21 Oct 2025 19:22:30 +0300 Subject: [PATCH] docs: add section in uf article on discoverability --- .../expressions/extending-expressions/user-functions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/designing-reports/connecting-to-data/expressions/extending-expressions/user-functions.md b/designing-reports/connecting-to-data/expressions/extending-expressions/user-functions.md index 994fad9da..a96e461b5 100644 --- a/designing-reports/connecting-to-data/expressions/extending-expressions/user-functions.md +++ b/designing-reports/connecting-to-data/expressions/extending-expressions/user-functions.md 
@@ -45,6 +45,12 @@ As of 2025 Q1 (19.0.25.211), the __User Function__ resolution behavior has been * If a type is decorated with the `Function` attribute and has its [IsVisible](/api/telerik.reporting.expressions.functionattribute#Telerik_Reporting_Expressions_FunctionAttribute_IsVisible) property set to `False`, none of the methods in this class will be loaded. * If a type is decorated with the `Function` attribute and has its [IsVisible](/api/telerik.reporting.expressions.functionattribute#Telerik_Reporting_Expressions_FunctionAttribute_IsVisible) property set to `True`, all methods in it, except for the ones decorated with `IsVisible = False`, will be loaded. +## User Function Discovery + +The automatic user function discovery applies only to assemblies that are explicitly configured through [assemblyReferences]({%slug telerikreporting/using-reports-in-applications/export-and-configure/configure-the-report-engine/assemblyreferences-element%}) or [typeReferences]({%slug telerikreporting/using-reports-in-applications/export-and-configure/configure-the-report-engine/typereferences-element%}) in the application configuration. This behavior prevents potential security vulnerabilities where malicious actors could exploit report definitions to invoke unintended methods from the host application. + +Even functions defined directly in the executing assembly are not automatically discovered. This behavior is intentional to prevent issues in scenarios where the Reporting engine is embedded in applications with many publicly accessible classes and methods. For example, in applications that host the Web Report Designer, automatically loading all functions from the executing assembly could clutter the function list with unintended methods. + ## Providing metadata for functions You can provide descriptive metadata about your user functions through attributes. Attributes are specialized classes that are applied to code elements. 
At compile time, attributes are emitted into metadata that is available to the common language runtime and reporting engine.
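Review bot: The second paragraph of the new "User Function Discovery" section states that functions in the executing assembly are not automatically discovered, but stops before telling the reader what to do about it. Since the first paragraph says discovery applies only to assemblies configured through assemblyReferences or typeReferences, add a sentence saying explicitly that the executing assembly must be listed there too if its functions are meant to be available, so the restriction reads as an allowlist with a clear opt-in. Two smaller points in the same section: the first paragraph justifies the behavior on security grounds while the second justifies the same restriction only as avoiding a cluttered function list in the Web Report Designer, so consider stating the security reason there as well, because loading every public method of the host is the same exposure the first paragraph describes. The surrounding text is scoped with "As of 2025 Q1 (19.0.25.211)", but the new heading carries no version, so say whether the discovery restriction applies from that release or from all versions.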