Participating Frequently

Question

Adobe RoboHelp 2019 - Source Code Disclosure Issue

Forum|Forum|5 years ago
November 11, 2020
4 replies
650 views

Hello,

We had a small security run on our application as a part of our security check-up cycle. It was informed to our team (Tech Writing team) that the potential security issue is identified in the online help file generated using Adobe RoboHelp 2019. The below mentioned specifics of the issue are quoted from the test report:

OWASP Vulnerability Identified: Source code disclosure.

The application appears to disclose some server-side source code written in PHP which is provided below:

<?rh-msp-search-results-start widgettype="searchresult" class="wSearchResults" id="searchresults" role="navigation" ?>

                   <?rh-msp-search-highlight-control id="highlightsearch" widgettype="highlightsearch" type="checkbox"
               checked class="wSearchHighlight" id="highlightsearch" textcolorval="#000000" bgcolorval="#FCFF00"
               aria-labelledby="highlightlabel" ?>

<?rh-lng-string lngname="EndOfResults" lngvalue="End of search results." ?>

<?rh-msp-search-results-end ?>

They seem to be appearing in more than one file.

Are there any ways to eliminate these codes while generating the output files?

If there are no solutions, we will also be fine if we get a confirmation from Adobe team ensuring that the above-mentioned codes do not possess any threat to our application.

This topic has been closed for replies.

Jeff_Coatsworth

Community Expert

I would try generating with the sample project supplied with RH to see if the output created by that has the same lines you note. If it doesn't, then that means that there's something else going on in your project that's creating those lines.

Also make sure you are all patched up - you didn't mention what exact version of RH2019 you're running.

A

Amebr

Community Expert

@Stefan Gentz Does that code appear in the output? I thought it was only in the source skin files? The OP says "in the online help file generated using Adobe RoboHelp 2019".

S

Stefan Gentz

Community Manager

I have never seen it in the output.

S

Stefan Gentz

Community Manager

You're security tool is missinterpreting this. This is not PHP. These are standard XML processing instructions.

RoboHelp output is not using any PHP.

A

ayyasskhanAuthor

Participating Frequently

Since we used the Responsive HTML5 output format, we expected the results to be only as HTML files.

Why are the XML instructions part of the HTML files?

S

Stefan Gentz

Community Manager

Do you have an example where PIs appear in the Responsive HTM5 output?

I just tested it with a couple of sample projects I have and could not find any PIs in the published output except for the XML declaration itself in line 1.

That said: RoboHelp does not only produce simple HTML5, but HTML5 in an XML notation. That is, the output is not only HTML5 compliant, but also 100% XML compliant.

Processing Instructions are a normal part of the XML standard. You can read more about PIs here and in the spec here.

Peter Grainge

Community Expert

This is something you will have to take up with Support.

See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your support contact options.

Use the menu (bottom right) to mark the Best Answer or Highlight particularly useful replies. Found the answer elsewhere? Share it here.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded