Welcome Dialog

Welcome to the Community!

We have a brand new look! Take a tour with us and explore the latest updates on Adobe Support Community.


Cross-scripting errors in WebHelp output (RoboHelp 2015)

New Here ,
Jun 28, 2016 Jun 28, 2016

Copy link to clipboard

Copied

After running a security scan of the product, the application developers reported DOM cross-scripting errors resulting from the online help. This is what the scan turned up:

DOM XSS Issue in the following files:
• Whstart.js -> document.location=document.location;
• whtbar.js -> top.location = strURL;
• whtopic.js -> window.location = strUrl
• whtopic_nc.js -> window.location = strMainPage.substring(0, indx+1) + "whcsh_home.htm#topicurl=" + strMainPage.substring(indx+1);

And also an open redirect issue in the following file:

whtbar.js -> top.location = strURL;

I am generating WebHelp using RoboHelp 2015 (version 12.0.2.384).

I was under the impression that the cross-site scripting errors existed in earlier versions of RoboHelp (8 and 9) and had been corrected in subsequent releases. My search of the RoboHelp forums did turn up a more recent post about similar issues with Responsive HTML 5 output, but that's not the output format I'm using.

Has anyone else recently experienced these errors in WebHelp? Does Adobe have a fix for this issue?

TOPICS
WebHelp

Views

320

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
Jun 28, 2016 Jun 28, 2016

Copy link to clipboard

Copied

Are you claiming these are errors that need addressing or possible security issues?

I've seen reports in the past where folks were wringing their hands because their IT or other folks were saying there were security threats from these cross-scripting issues. And to be honest, I've never once ever in my 20+ years of using the product heard of anyone actually successfully exploiting things. But I do understand it's a concern.

Personally, I'd file a bug on it or contact Adobe Support directly and see what they may say about it.

Cheers... Rick

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jun 28, 2016 Jun 28, 2016

Copy link to clipboard

Copied

LATEST

Sorry, perhaps "error" was the wrong word. The security scan flagged these issues and the application developers want us to correct them.

I'm hoping someone from Adobe might chime in here, but I will also try the other channels you suggest.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
RoboHelp Documentation
Download Adobe RoboHelp