Is Javascript a security threat?

Explorer, Mar 19, 2013

The IT dept of a potential client has identified some of the Javascript in my Webhelp output as a potential security threat for cross-site scripting.

Could someone please answer the following questions about the following code block?

  • What is its purpose?

  • Can all, or part of it be deleted? (And if so, please provide excruciatingly detailed instructions for removing javascript or minimising it in my output files.)

  • Do you think that the javascript in webhelp constitutes a security threat?

I am using RoboHelp 8 & don't know nothin' bout no javascript. This objection has never arisen before.

The code block (and especially the if statements about two different windows)

if (window.gbWhTopic)
{
  var strUrl = document.location.href;
  var bc = 0;
  // Look for a "bc-" marker anywhere in the current URL.
  var n = strUrl.toLowerCase().indexOf("bc-");
  if (n != -1)
  {
    // Navigate to the URL cut off before the marker; keep the text after it in bc.
    document.location.href = strUrl.substring(0, n);
    bc = strUrl.substring(n + 3);
  }

  if (window.addTocInfo)
  {

  }
  if (window.writeBtnStyle)
    writeBtnStyle();

  if (window.writeIntopicBar)
    writeIntopicBar(0);

  if (window.setRelStartPage)
  {
    setRelStartPage("Acco_3.htm");

    autoSync(1);
    sendSyncInfo();
    sendAveInfoOut();
  }
}
else if (window.gbIE4)
  document.location.reload();

Thanks for any enlightenment,

John

LEGEND, Mar 19, 2013

Hi John

Here's the deal. With RoboHelp, you create HTML topic pages. And when it's time to create output, you choose the output type and create it. From what I've seen of your code, I'm guessing that you created WebHelp output. In WebHelp output, as the WebHelp is generated each topic is copied from the hard drive into memory and modified. Exactly HOW the topics are modified depends on the options you have selected in the Single Source Layout (SSL) recipe. The options govern which different bits of JavaScript code are added and inserted into the topic. The modified version of the topic is then saved to the folder location specified in the SSL recipe.

One of the options is called "Show Navigation Pane Link in Topics".

[Image: tmp1.PNG]

With this option enabled, the JavaScript code written into the topic performs a "sniff test" to ask: "Am I being presented within my WebHelp frameset?" and if the answer is no, code is written into the topic that provides the end user a link that reloads the topic within the WebHelp frameset when the user clicks it.

I do know that a year or two back, some sort of "cross site scripting vulnerability" was discovered, but I believe Adobe issued a patch shortly after the discovery that addressed it.

My guess here is that while it may look bad, what you are seeing is pretty innocuous and nothing to be concerned about.

Cheers... Rick

Explorer, Mar 19, 2013

OK, thanks for your info Rick.

Adobe Community Professional, Mar 20, 2013

You can avoid the use of frames using the new Multiscreen HTML5 output in Rh10.

Use one of the desktop layouts there.


See www.grainge.org for RoboHelp and Authoring tips

@petergrainge

Explorer, Mar 20, 2013

Great! Thanks Peter.

New Here, Apr 05, 2013

Hello,

We too are experiencing this problem and need to get it to turn off. I have looked at the past discussions surrounding this topic and it seems that this document.location.href code has something to do with breadcrumbs? I don't have breadcrumbs or the navigation pane link turned on anywhere in my system (using RH 10), so I am not too sure why RH is adding this code to all my topics.

Regardless, do you know where this code is originating from? I can see reference to it in the whutil.js but according to our JavaScript developer I need to find the file that inserts the code (document.write or something similar).

Any help would be appreciated. I have a number of WebHelp and WebHelp Pro systems and don't want to have to change every file in every generated help system with security code each time I generate and release. Peter's suggestion to Multiscreen HTML5 output is a good one, but the change would be a bit more wide reaching than just my help systems so at the moment not the immediate option.

Thank you,

Tannis

LEGEND, Apr 06, 2013

I believe that this code checks whether there is a breadcrumb available on the current page. This code is added on generation. This is part of the generation process and I'm not sure if it can be changed.

Is it a potential risk? Is taking your car downtown a risk? I'm not a security expert, but this sounds a bit paranoid to me.

RoboHelp 10 WebHelp has changed the way it works and it uses safe cross-frame communication. That might be a solution for you. Otherwise the Multiscreen HTML5 output may help.

Greet,

Willam

New Here, Apr 08, 2013

Thank you Willam,

Do you know if it is just RH 10 Web Help that has this safe cross-frame communication? Does WebHelp Pro also have it? I am currently outputting to WebHelp Pro using RoboHelp 10.

As to your comment whether or not this code is a security risk or not, I do understand your point, however, as I have no control over what the customer perceives as a security risk in their highly secure and extremely regulated environment, I have little choice other than to try and fix the problem.

Thank you,

Tannis

LEGEND, Apr 08, 2013

Nope, the code is still there in WebHelp Pro.

I understand that you have to live with your customer. Life could be so much easier 😉

What you can try is using a find and replace in your output, changing all occurrences of

var strUrl = document.location.href;

to

var strUrl = "";

I don't believe it'll break anything (important). This may save you a major headache.

Greet,

Willam
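
The find-and-replace suggested in the reply above, as an added example that is not part of the original thread and not RoboHelp's own code: a Node.js script that applies it to every .htm/.html file under a generated output folder, plus a small model of the quoted URL logic showing what the replacement changes. The function names `urlBranch`, `patchText` and `patchOutput` and the output folder argument are hypothetical; only the two strings come from the thread.

```javascript
const fs = require("fs");
const path = require("path");

// Strings taken from the reply above; everything else here is an assumption.
const FIND = "var strUrl = document.location.href;";
const REPLACE = 'var strUrl = "";';

// Model of the URL handling in the topic script quoted at the top of the
// thread (pure function, no browser needed). Returns where the page would
// navigate (null if nowhere) and the value left in bc.
function urlBranch(strUrl) {
  let bc = 0;
  let redirectTo = null;
  const n = strUrl.toLowerCase().indexOf("bc-");
  if (n !== -1) {
    redirectTo = strUrl.substring(0, n);
    bc = strUrl.substring(n + 3);
  }
  return { redirectTo, bc };
}

// Replace every occurrence in one file's text and count the hits.
function patchText(text) {
  const parts = text.split(FIND);
  return { text: parts.join(REPLACE), count: parts.length - 1 };
}

// Recursively patch .htm/.html files under outputDir (hypothetical path).
// latin1 round-trips every byte, so non-UTF-8 topics are not re-encoded.
// With dryRun = true nothing is written; the report lists what would change.
function patchOutput(outputDir, dryRun = false) {
  const report = [];
  for (const entry of fs.readdirSync(outputDir, { withFileTypes: true })) {
    const full = path.join(outputDir, entry.name);
    if (entry.isDirectory()) {
      report.push(...patchOutput(full, dryRun));
    } else if (/\.html?$/i.test(entry.name)) {
      const { text, count } = patchText(fs.readFileSync(full, "latin1"));
      if (count > 0) {
        if (!dryRun) fs.writeFileSync(full, text, "latin1");
        report.push({ file: full, count });
      }
    }
  }
  return report;
}
```

With `strUrl` fixed to the empty string, `urlBranch("")` never finds the marker, so the script neither navigates nor reads anything from the URL. Because the output is regenerated on every build, the patch has to be re-run after each generation; a dry run first shows which files would be touched.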

Explorer, Aug 16, 2018

A security audit has identified the JavaScript in my Responsive HTML output, too. The difference is that I'm using RoboHelp 2015.

Yes, I've read through the thread. What is the correct way to turn it off in RH2015, and what are the consequences?

Thank you,

Cindy

Adobe Community Professional, Aug 16, 2018

AFAIK there's no way to turn off JavaScript being in your HTML5 output - disabling it in the browser would just make it not work. Is there some particular code that the audit is having an issue with? Maybe you need to check with Adobe about it and see if they have an option for you.
