We generate WebHelp using RoboHelp HTML. The security team constantly runs security checks on the applications, and the whtopic.js file that RoboHelp generates was identified as a security threat because of "DOM code injection". The comment was that the document.location.href is controllable and, at a minimum, ought to be run through some HTML encoding.
Any one else ever run into security analysis of the RoboHelp generated files?
Anything we can do about it?
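The pattern the scanner is describing, as an added illustration that is not code from RoboHelp's whtopic.js or from anyone in this thread: a value taken from document.location.href is spliced into markup that later reaches innerHTML or document.write, so whoever controls the URL the reader clicks controls the DOM. The function names, the "location" value (a plain string standing in for the browser object) and the sample URLs are all constructed for the example.

```javascript
// Added illustration, not RoboHelp's whtopic.js. Shows the vulnerable
// concatenation, the HTML-encoded version the scanner asked for, and the
// extra scheme check that encoding alone does not give you. Runs under
// Node; "href" values are constructed strings, not a real window.location.

// Minimal HTML entity encoder for text and double-quoted attribute context.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the current URL goes straight into markup. The
// fragment and query string are attacker-controlled, so a crafted link
// closes the attribute and opens a new tag.
function buildLinkUnsafe(href) {
  return '<a href="' + href + '">' + href + "</a>";
}

// Only accept absolute http(s) URLs. A javascript: URL survives HTML
// encoding untouched and still executes when placed in an href, so the
// scheme has to be checked separately. Relative paths are rejected here
// because no base URL is supplied (an assumption of this example).
function isHttpUrl(href) {
  try {
    const u = new URL(href);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Hardened pattern: scheme check, then encode for the HTML context.
function buildLinkSafe(href) {
  if (!isHttpUrl(href)) {
    return ""; // refuse to render rather than emit an unexpected scheme
  }
  const enc = htmlEncode(href);
  return '<a href="' + enc + '">' + enc + "</a>";
}

// Crude check used only for this demonstration: does the markup contain
// any tag other than the single <a>...</a> we intended to build?
function containsInjectedTag(html) {
  return /<(?!\/?a[\s>])[a-z]/i.test(html);
}

// Constructed inputs, not captured from any real help system.
const benignHref = "https://help.example.test/webhelp/index.htm#topic1";
const injectionHref =
  'https://help.example.test/webhelp/index.htm#"><img src=x onerror=alert(1)>';
const jsSchemeHref = "javascript:alert(document.cookie)";

// Summarise all three cases so the result can be inspected or asserted on.
function demo() {
  return {
    unsafeInjected: containsInjectedTag(buildLinkUnsafe(injectionHref)),
    safeInjected: containsInjectedTag(buildLinkSafe(injectionHref)),
    jsSchemeOutput: buildLinkSafe(jsSchemeHref),
    benignOutput: buildLinkSafe(benignHref),
  };
}
```

One caveat worth raising with whoever reviews the finding: HTML encoding is the right fix only if the value lands in an HTML context. If the generated script instead drops location.href into a JavaScript string literal or into a redirect, the encoder has to match that context (JavaScript string escaping, or URL validation before assignment), and a scheme check like the one above is needed in either case.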
Just to add, we are using Robohelp 220.127.116.111.
Vulnerability identifier: APSB11-23
CVE number: CVE-2011-2133
but it seems to be related to an earlier version and should be OK in the version that we have.
I tried to replace the mentioned files but could not see the change.
These security things sometimes come up in tools. As the code here doesn't have anything to do with cross frame scripting, I very much doubt this is an XSS vulnerability. I have asked the people who know about this to look it over.