2 Replies Latest reply on Mar 6, 2016 1:46 AM by Peter Grainge

    A way to not include default.css references in topic pages (or use absolute paths for .css references)?

    RoboDeveloper

      Background:

      • I've been using Robohelp since v5 - we're currently using v9.0.2.
      • We create Microsoft Word user manuals for our product which I have created Robohelp projects for to generate webhelp.
      • I use the "link" feature rather than "import" so that it is easier for me to update the webhelp when the word doc is updated.
      • We use pagination for heading levels 1-3 so it generates 50-200 HTML topic files per webhelp.
      • Everything works fine from a customer point of view.

       

      Earlier this week a developer who was running a Burp security scan on our site sent me a report which showed the following:

       

      Issue detail

      The application may be vulnerable to path-relative style sheet import (PRSSI) attacks. The response contains a path-relative style sheet import, and so condition 1 for an exploitable vulnerability is present (see issue background). The response can also be made to render in a browser's quirks mode. The page does not contain a doctype directive, and so it will always be rendered in quirks mode. This means that condition 3 for an exploitable vulnerability is probably present if condition 2 is present.

      Burp was not able to confirm that the other conditions hold, and you should manually investigate this issue to confirm whether they do hold.

       

      with the following two lines (in every single topic's HTML page) highlighted as the issue:

       

      <link rel="stylesheet" href="SourceDocument.css" type="text/css" />

      <link rel="stylesheet" href="../default.css" type="text/css" />

       

      The developer asked if I could see if there is an option to use absolute path links to the CSS files instead of relative paths.  However, everything I've read about Robohelp recently says that doesn't seem to be a possibility.

       

       

       

      So for the last few days I've been searching and trying different settings/options and I'm currently having the developer run another Burp scan to see if it helps at all.  Changes I made that are being tested:

       

      • Manually removed any references to "../default.css" from all HTML topic files - When I checked, the online help doesn't seem to be using any of the styles within the default.css file
      • Manually removed default.css file from webhelp output folder

       

       

      From what I can tell in browsing around the online help after making these changes everything looks good without the default.css file & references.

       

      But I'm concerned the new Burp scan is going to still be upset that the topic HTML pages are referencing the "href=SourceDocument.css" file in the current folder (instead of an absolute path).

       

      So, two questions:

       

      1. First, is there a way to force Robohelp to automatically use absolute paths (or at least when referencing CSS files) that I haven't found yet?
      2. If #1 is not possible, is there a way to have Robohelp not use a default.css file for style mapping at all?  All of the styles that are needed for my project are in the SourceDocument.css which is created when importing the source document and is automatically put in the "Webhelp\SourceDocument\" folder where the topic HTML files exist.  Within Project Settings -> Import tab I am forced to select a "CSS for Style Mapping" and even if I try to select the SourceDocument.css there it will insert two distinct references in each of my HTML topic files linking to ("SourceDocument.css" & "../SourceDocument.css")

       

      I am just learning about relative & absolute paths.  We have several user manuals with the source documents ranging from 50-500 pages which are updated regularly.  So I am trying to avoid manual processes as much as possible.

       

      Any help would be appreciated.

       

       

      James

       

        • 1. Re: A way to not include default.css references in topic pages (or use absolute paths for .css references)?
          Jeff_Coatsworth Adobe Community Professional & MVP

          I don’t believe there’s any way to set an absolute path in your HTML pages because RH doesn’t know where its output is going to end up. I suspect that you’d have to employ a find & replace tool to strip out the vulnerabilities. First, you should alert Adobe about this potential issue (use the Bugbase reporting tool on the RH main page) & second, don’t expect to see any fix for your RH9 – it’s too far out of date for patches from the RH team.
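
The find-and-replace pass suggested in the reply above, scripted over generated topic files, as an added example that is not part of the thread or of RoboHelp's own tooling: it reports the two conditions the Burp finding cites (path-relative stylesheet links, no doctype) and rewrites the links to root-relative paths. The deployment directory `/help/SourceDocument`, the choice of `<!DOCTYPE html>` and the function names are assumptions.

```python
import posixpath
import re

# Matches <link ... rel="stylesheet" ...> tags in the form quoted in the question.
LINK_RE = re.compile(r'<link\b[^>]*\brel=["\']stylesheet["\'][^>]*>', re.I)
HREF_RE = re.compile(r'(\bhref=["\'])([^"\']+)(["\'])', re.I)
DOCTYPE_RE = re.compile(r'^\s*<!doctype\b', re.I)
DOCTYPE = "<!DOCTYPE html>\n"  # assumption: standards mode is acceptable for the topics


def is_path_relative(href):
    """True for hrefs the browser resolves against the page URL's path."""
    return not re.match(r'^(?:[a-z][a-z0-9+.-]*:|/)', href, re.I)


def audit_topic(html):
    """Report the two findings from the scan: relative imports and a missing doctype."""
    hrefs = [HREF_RE.search(tag).group(2) for tag in LINK_RE.findall(html)
             if HREF_RE.search(tag)]
    return {"relative_css": [h for h in hrefs if is_path_relative(h)],
            "has_doctype": bool(DOCTYPE_RE.match(html))}


def harden_topic(html, url_dir, drop=()):
    """Rewrite relative stylesheet links to root-relative ones under url_dir."""
    def fix(match):
        tag = match.group(0)
        href = HREF_RE.search(tag)
        if not href or not is_path_relative(href.group(2)):
            return tag  # already absolute or root-relative: leave untouched
        if posixpath.basename(href.group(2)) in drop:
            return ""  # unused stylesheet: remove the reference entirely
        target = posixpath.normpath(posixpath.join(url_dir, href.group(2)))
        return HREF_RE.sub(lambda m: m.group(1) + target + m.group(3), tag, count=1)

    html = LINK_RE.sub(fix, html)
    return html if DOCTYPE_RE.match(html) else DOCTYPE + html


# Constructed sample topic, using the two link lines quoted in the question.
SAMPLE = ('<html><head>\n'
          '<link rel="stylesheet" href="SourceDocument.css" type="text/css" />\n'
          '<link rel="stylesheet" href="../default.css" type="text/css" />\n'
          '</head><body><p>Topic</p></body></html>\n')

if __name__ == "__main__":
    print(audit_topic(SAMPLE))
    print(harden_topic(SAMPLE, "/help/SourceDocument", drop=("default.css",)))
```

Adding a doctype moves the topics from quirks mode to standards mode, so check the layout of a few generated pages after the first run. Running `audit_topic` over the output folder after each regeneration shows whether any relative link has come back.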

          • 2. Re: A way to not include default.css references in topic pages (or use absolute paths for .css references)?
            Peter Grainge Adobe Community Professional (Moderator)

            To add to Jeff's response, every so often we see posts along the lines of yours where someone has used a security tool and it has reported some vulnerability. What I have never seen is anyone report that they or a client has suffered any successful attack using the vulnerability. That doesn't mean it hasn't happened but it does cast doubt on how real the threat is.

             

            I am having an extension added to my house. The building control inspector has indicated that regs now require a clip to be fitted to the ridge tiles to make them extra secure. My builder has been in the trade for 50 years and has never had one of his ridge tiles blown off when they have just been bedded with mortar.

             

            Theoretical risk or real risk?

             

            I cannot say you should ignore the warning but it might be worth a face to face chat with the developer to ask just how concerned he or she is. Ultimately it is your risk and your call. Hope those thoughts help.

             


            See www.grainge.org for RoboHelp and Authoring tips

             

             

            @petergrainge