- I've been using Robohelp since v5 - we're currently using v9.0.2.
- We create Microsoft Word user manuals for our product, for which I have created Robohelp projects to generate webhelp.
- I use the "link" feature rather than "import" so that it is easier for me to update the webhelp when the word doc is updated.
- We use pagination for heading levels 1-3 so it generates 50-200 HTML topic files per webhelp.
- Everything works fine from a customer point of view.
Earlier this week a developer who was running a Burp security scan on our site sent me a report which showed the following:
The application may be vulnerable to path-relative style sheet import (PRSSI) attacks. The response contains a path-relative style sheet import, and so condition 1 for an exploitable vulnerability is present (see issue background). The response can also be made to render in a browser's quirks mode. The page does not contain a doctype directive, and so it will always be rendered in quirks mode. This means that condition 3 for an exploitable vulnerability is probably present if condition 2 is present.
Burp was not able to confirm that the other conditions hold, and you should manually investigate this issue to confirm whether they do hold.
with the following two lines (in every single topic's HTML page) highlighted as the issue:
<link rel="stylesheet" href="SourceDocument.css" type="text/css" />
<link rel="stylesheet" href="../default.css" type="text/css" />
The developer asked if I could see if there is an option to use absolute path links to the CSS files instead of relative paths. However, everything I've read about Robohelp recently says that doesn't seem to be a possibility.
So for the last few days I've been searching and trying different settings/options and I'm currently having the developer run another Burp scan to see if it helps at all. Changes I made that are being tested:
- Manually removed any references to "../default.css" from all HTML topic files. When I checked, the online help doesn't seem to be using any of the styles within the default.css file.
- Manually removed default.css file from webhelp output folder
From what I can tell in browsing around the online help after making these changes everything looks good without the default.css file & references.
But I'm concerned the new Burp scan is going to still be upset that the topic HTML pages are referencing the "href=SourceDocument.css" file in the current folder (instead of an absolute path).
So, two questions:
- First, is there a way to force Robohelp to automatically use absolute paths (or at least when referencing CSS files) that I haven't found yet?
- If #1 is not possible, is there a way to have Robohelp not use a default.css file for style mapping at all? All of the styles that are needed for my project are in the SourceDocument.css which is created when importing the source document and is automatically put in the "Webhelp\SourceDocument\" folder where the topic HTML files exist. Within Project Settings -> Import tab I am forced to select a "CSS for Style Mapping" and even if I try to select the SourceDocument.css there it will insert two distinct references in each of my HTML topic files linking to ("SourceDocument.css" & "../SourceDocument.css").
I am just learning about relative & absolute paths. We have several user manuals with the source documents ranging from 50-500 pages which are updated regularly. So I am trying to avoid manual processes as much as possible.
Any help would be appreciated.
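
An added example, not part of the original post and not a Robohelp feature: a post-processing script that can be run on the generated WebHelp folder after each build. It rewrites the path-relative stylesheet `href` values that the Burp report highlights into root-relative paths and lists pages that have no doctype. The published URL path `/help/manual` and the local folder name `WebHelp` are assumptions; substitute the real values.

```python
import posixpath
import re
from pathlib import Path

# <link rel="stylesheet" href="..."> with rel before href, as in the two lines quoted above.
LINK_RE = re.compile(r'(<link\b[^>]*\brel="stylesheet"[^>]*\bhref=")([^"]+)(")', re.I)


def absolutize(html, topic_dir, base_path):
    """Rewrite path-relative stylesheet hrefs in one page to root-relative ones.

    topic_dir: the page's folder relative to the WebHelp root, e.g. "SourceDocument".
    base_path: URL path the WebHelp root is published under (assumed, e.g. "/help/manual").
    """
    def fix(match):
        href = match.group(2)
        if href.startswith("/") or "://" in href:
            return match.group(0)  # already absolute, leave untouched
        resolved = posixpath.normpath(posixpath.join(base_path, topic_dir, href))
        return match.group(1) + resolved + match.group(3)
    return LINK_RE.sub(fix, html)


def has_doctype(html):
    """True if a doctype appears near the top (an XML declaration or BOM may precede it)."""
    return "<!doctype" in html[:512].lower()


def process_tree(root, base_path):
    """Fix every .htm/.html file under root in place; return pages that lack a doctype."""
    root = Path(root)
    missing = []
    for page in sorted(root.rglob("*.htm*")):
        if not page.is_file():
            continue
        # latin-1 maps bytes 1:1, so the file round-trips unchanged apart from the hrefs.
        text = page.read_bytes().decode("latin-1")
        rel_dir = page.parent.relative_to(root).as_posix()
        fixed = absolutize(text, rel_dir, base_path)
        if fixed != text:
            page.write_bytes(fixed.encode("latin-1"))
        if not has_doctype(fixed):
            missing.append(page.relative_to(root).as_posix())
    return missing


if __name__ == "__main__":
    # Both arguments are placeholders: local output folder and the published URL path.
    for name in process_tree("WebHelp", "/help/manual"):
        print("no doctype:", name)
```

Root-relative paths only resolve correctly while the help stays published under the same URL path, so the script has to be rerun with the new `base_path` if the help is moved.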