Vulnerability in the Webhelp Index - Upgraded to 6.5.1

Post by Craig Clarke

Hi All,

We are about to upgrade from Version 6.2.3 to 6.5.1. It has taken a while to get agreements for this.

We have customised skins and wonder how we go about upgrading skins to fix the vulnerability in the Webhelp index page script?
The fix is for default/standard templates so I assume it will not make it through to our customised skins?

Any guidance/help appreciated.

Kind Regards
Craig

Re: Vulnerability in the Webhelp Index - Upgraded to 6.5.1

Post by Tim Green

Hi Craig,

There are two issues here you need to fix if your customized skin is based on an older skin: Fixing the XSS vulnerability and making the adjustments to adjust for the changes in the Google algorithm that prevents your site from being indexed if the automatic reload for topics accessed with topic.htm instead of index.html?topic.htm is turned on. For the vulnerability fix I would ask you to mail me a copy of your skin at support AT ec-software.com (replace the AT with @) and I will help you out, because I prefer not to post that in the clear on the forum. 8)

Before you do that, if you are using your own skins based on an older version you need to turn off the automatic redirects and add an automatic link for users so that they can open the TOC manually if they get a topic page on its own.

1) Turn off the automatic redirects

Open your project (if you are not using a skin) or the .hmskin skin file (if you are using a skin) in Help & Manual. Then in the Project Explorer on the left go to Configuration > Publishing Options > WebHelp > Navigation. Locate the option "When a topic is loaded outside the navigation frame, force it to reload the navigation frame" and turn it OFF.

2) Add the link to be displayed for topics both with and without headers:

For the version for topics with headers add this above the breadcrumbs navigation code (note that the "sync-toc" and "crumbs" class references are important):

Code:

<IF_HTML><p class="sync-toc"><< <a rel="nofollow" href="<%HREF_TOP_PAGE%>?<%HREF_CURRENT_PAGE%>" target="_top">Click to Display Table of Contents</a> >></p>
 <p class="crumbs" id="idnav"><b>Navigation:</b>&nbsp; 
..... rest of code here</IF_HTML>

For the version for topics without headers add this directly above the opening <IF_TOPIC_HEADER> condition:

Code:

<IFNOT_TOPIC_HEADER><IF_HTML><p class="sync-toc" style="color:#ff0000; margin-top: 5px; margin-left: 5px;"><< <a rel="nofollow" href="<%HREF_TOP_PAGE%>?<%HREF_CURRENT_PAGE%>" style="color:#ff0000;" target="_top">Click to Display Table of Contents</a> >></p></IF_HTML></IFNOT_TOPIC_HEADER>

3) Add the CSS for the new link to the <style> block in the <head> section of the page.
The only really important attribute here is "display:none" so that the link is NOT normally displayed. Everything else can be formatted as you like:

Code:

.sync-toc { color: #ffffff; font-size: 8pt; font-weight: bold; display: none; }
.sync-toc a { color: #ffffff; text-decoration: none; font-weight: bold;}
.sync-toc a:visited { color: #ffffff; }
.sync-toc a:hover { text-decoration: underline; }

4) Add a script snippet that displays the link and hides the breadcrumbs in a position where it will be executed AFTER the page has loaded.
For example in a <script> section down just before the closing </body> tag, or in a jQuery $(document).ready() function block:

Code:

<IF_HTML>if ((!parent.hmNavigationFrame) && (parent.location) && (parent.location.href)) { $('.sync-toc').show();$('p.crumbs').hide();}</IF_HTML>

That is basically it. If you have problems with implementing this in your skin just let me know when you mail me the skin for the vulnerability fix.

Regards,
Tim (EC Software Documentation & User Support)

Private support:
Please do not email or PM me with private support requests -- post to the forum directly.
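
The link added in step 2 of the post above passes the topic file name to the index page in the query string (index.html?topic.htm). As an added example, not code from Help & Manual or EC Software and not the vulnerability fix mentioned in the thread, this JavaScript shows one way a page that receives such a query string can restrict it to a local topic file name before using it. The function name, the default topic name and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not part of any Help & Manual skin.
// It treats everything after "?" as untrusted and returns either a plain
// local topic file name (optionally with an #anchor) or a fixed default.

const DEFAULT_TOPIC = "index_start.htm"; // assumption: placeholder name

// One file name only: letters, digits, "_", "-" and single dots, ending in
// .htm or .html. No ":", "/", "\", "%", quotes, angle brackets or spaces,
// so schemes, absolute URLs, path traversal and markup cannot pass.
const TOPIC_RE = /^([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.html?)(#[A-Za-z0-9_.-]*)?$/;

function safeTopicFromQuery(search, defaultTopic = DEFAULT_TOPIC) {
  if (typeof search !== "string") return defaultTopic;
  let raw = search.startsWith("?") ? search.slice(1) : search;
  if (raw === "") return defaultTopic;
  try {
    raw = decodeURIComponent(raw); // decode once; a leftover "%" is rejected
  } catch (e) {
    return defaultTopic; // malformed percent-encoding
  }
  const m = TOPIC_RE.exec(raw);
  return m ? m[1] + (m[2] || "") : defaultTopic;
}

// Constructed sample inputs (not taken from the thread).
const samples = [
  "?topic.htm",
  "?intro_page.html#section-2",
  "?javascript:alert(1)",
  "?//example.com/topic.htm",
  "?../private/topic.htm",
  "?topic.htm%22%3E%3Cb%3E",
  "?%E0%A4%A",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeTopicFromQuery(s));
}

// In the browser the result would be used like this (frame lookup omitted):
//   contentFrame.src = safeTopicFromQuery(window.location.search);
```

The check fails closed: anything that is not a bare .htm or .html file name, including upper-case extensions and extra query parameters, falls back to the default topic.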

Re: Vulnerability in the Webhelp Index - Upgraded to 6.5.1

Post by Craig Clarke

Hi Tim,

Thanks for your kind offer of help.
I'll send you a copy of our skin. I think that we don't need to fix the other issues. Our site is not indexed by Google (help is hosted on a secure server) and we do not provide access to the project without using the index.html? method.

I'll drop you an email.

thanks again :-)
Craig