Help & Manual 4.5 released

[Tim Green]

Help & Manual 4.5 is now available for download from the EC Software website. It is free for all registered users and recommended for everyone. It introduces a couple of new features and some fixes, including an important fix for a cross-browser scripting vulnerability issue in Browser-based Help.

Impict adds XML export & import for image translation

Impict 2.40, which is included in the latest update of Help & Manual, now supports XML export of text objects and callouts in images. When saving an image in Impict in the native IPP format, Impict optionally exports an additional XML file that contains the text objects only. The XML file can be translated externally and then imported again to update the text in objects. The files use the standard H&M XML schema, so they can be edited with a translation program like Trados or Across as well as regular XML editors or normal text editors.

Cross-browser scripting vulnerability in Browser-based Help

The current version of Browser-based Help has a Javascript vulnerability that allows an attacker to inject and execute external Javascript code. If you create Browser-based help, we strongly recommend that you install this update. The vulnerability is in the frame script and is automatically replaced with a safe version of the script, if you use standard templates. If you have manually edited the frame template for browser-based help, please reset the template to update the script changes.

Creating topics with Drag & Drop

This is a new convenience function: Currently it is possible to drag selected text from the topic editor to the table of contents (TOC), to create a link. This function has now been extended - if you drop the text between two TOC entries, H&M now creates a new topic and inserts a link to the new topic at the current position in one operation.

Inserting special characters

The insert command for symbols and special characters on the Tools menu now has its own menu with some additional options to make insertion of frequently-used characters easier: You can now insert hyphens, soft line breaks and soft hyphens directly. Soft line breaks are breaks that do not begin a new paragraph, hence space before and after a paragraph is not applied. Soft hyphens are invisible hyphens designed to mark a possible word break.

Miscellaneous fixes and enhancements

HTML: Several small enhancements for HTML export for both HTML Help and Browser-based Help.

XML Import: Two small bug fixes for raised table borders and bulleted lists. Importing button links without captions has also been improved.
Insert Hyperlink dialog box: This dialog box now has a better text recognition to preselect the target topic more accurately.

PDF Export: Improved printing for topics with multiple references in the table of contents – the multiple references are now printed as separate chapter entries in the TOC.

[Dean Whitlock]

Hi Tim,
Regarding the javascript vulnerability
I've edited my main template to use a non-scrolling header (as described in the DHTML example). I've also made the fix for the IE horizontal scrolling bug. If I reset my template, I'm going to have to redo all of this. Is there an easier way?

Thanks,
Dean

[Tim Green]

Dean,

The vulnerability was not in the Topic Pages template but in the frameset layout template (Project Properties > Browser-based Help > Layout), so unless you edited that you are OK.

[Laura Look]

Is there anywhere where we can find a list of the bug fixes included in 4.5? The list at http://www.ec-software.com/products_hm_v45.html is rather sparse, and I can't find a more complete list.

Thanks,

[Alexander Halser]

Laura,

The bug fixes were indeed sparse. Except for the cross-scripting vulnerability, there were really only tiny fixes:

* Copy & paste of TOC entries into a topic as links: In some cases, a chapter without text became a link, too.

* XML Import: button links without caption became a button with a blank caption, making it slightly larger. Tables with sunken cell borders were imported incorrectly, the cell border became raised.

* HTML Export: the (R) symbol was exported incorrectly and single spaces with a colored text background were wrong. Furthermore, we fixed
this problem.

* HTML Help: text popups in Asian and East-European help files did not include a dedicated charset and were displayed with the wrong font for that reason. That was easy to change manually, now it's automated.

* Table selection in the editor: if multiple cells were selected from bottom to top, font changes across cells did not work.

[Alexander Halser]

Dean,

You need to change only one detail in the frame template (if you edited the frame template manually).

Change the following line in the frame template:

Code: Select all

if (top.location.href.lastIndexOf("?") > 0) 
  defaulttopic=top.location.href.substring(top.location.href.lastIndexOf("?")+1,top.location.href.length);

To this line:

Code: Select all

if (top.location.href.lastIndexOf("?") > 0) 
  defaulttopic=top.location.href.substring(top.location.href.lastIndexOf("?")+1,top.location.href.length).replace(/:/g,"");

The vulnerability lied in the fact that the part after the question mark was interpreted literally, making it possible to insert and execute arbitrary Javascript code in the users's browser. The vulnerability was not really dangerous, since a Javascript can only execute code on the client, not on the server. It was unlikely that an attacker would take the effort to use your website to execute his own code on a client machine - he could much more easily do that with a Javascript on his own web page. Only if your website is a trusted website (e.g. with a https:// protocol), it could be used to elevate the rights for external Javascripts that would not be a trusted source otherwise. It was a nuisance though. The script now parses the page url and filters invalid characters.

[Laura Look]

Furthermore, we fixed this problem.

Fantastic. That's exactly what I needed to know.

Thanks,

[Michele Hugo]

When installing 4.3, it was recommended that Help & Manual be uninstalled and then installed again. Is that still being recommended?

What do you recommend for installation of this upgrade?

Thanks

[Tim Green]

Hi Michele,

This was only necessary in 4.3 because the directory structure for the Templates and Samples folders had been changed -- actually, it was also possible to update 4.3 without any errors, you would just have got some duplicate files in the old folders.

Now this is definitely not necessary at all. Just install on top of your existing version, everything is automatic.

[Michele Hugo]

I needed to be on the safe side before you replied so I went the route of uninstalling 4.2 and the instructions for 4.3 and that worked too.

Thanks for your reply.