Appscan security vulnerabilities in responsive

Posted: Fri Sep 21, 2018 4:42 pm
by jasone
Hi,
We added responsive Web Help to a couple of products last year. Now there is a new requirement to run products through a security scan before shipping, using a tool called Appscan. Appscan finds many security vulnerabilities with the responsive web help. According to our developer, one issue is that an attacker can use ‘document.write’ to inject script code, OR use ‘http.open(uri)’ to update/delete our database.

Any suggestions on how to resolve this? Otherwise we probably cannot use responsive, which is a shame since otherwise it's great.

Thanks,
Jason
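
The two finding classes named in the post above are the usual DOM sinks a scanner flags in client-side help code: an untrusted value (for example a search term taken from the page URL) flowing into `document.write`, and an untrusted URI flowing into `XMLHttpRequest.open`. The block below is an added illustration, not code from the thread or from Oxygen's WebHelp Responsive output; the function names (`renderHitCountUnsafe`, `renderHitCountSafe`, `isAllowedHelpUri`, `showHits`) and the sample inputs are constructed for this example. It places the pattern a scanner reports next to the hardened form, so a reviewer can recognise both in a report.

```javascript
// Added example (not from the original thread or from Oxygen's WebHelp code).
// It models the two sink classes the post names: untrusted text reaching
// document.write (DOM XSS) and an untrusted URI reaching XMLHttpRequest.open.
// Function names and sample values below are assumptions made for this example.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (what a scanner flags): the search term from the URL is
// concatenated straight into markup that is later passed to document.write,
// so a term containing a tag is parsed as HTML.
function renderHitCountUnsafe(term, hits) {
  return '<p>' + hits + ' results for <b>' + term + '</b></p>';
}

// Hardened form: the term is escaped before it is placed in markup, so the
// same term is displayed literally; the count is coerced to a number.
function renderHitCountSafe(term, hits) {
  return '<p>' + Number(hits) + ' results for <b>' + escapeHtml(term) + '</b></p>';
}

// Preferred fix in a browser: never hand the string to the HTML parser at all.
// Build the element and assign textContent. Guarded so the file also runs
// under Node, where there is no document.
function showHits(term, hits) {
  if (typeof document === 'undefined') return renderHitCountSafe(term, hits);
  const p = document.createElement('p');
  p.textContent = Number(hits) + ' results for ' + term;
  document.body.appendChild(p);
  return p.outerHTML;
}

// For the request sink: only same-origin, relative help resources may be
// opened. Any scheme (http:, javascript:, data:), protocol-relative URLs and
// path traversal are rejected before the value ever reaches xhr.open().
function isAllowedHelpUri(uri) {
  if (typeof uri !== 'string') return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(uri)) return false;        // absolute URL with a scheme
  if (uri.startsWith('//') || uri.startsWith('\\')) return false; // protocol-relative / UNC
  if (uri.split(/[\\/]/).includes('..')) return false;         // directory traversal
  // Allowlist: word-character path segments ending in a known help file type.
  return /^(?:[\w-]+\/)*[\w-]+\.(?:html|json|xml)$/.test(uri);
}

// Browser-side caller (assumed): fetch a help topic only if the URI passes.
function loadHelpTopic(uri, xhrFactory) {
  if (!isAllowedHelpUri(uri)) return false;
  const xhr = xhrFactory();
  xhr.open('GET', uri);
  xhr.send();
  return true;
}
```

The same escaping is needed wherever a string is assembled into HTML (`innerHTML`, `insertAdjacentHTML`, `document.write`); where the value is plain text, `textContent` removes the sink entirely. The allowlist for `open()` is deliberately narrower than "reject known-bad schemes", since a denylist would miss new schemes and encodings.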

Re: Appscan security vulnerabilities in responsive

Posted: Mon Sep 24, 2018 10:03 pm
by mdslup
I'd like to see an answer to this as well.

Re: Appscan security vulnerabilities in responsive

Posted: Tue Sep 25, 2018 12:43 pm
by bogdan_cercelaru
Hello,

We ensure that we do our best to meet the most demanding security standards and we are continuously improving our products.
I cannot identify such a vulnerability in our WebHelp Responsive output published using the latest version of Oxygen XML Editor (v20.1). To investigate this further we need more information and the complete AppScan report in order to analyze the specific files/code.
It would be much appreciated if you could provide us with the following information via our technical support email:
  • what version of Oxygen XML Editor are you using to generate WebHelp Responsive
  • what kind of customizations are you using (if you are not using one of the built-in transformation scenarios)
  • please also point out which files are reported as being vulnerable in the AppScan report
Regards,
Bogdan