Security API for Building Block Developers

Blackboard has integrated with a best practices open source security library from the Open Web Application Project's (OWASP) Enterprise Security API (ESAPI). This security library ships by default installed on Blackboard Learn through a Building Block called "ESAPI Security Module" and is required for system operation. Blackboard strongly recommends all Building Block developers leverage this new Security API based on OWASP ESAPI for Java and ESAPI for JavaScript. These Security API changes not only include best practice implementations, but also increase the ease of using the methods through consistent nomenclature.

In later releases, the ESAPI Security Module Building Block API is part of Blackboard Learn’s core code and is available by default.

As part of secure coding practices, input that may be influenced by users, whether trusted or not, should be validated on the server-side before processing (input validation) as well as prior to display (output validation or escaping). This helps ensure system resiliency and prevents security issues such as cross-site scripting.

Input validation

When receiving input from the request, always validate and always validate server-side. Blackboard has implemented several popular use cases requiring validation. A few examples are provided below.

• blackboard.platform.security.ValidationUtility.isValidDirectoryPath( String )
• blackboard.platform.security.ValidationUtility.isValidGuid( String )
• blackboard.platform.security.ValidationUtility.isValidEnumeratedType( Enum, String )

Output validation/encoding/escaping

When displaying any input, always ensure it is displayed in the correct context that it will be embedded in:

Java methods

• blackboard.platform.security.EscapeUtility.escapeForHTML ( String )
• blackboard.platform.security.EscapeUtility.escapeForHTMLAttribute ( String )
• blackboard.platform.security.EscapeUtility.escapeForJavascript ( String )
• blackboard.platform.security.EscapeUtility.escapeForUrl ( String )
• blackboard.platform.security.EscapeUtility.escapeForCSS ( String )
• blackboard.platform.security.EscapeUtility.escapeForXML ( String )
• blackboard.platform.security.EscapeUtility.escapeForXMLAttribute ( String )

JSP methods

• ${bbNG:EscapeForHTML( String )}
• ${bbNG:EscapeForJavascript( String )}
• ${bbNG:EscapeForURL( String )}
• ${bbNG:EscapeForCSS( String )}
• ${bbNG:EscapeForXML( String )}
• ${bbNG:EscapeForXMLAttribute( String )}

JavaScript methods

All ESAPI for JavaScript methods are available for use. A list of more commonly used methods:

• $ESAPI.encoder().canonicalize( String )
• $ESAPI.encoder().encodeForHTML( String )
• $ESAPI.encoder().encodeForHTMLAttribute( String )
• $ESAPI.encoder().encodeForCSS( String )
• $ESAPI.encoder().encodeForJavaScript( String )
• $ESAPI.encoder().encodeForURL( String )