Users can enter HTML in Blackboard Learn in a variety of ways. For example, users can enter HTML using the content editor in blogs and discussion boards, and through HTML file uploads. In the past, this introduced a security threat because users could enter potentially dangerous tags, such as script tags. Such tags could be used to execute malicious script in Blackboard Learn, exposing other users to attacks. This is referred to as cross-site scripting (XSS): script supplied by one user runs in, and can take control of, other users' browsers.

Safe HTML filters provide you with more control over the type of HTML students can enter, making user-supplied HTML safer to use in Blackboard Learn. The feature replaces an earlier HTML sanitizer with the Open Web Application Security Project's (OWASP) open-source AntiSamy library. The new API ensures that user-supplied HTML complies with an application's rules: tags and attributes not allowed by the active policy are removed before the content is stored or displayed.

Blackboard Learn provides administrators with a default-policy.xml file containing Safe HTML rules. Administrators can define the HTML tags and attributes in the default-policy.xml file that are allowable on their Blackboard Learn instance, based on their organization's risk tolerance level.

If you’ve customized your default-policy.xml file and Blackboard makes changes to the default version of the file, the previous Blackboard default file is renamed to indicate that it’s an old version. The new default-policy.xml file by Blackboard is added to your policies and is set to be your active policy. You’ll be informed of the file update via email. Your own customized policy is unchanged.

Safe HTML is only applicable to users who don't have the Add/Modify Trusted Content privilege, also called the Add/Edit Trusted Content With Scripts privilege. Users with this privilege can enter unrestricted/trusted HTML, meaning they aren't bound to the Safe HTML rules. By default, Blackboard Learn gives this privilege to Administrators, Course Builders, Graders, Instructors, and Teaching Assistants. All other roles don't have this privilege by default, but it can be added on an as-needed basis.

On the Administrator Panel, select Safe HTML Filters in the Security menu.

Blackboard Learn SaaS environments can't be configured to filter custom file types through HTML filters.


Customize a policy

Administrators can customize the list of allowable HTML tags and attributes in the default-policy.xml file based on the needs of their organizations. However, this should be a rare event. Administrators only need to customize the policy if they have a specific use case that the policy doesn't support.

  1. On the Administrator Panel, select Safe HTML Filters in the Security menu.
  2. Select Safe HTML Filter for Content Editor to access the policy list.
  3. Access the menu for the default-policy.xml and select Download. Save the file on your computer.
  4. Make any changes to the Safe HTML rules to meet the needs of your organization.
  5. When you've finished editing, save the file under a new name.
  6. Return to the Safe HTML Filter for Content Editor page to access the policy list.
  7. Select Upload to access the Upload Safe HTML Policy page and browse for your new file.
  8. Optionally, type a comment.
  9. Select Submit to upload the new file.
  10. The new file appears in the list of policy files. From the file's menu, select Activate to make this the active policy file in your Blackboard Learn environment.

Test a policy

Administrators can test policies to make sure they are functioning properly and yielding the results they want.

  1. On the Administrator Panel, select Safe HTML Filters in the Security menu.
  2. Select Safe HTML Filter for Content Editor.
  3. From the policy file's menu, select Test Policy.
  4. In the Enter code (HTML, JS) to Test field, enter any HTML code that you want to test.
  5. Select Test.

The system provides test results, based on the HTML code entered, such as these:

  • A new Sanitized Output field appears showing you the system-sanitized output for the HTML you entered.
  • If the script tag you entered isn't allowed by the policy, a message appears telling you the script isn't allowed for security reasons.
  • A tag may contain an attribute that can't be processed. In this case, a message appears with the tag that contains an attribute that can't be processed and has been filtered out.
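To reproduce those three outcomes without a Learn instance, here is an added Python model (not Blackboard's or AntiSamy's code) of a few rows from the policy tables on this page: a script element is dropped with its contents, an attribute outside a tag's allow-list is filtered out, the iframe src must start with the YouTube prefixes listed under Embedded media, and a target may only be _blank. The scheme check on href and src values, and the choice to drop a failing attribute rather than the whole tag, are simplifications assumed here, not the product's behaviour.

```python
from html import escape
from html.parser import HTMLParser
ANY = lambda v: True                                   # attribute value unrestricted
URL = lambda v: v.lower().startswith(("http://", "https://", "/"))  # assumed scheme rule
YOUTUBE = ("http://www.youtube.com", "https://www.youtube.com",
           "http://www.youtube-nocookie.com/", "https://www.youtube-nocookie.com/")
COMMON = {a: ANY for a in ("id", "class", "lang", "dir", "title", "style")}
POLICY = {  # a subset of the default-policy.xml tables on this page
    "p": {**COMMON, "align": ANY}, "b": COMMON, "em": COMMON, "br": {**COMMON, "clear": ANY},
    "img": {**COMMON, "src": URL, "alt": ANY, "width": ANY, "height": ANY},
    "a": {**COMMON, "href": URL, "name": ANY, "rel": ANY, "target": lambda v: v == "_blank"},
    "iframe": {**COMMON, "src": lambda v: v.startswith(YOUTUBE), "width": ANY, "height": ANY},
}
DROP_WITH_BODY = {"script", "style"}  # element and its contents are removed (script per the page)

class SafeHTML(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.messages, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:
            self._skip += 1
            self.messages.append(f"<{tag}> is not allowed for security reasons")
        if self._skip or tag not in POLICY:
            return  # a tag outside the allow-list is dropped; its text content survives
        kept = []
        for name, value in attrs:
            check = POLICY[tag].get(name)
            if check is None or not check(value or ""):
                self.messages.append(f"<{tag}> attribute '{name}' can't be processed and was filtered out")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in POLICY and tag not in ("br", "img"):  # void elements
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    # Returns (sanitized_html, messages), mirroring what the Test Policy page reports.
    parser = SafeHTML()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.messages
```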

HTML body tags and attributes

The default-policy.xml file allows these body tags and attributes.

Grouping elements

Tag          Attributes
div          id, class, lang, dir, title, style, align
span         id, class, dir, title, style, align, xml:lang

Headings

Tag          Attributes
h1           id, class, lang, dir, title, style, align
h2           id, class, lang, dir, title, style, align
h3           id, class, lang, dir, title, style, align
h4           id, class, lang, dir, title, style, align
h5           id, class, lang, dir, title, style, align
h6           id, class, lang, dir, title, style, align

Address

Tag          Attributes
address      id, class, lang, dir, title, style

Font Style and HR Tags and Attributes

The default-policy.xml file ships with these font style and HR tags and attributes.

Font style

Tag          Attributes
tt           id, class, lang, dir, title, style
i            id, class, lang, dir, title, style
b            id, class, lang, dir, title, style
big          id, class, lang, dir, title, style
small        id, class, lang, dir, title, style

HR

Tag          Attributes
hr           id, class, lang, dir, title, style

List tags and attributes

The default-policy.xml file ships with these list tags and attributes.

Unordered lists, ordered lists, and list items

Tag          Attributes
ul           id, class, lang, dir, title, style
li           id, class, lang, dir, title, style
ol           id, class, lang, dir, title, style

Definition lists

Tag          Attributes
dl           id, class, lang, dir, title, style
dt           id, class, lang, dir, title, style
dd           id, class, lang, dir, title, style
dir          id, class, dir, title, style, compact
menu         id, class, lang, dir, title, style, compact

Link tags and attributes

The default-policy.xml file ships with these link tags and attributes.

Links

Tag          Attributes
a            class, dir, id, lang, name, rel, rev, style, target=_blank, title, xml:lang, accesskey, tabindex, charset, coords, href, hreflang, shape
link         See http://www.w3schools.com/tags/tag_link.asp.

Text tags and attributes

The default-policy.xml file ships with these text tags and attributes.

Phrase elements

Tag          Attributes
em           id, class, lang, dir, title, style
strong       id, class, lang, dir, title, style
cite         id, class, lang, dir, title, style
dfn          id, class, lang, dir, title, style
code         id, class, lang, dir, title, style
samp         id, class, lang, dir, title, style
kbd          id, class, lang, dir, title, style
var          id, class, lang, dir, title, style
abbr         id, class, lang, dir, title, style
acronym      id, class, lang, dir, title, style

Quotations

Tag          Attributes
blockquote   id, class, lang, dir, title, style
q            id, class, lang, dir, title, style

Subscripts and superscripts

Tag          Attributes
sub          id, class, lang, dir, title, style
sup          id, class, lang, dir, title, style

Lines and paragraphs

Tag          Attributes
p            id, class, lang, dir, title, style, align
br           id, class, title, style, clear
pre          id, class, lang, dir, title, style

Marking document changes

Tag          Attributes
ins          id, class, lang, dir, title, style
del          id, class, lang, dir, title, style

Table tags and attributes

The default-policy.xml file ships with these table tags and attributes.

Table

Tag          Attributes
table        id, border, cellpadding, cellspacing, align, class, frame, summary, lang, dir, style, bgcolor, width, rules

Table captions

Tag          Attributes
caption      id, lang, dir, title, style

Row groups

Tag          Attributes
thead        cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tfoot        cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tbody        id, class, lang, dir, title, style, align, char, charoff, valign
pre          id, class, lang, dir, title, style

Column groups

Tag          Attributes
colgroup     span, width, id, class, lang, dir, title, style, align, char, charoff, valign
col          span, width, id, class, lang, dir, title, style, align, char, charoff, valign

Table rows

Tag          Attributes
tr           id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign

Table cells

Tag          Attributes
th           abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign
td           abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign

Embedded media and Mashup tags and attributes

The default-policy.xml file ships with these embedded media and mashup tags and attributes.

Partners

Tag          Attributes
script       type, charset, src
iframe       src=starts with SafeHTML Restricted Youtube Sources or building blocks, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling

Images

Tag          Attributes
img          src, alt, longdesc, name, id, class, lang, dir, title, style, align, width, height, border, hspace, vspace

YouTube

Tag          Attributes
object       classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param        name=movie, value=starts with SafeHTML Restricted Youtube Sources, name=allowscriptaccess, value=true, name=allowfullscreen, value=true|false
embed        src=starts with SafeHTML Restricted Youtube Sources, allowScriptAccess=never, allowNetworking=internal, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, wmode, base, name, align, hspace, vspace, bgcolor, sound, progress, swstretchstyle, swstretchalign, swstretchvalign
iframe       src=starts with http(s)://www.youtube.com or http(s)://www.youtube-nocookie.com/, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling

Slideshare

Tag          Attributes
object       classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param        name=movie, value=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, name=allowscriptaccess, value=never, name=allowfullscreen, value=true|false, name=wmode, value=transparent
embed        src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, allowScriptAccess=never, allowNetworking=never, wmode=transparent, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, base, name, align, hspace, vspace, bgcolor, sound, progress, autostart=false, swstretchstyle, swstretchalign, swstretchvalign
iframe       src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, height, width, frameborder, marginwidth, marginheight, scrolling

Other media types including Flash

Tag          Attributes
object       codebase, name, align, hspace, vspace, bgcolor, classid
param        name=allowScriptAccess, value=never, name=allowNetworking, value=none, name=autostart, value=false
             Comment: may contain other parameters, but these must always be present for sources other than YouTube and Slideshare.
embed        allowScriptAccess=never, allowNetworking=none, autostart=false, allowFullScreen=false, type=... see comment, wmode=window/transparent/opaque, id, class, dir, flashvars, height, lang, name, src, style, title, width, xml:lang
             Comments: see the notes below this table.
iframe       src=restricted list, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling

Notes on the embed tag:

  • allowScriptAccess=never must always be present for Flash.
  • allowNetworking=none must always be present for Flash.
  • allowFullScreen=false must always be present for Flash.
  • "type" is not currently restricted to our supported media types, but the default policy will eventually be limited to:
      • video/quicktime
      • application/x-shockwave-flash
      • application/x-director
      • application/x-mplayer2