Users can enter HTML in Blackboard Learn in a variety of ways. For example, users can enter HTML using the content editor in blogs and discussion boards, and through HTML file uploads. In the past, a security threat was introduced because users could enter potentially dangerous tags, such as script tags. Such tags could be used to execute malicious script in Blackboard Learn, exposing other users to attacks. This is referred to as cross scripting, which allows a user to have control over other user browsers.
To make user-supplied HTML safer to use in Blackboard Learn and provide administrators with more control over the type of HTML students can enter, the Safe HTML Building Block replaces the previous HTML sanitizer with the open-source security library from the Open Web Application Security Project's AntiSamy API. The new API ensures that user-supplied HTML is in compliance within an application's rules.
Blackboard Learn provides administrators with a default-policy.xml file containing Safe HTML rules. Administrators can define the HTML tags and attributes in the default-policy.xml file that are allowable on their Blackboard Learn instance, based on their organization's risk tolerance level.
Safe HTML is only applicable to users who don't have the Add/Modify Trusted Content privilege-also called the Add/Edit Trusted Content With Scripts privilege, depending on the version of Blackboard Learn you're running. Users with this privilege can enter unrestricted/trusted HTML, meaning they aren't bound to the Safe HTML rules. By default, Blackboard Learn gives this privilege to Administrators, Course Builders, Graders, Instructors, and Teaching Assistants. All other roles don't have this privilege by default, but it can be added on an as-needed basis.
Install Safe HTML
To download and install this building block, go to the Extensions Catalog and type "Safe HTML" in the Name Search box.
Prior to SP 11, Safe HTML is disabled by default. You must enable the building block to make it available in Blackboard Learn.
Safe HTML is installed and enabled by default for Blackboard Learn Release 9.1 Service Pack 11 and later.
Access Safe HTML
After you have installed the Safe HTML Building Block, you can access it from the Admin Panel. From the Building Blocks section, select Installed Tools. Locate Safe HTML Filters from the list of installed building blocks. Set the building block to Active.
Customize a policy
System administrators can customize the list of allowable HTML tags and attributes in the default-policy.xml file based on the needs of their organizations. However, this should be a rare event. System administrators only need to customize the policy if they have a specific use case that the policy doesn't support.
When your Blackboard Learn instance is upgraded, any custom policy files are preserved. However, if the building block is deleted, the custom policy files are also deleted.
- In the Admin Panel in the Security section, select Safe HTML Filters to access the Safe HTML Filters page.
- Select Safe HTML Filter for Content Editor to access the policy list.
- Access the menu for the default-policy.xml and select Download. Save the file on your computer.
- Make any changes to the SafeHTML rule to meet the needs of your organization.
- When you've edited the file, type a new name.
- Return to the Safe HTML Filter for Content Editor page to access the policy list.
- Select Upload to access the Upload Safe HTML Policy page and browse for your new file.
- Optionally, type a comment.
- Select Submit to upload the new file.
- The new file appears in the list of policy files. From the file's menu, select Activate to make this the active policy file in your Blackboard Learn instance.
Test a policy
System administrators can test policies to make sure they are functioning properly and yielding the results they want.
- In the Admin Panel in the Security section, select Safe HTML Filters.
- Select Safe HTML Filter for Content Editor.
- From the policy file's menu, select Test Policy .
- In the Enter code (HTML, JS) to Test field, enter any HTML code that you want to test.
- Select Test.
The system provides test results, based on the HTML code entered, such as these:
- A new Sanitized Output field appears showing you the system-sanitized output for the HTML you entered.
- If the script tag you entered isn't allowed by the policy, a message appears telling you the script isn't allowed for security reasons.
- A tag may contain an attribute that can't be processed. In this case, a message appears with the tag that contains an attribute that can't be processed and has been filtered out.
HTML body tags and attributes
The default-policy.xml file the Safe HTML Building Block ships with allows these body tags and attributes.
Grouping elements
| Tag | Attributes |
|---|---|
| div | id, class, lang, dir, title, style, align |
| span | id, class, dir, title, style, align, xml:lang |
Headings
| Tag | Attributes |
|---|---|
| h1 | id, class, lang, dir, title, style, align |
| h2 | id, class, lang, dir, title, style, align |
| h3 | id, class, lang, dir, title, style, align |
| h4 | id, class, lang, dir, title, style, align |
| h5 | id, class, lang, dir, title, style, align |
| h6 | id, class, lang, dir, title, style, align |
Address
| Tag | Attributes |
|---|---|
| address | id, class, lang, dir, title, style |
Font Style and HR Tags and Attributes
The default-policy.xml file ships with these Font Style and HR tags and attributes.
Font style
| Tag | Attributes |
|---|---|
| tt | id, class, lang, dir, title, style |
| i | id, class, lang, dir, title, style |
| b | id, class, lang, dir, title, style |
| big | id, class, lang, dir, title, style |
| small | id, class, lang, dir, title, style |
HR
| Tag | Attributes |
|---|---|
| hr | id, class, lang, dir, title, style |
List tags and attributes
The default-policy.xml file ships with these List tags and attributes.
Unordered lists, ordered lists, and list items
| Tag | Attributes |
|---|---|
| ul | id, class, lang, dir, title, style |
| li | id, class, lang, dir, title, style |
| ol | id, class, lang, dir, title, style |
Definition lists
| Tag | Attributes |
|---|---|
| dl | id, class, lang, dir, title, style |
| dt | id, class, lang, dir, title, style |
| dd | id, class, lang, dir, title, style |
| dir | id, class, dir, title, style, compact |
| menu | id, class, lang, dir, title, style, compact |
Link tags and attributes
The default-policy.xml file ships with these Link tags and attributes.
Links
| Tag | Attributes |
|---|---|
| a | class, dir, id, lang, name, rel, rev, style, target = _blank, title, xml:lang, accesskey, tabindex, charset, coords, href, hreflang, name, shape |
| link | See http://www.w3schools.com/tags/tag_link.asp. |
Text tags and attributes
The default-policy.xml file ships with these Text tags and attributes.
Phrase elements
| Tag | Attributes |
|---|---|
| em | id, class, lang, dir, title, style |
| strong | id, class, lang, dir, title, style |
| cite | id, class, lang, dir, title, style |
| dfn | id, class, lang, dir, title, style |
| code | id, class, lang, dir, title, style |
| samp | id, class, lang, dir, title, style |
| kbd | id, class, lang, dir, title, style |
| var | id, class, lang, dir, title, style |
| abbr | id, class, lang, dir, title, style |
| acronym | id, class, lang, dir, title, style |
Quotations
| Tag | Attributes |
|---|---|
| blockquote | id, class, lang, dir, title, style |
| q | id, class, lang, dir, title, style |
Subscripts and superscripts
| Tag | Attributes |
|---|---|
| sub | id, class, lang, dir, title, style |
| sup | id, class, lang, dir, title, style |
Lines and paragraphs
| Tag | Attributes |
|---|---|
| p | id, class, lang, dir, title, stye, align |
| br | id, class, title, style, clear |
| pre | id, class, lang, dir, title, style |
Marking document changes
| Tag | Attributes |
|---|---|
| ins | id, class, lang, dir, title, style |
| del | id, class, lang, dir, title, style |
Table tags and attributes
The default-policy.xml file ships with these Table tags and attributes.
Table
| Tag | Attributes |
|---|---|
| table | id, border, cellpadding, cellspacing, align, class, frame, summary, lang, dir, style, bgcolor, width, rules, dir |
Table captions
| Tag | Attributes |
|---|---|
| caption | id, lang, dir, title, style |
Row groups
| Tag | Attributes |
|---|---|
| thread | cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign |
| tfoot | cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign |
| tbody | id, class, lang, dir, title, style, align, char, charoff, valign |
| pre | id, class, lang, dir, title, style |
Column groups
| Tag | Attributes |
|---|---|
| colgroup | span, width, id, class, lang, dir, title, style, align, char, charoff, valign |
| col | span, width, id, class, lang, dir, title, style, align, char, charoff, valign |
Table rows
| Tag | Attributes |
|---|---|
| tr | id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign |
Table cells
| Tag | Attributes |
|---|---|
| th | abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign |
| td | abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign |
Embedded media and Mashup tags and attributes
The default-policy.xml file ships with these Embedded Media and Mashup tags and attributes.
Partners
| Tag | Attributes |
|---|---|
| script | type, charset, src |
| iframe | src=starts with SafeHTML Restricted Youtube Sources or building blocks, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling |
Images
| Tag | Attributes |
|---|---|
| img | src, alt, longdesc, name, id, class, lang, dir, title, style, align, width, height, border, hspace, vspace |
YouTube
| Tag | Attributes |
|---|---|
| object | classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace |
| param | name=movie, value=starts with SafeHTML Restricted Youtube Sources, name = allowscriptaccess, value=true, name=allowfullscreen, value=true|false |
| embed | src=starts with SafeHTML Restricted Youtube Sources, allowScriptAccess=never, allowNetworking=internal, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, wmode, base, name, align, hspace, vspace, bgcolor, sound, progress, swstretchstyle, swstretchalign, swstretchvalign |
| iframe | src=starts with http(s)://www.youtube.com or http(s)://www.youtube-nocookie.com/, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling |
Slideshare
| Tag | Attributes |
|---|---|
| object | classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace |
| param | name=movie, value=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, name=allowscriptaccess, value=never, name=allowfullscreen, value=true|false, name=wmode, value=transparent |
| embed | src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, allowScriptAccess=never, allowNetworking=never, wmode=transparent, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, base, name, align, hspace, vspace, bgcolor, sound, progress, autostart=false, swstretchstyle, swstretchalign, swstretchvalign |
| iframe | src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, height, width, frameborder, marginwidth, marginheight, scrolling |
Other media types including Flash
| Tag | Attributes | Comments |
|---|---|---|
| object | codebase, name, align, hspace, vspace, bgcolor, classid | |
| param | name=allowScriptAccess, value=never, name=allowNetworking, value=none, name=autostart, value=false | May contain other parameters, but these must always be present for sources other than youtube and slideshare. |
| embed | allowScriptAccess=never, allowNetworking=none, autostart=false, allowFullScreen=false, type=... see comment, wmode=window/transparent/opaque, id, class, dir, flashvars, height, lang, name, src, style, title, width, xml:lang | allowScriptAccess=never must always be present for Flash
allowNetworking=none must always be present for Flash allowFullScreen=false must always be present for Flash "type" is not restricted currently to our supported media types, but the default policy will eventually be limited to:
|
| iframe | src=restricted list, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling |
Configure filtered file types
If you configure filtered file types for your Blackboard Learn environment, you'll need to re-apply these changed after each upgrade.
You can configure the file types that pass through the HTML filter. If users need to upload any of the filtered file types, they may put them in a ZIP file. ZIP file content isn't filtered by design.
- Open blackboard_home/config/internal/bb-file-filter-configuration.properties.
- Under # Filtered file types, add the file types you'd like to filter.
- Save the file and run PushConfigUpdates.
In the most recent release of Blackboard Learn, the following file are filtered due to possible security risks:
# Filtered file types
.htm=filter
.html=filter
.xhtml=filter
.xhm=filter
.css=filter
.js=filter
.xml=filter
.svg=filter
.svgz=filter
.xsl=filter
Newly added file types/extensions include *.xhm, *.xhtml, *.xsl, *.svgz. The .txt filter was removed in Blackboard Learn 9.1 Q2 2019.
