Securing User Content
Users can enter HTML in Blackboard Learn in a variety of ways. For example, users can enter HTML using the content editor in blogs and discussion boards, and through HTML file uploads. In the past, this introduced a security threat because users could enter potentially dangerous tags, such as script tags. Such tags could be used to execute malicious script in Blackboard Learn, exposing other users to attacks. This is referred to as cross-site scripting, which allows a user to have control over other users' browsers.
To make user-supplied HTML safer to use in Blackboard Learn and provide Blackboard Learn administrators with more control over the type of HTML students can enter, the Safe HTML building block replaces the previous HTML sanitizer with AntiSamy, an open-source security library from the Open Web Application Security Project (OWASP). The new API ensures that user-supplied HTML complies with an application's rules.
Rendering user-uploaded files from an alternate domain is a defense-in-depth security control. By uploading a piece of content containing potentially malicious scripts, a user could perform session hijacking on the main Blackboard Learn session once a target user accesses the affected content.
As a method of protection against this type of activity, users can now access user-uploaded files through an alternate domain and a separate session that cannot access cookies from a user’s primary Blackboard Learn session. This security control leverages browser security features, namely the “same-origin policy”. As a result, malicious scripts within user-uploaded files that are rendered in one domain or subdomain are segregated from the cookies, and thus the session information, of the primary Blackboard Learn session.
This security control is another defensive layer in Blackboard’s security framework to further protect users from potentially malicious user-uploaded files.
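The cookie separation described above depends on how the primary session cookie is scoped. The following check is an added example, not Blackboard code: it applies the RFC 6265 domain-matching rule to list which primary-host cookies a browser would also send to an alternate file host. All hostnames and cookie names are constructed, and the Path and Secure attributes are ignored.

```javascript
// Added example: which cookies set by the primary host would a browser also
// send to the alternate file-serving host? Hostnames are constructed samples.

// RFC 6265 section 5.1.3: does the request host domain-match cookieDomain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix matching never applies to IP address hosts.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// domainAttr is the cookie's Domain attribute; null or "" means the attribute
// was absent, which makes the cookie host-only (exact host match required).
function cookieSentTo(requestHost, setByHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  // A leading dot in the Domain attribute is ignored by browsers.
  return domainMatch(requestHost, domainAttr.replace(/^\./, ""));
}

// Names of primary-host cookies that would reach the alternate host.
// An empty result means the alternate host is isolated from those cookies.
function exposedCookies(primaryHost, alternateHost, cookies) {
  return cookies
    .filter((c) => cookieSentTo(alternateHost, primaryHost, c.domain))
    .map((c) => c.name);
}

// Constructed sample: one host-only cookie, one scoped to the parent domain.
const sampleCookies = [
  { name: "session_host_only", domain: null },
  { name: "session_wide", domain: ".example.edu" },
];

// Alternate host as a sibling subdomain: the parent-scoped cookie leaks.
console.log(exposedCookies("learn.example.edu", "files.example.edu", sampleCookies));
// Alternate host on an unrelated registrable domain: nothing is sent.
console.log(exposedCookies("learn.example.edu", "learn-files.example.net", sampleCookies));
```

A sibling subdomain isolates the session only when the session cookie is host-only; a cookie scoped to the shared parent domain is still delivered to the file host.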
File Type Upload Restrictions
This preventative security control allows System Administrators to define which file types and MIME types may be uploaded into the system and how they should be handled.
Blackboard Learn does not yet support anti-virus scanning on files uploaded by users into the system. This feature is on the Blackboard Learn Product Security Roadmap.
Any statements about future expectations, plans and prospects for Blackboard represent the Company’s views as of January 1, 2013. Actual results may differ materially as a result of various important factors. The Company anticipates that subsequent events and developments will cause the Company’s views to change. However, while the Company may elect to update these statements at some point in the future, the Company specifically disclaims any obligation to do so.