Blackboard is committed to improving security features and resolving security vulnerabilities quickly and carefully. Resolving a vulnerability may lead to the release of a Security Advisory, as well as any needed product update for our customers, depending on the context, severity and timing of the confirmed vulnerability. Below we have outlined the security enhancements and security vulnerabilities resolved in this release.
For more information on each of the features and improvements, please see the System Administrator documentation.
Safe HTML Filter for the Content Editor Building Block
Users can enter HTML in Blackboard Learn wherever the content editor appears, including blogs, journals, wikis and the discussion board. To make HTML entered by users safer, this building block shifts filtering from the previous "Global Safe HTML Filter" to AntiSamy, the open-source security library and API from the Open Web Application Security Project (OWASP). This new API ensures "user-supplied HTML/CSS is in compliance within an application's rules."
System Administrators can tailor the HTML tags and attributes allowed on their Blackboard Learn instance based on their organization's risk tolerance level. Blackboard will ship with a secure-default HTML policy file.
Whether a user is restricted to Safe HTML policies is controlled by a privilege named "Add/Modify trusted content" or "Add/Edit trusted content with scripts", depending on which version of Learn you are on. By default, Blackboard Learn grants the privilege to enter unrestricted HTML to Administrators, Course Builders, Graders, Instructors, and Teaching Assistants. Roles such as Students and Guests do not have the capability to enter trusted content by default and are thus restricted to Safe HTML. Customers should evaluate whether users need the privilege.
This security control is enabled by default.
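The sketch below is an added example, not Blackboard's or AntiSamy's code: it shows how a policy-driven allowlist filter treats a submission, and why the trusted-content privilege matters, since holders bypass the filter. The policy contents, function names and sample input are assumptions made for illustration; only the role names come from the default list above.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy (tag -> allowed attrs) and sample; not Blackboard's file.
POLICY = {"p": set(), "b": set(), "li": set(), "a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its body
# Roles the page lists as holding the trusted-content privilege by default.
TRUSTED_ROLES = {"Administrator", "Course Builder", "Grader",
                 "Instructor", "Teaching Assistant"}
SAMPLE = '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:x" title="t">link</a></p>'

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in POLICY:
            return  # not in policy (or inside script/style): emit nothing
        kept = ""
        for name, value in attrs:
            value = value or ""
            bad_url = name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES)
            if name in POLICY[tag] and not bad_url:  # drops onclick, javascript: URLs
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in POLICY:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    f = AllowlistFilter()
    f.feed(html)
    f.close()  # flush any buffered trailing text
    return "".join(f.out)

def store_submission(role, html):
    # Holders of the privilege bypass the filter; their markup is stored as-is.
    return html if role in TRUSTED_ROLES else sanitize(html)
```

Calling `store_submission("Student", SAMPLE)` returns only the allowlisted markup, while the same input from an Instructor is stored unchanged, which is the exposure to weigh when deciding who keeps the privilege.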