Blackboard Help

Security Management - Safe HTML

Users can enter HTML in Blackboard Learn in a variety of ways: through the content editor in blogs and discussion boards, for example, and through HTML file uploads. In the past this introduced a security risk, because users could enter potentially dangerous tags, such as script tags, that would execute malicious script inside Blackboard Learn and expose other users to attack. This class of attack is cross-site scripting (XSS): it lets one user run script in, and thereby take control of, other users' browsers.

To make user-supplied HTML safer to use in Blackboard Learn and to give Blackboard Learn administrators more control over the type of HTML students can enter, the Safe HTML building block replaces the previous HTML sanitizer with AntiSamy, the open-source sanitization library from the Open Web Application Security Project (OWASP). AntiSamy rewrites user-supplied HTML so that it complies with an application-defined policy of allowed tags and attributes; anything the policy does not allow is removed from the output.

Blackboard Learn provides administrators with a default-policy.xml file containing the Safe HTML rules. Administrators can edit the set of HTML tags and attributes this file allows on their Blackboard Learn instance, based on their organization's risk tolerance.

Note: Safe HTML applies only to users who do not have the Add/Modify Trusted Content privilege (called Add/Edit Trusted Content With Scripts in some versions of Blackboard Learn). Users with this privilege can enter unrestricted, trusted HTML and are not bound by the Safe HTML rules. By default, Blackboard Learn grants this privilege to Administrators, Course Builders, Graders, Instructors, and Teaching Assistants; all other roles lack it by default, but it can be added as needed. Because HTML from these users is not sanitized, granting the privilege to a role amounts to trusting every user in that role not to inject script that runs in other users' browsers.

Installing Safe HTML

To download and install this Building Block, go to the Extensions Catalog and type "Safe HTML" in the Name Search box.

Safe HTML is disabled by default. You must enable the building block to make it available in Blackboard Learn.

Accessing Safe HTML

After you have installed the Safe HTML building block, you can access it from the System Admin page. From the Building Blocks panel, click Installed Tools. Locate Safe HTML Filters in the list of installed building blocks and set the building block to Active.

Customizing a Policy

System Administrators can customize the list of allowable HTML tags and attributes in the default-policy.xml file to meet the needs of their organization. This should be rare: customize the policy only for a specific use case the shipped policy does not support, and treat every tag or attribute you add as an enlargement of the attack surface described above. Allowing script tags, event-handler attributes such as onclick, or unrestricted src and href values reintroduces the cross-site scripting risk the filter exists to remove.

Note: When your Blackboard Learn instance is upgraded, any custom policy files are preserved. However, if the building block is deleted, the custom policy files are also deleted.

  1. On the System Admin page, under Security, click Safe HTML Filters to access the Safe HTML Filters page.
  2. Click Safe HTML Filter for Content Editor to access the policy list.
  3. Click the default-policy.xml action link and select Download. Save the file on your computer.
  4. Make any changes to the Safe HTML rules that your organization needs.
  5. When you have finished editing the file, give it a new name.
  6. On the System Admin page, under Security, click Safe HTML Filters to access the Safe HTML Filters page and then click Safe HTML Filter for Content Editor to access the policy list.
  7. Click Upload to access the Upload Safe HTML Policy page.
  8. Browse for your new file.
  9. Optionally enter a comment in the Comment field.
  10. Click Submit to upload the new file.
  11. After the file is uploaded, it appears in the list of policy files. Click its action link and select Activate to make it the active policy file in your Blackboard Learn instance.

Testing a Policy

System Administrators can test policies to make sure they are functioning properly and yielding the desired results.

  1. On the System Admin page, from the Security panel, click Safe HTML Filters.
  2. Click Safe HTML Filter for Content Editor.
  3. From the policy file's action link, select Test Policy.
  4. In the Enter code (HTML, JS) to Test field, enter any HTML code that you want to test.
  5. Click Test.

The system provides test results, depending on the HTML code entered. For example:

  • A new Sanitized Output field appears showing you the system-sanitized output for the HTML you entered.
  • If the script tag you entered is not allowed by the policy, a message appears telling you the script is not allowed for security reasons.
  • A tag may contain an attribute that cannot be processed. In this case, a message appears telling you the tag contained an attribute that could not be processed and it has therefore been filtered out.
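As an added example (not Blackboard's code and not the shipped default-policy.xml), the following Java program shows both halves of the two procedures above: a small policy written in the AntiSamy XML format that default-policy.xml uses, and a check that runs constructed HTML fragments through it the way the Test Policy page does, printing the sanitized output and the per-tag messages. It assumes AntiSamy 1.5.x or later (the org.owasp.antisamy:antisamy artifact and its transitive dependencies) on the classpath; the tag selection, regular expressions, the class name SafeHtmlPolicyCheck and the sample inputs are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class SafeHtmlPolicyCheck {

    // Constructed policy in the AntiSamy XML format (assumption: a deliberately small subset
    // modelled on the tag tables on this page, not Blackboard's shipped file). Tags with no
    // rule in <tag-rules> are "filtered" by AntiSamy (tag dropped, inner text kept), which is
    // why script is listed explicitly with action="remove" so that its body is dropped too.
    static final String POLICY_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<anti-samy-rules>\n"
      + " <directives>\n"
      + "  <directive name=\"omitXmlDeclaration\" value=\"true\"/>\n"
      + "  <directive name=\"omitDoctypeDeclaration\" value=\"true\"/>\n"
      + "  <directive name=\"useXHTML\" value=\"true\"/>\n"
      + "  <directive name=\"formatOutput\" value=\"false\"/>\n"
      + "  <directive name=\"maxInputSize\" value=\"100000\"/>\n"
      + " </directives>\n"
      + " <common-regexps>\n"
      + "  <regexp name=\"identifier\" value=\"[A-Za-z0-9:_.-]+\"/>\n"
      + "  <regexp name=\"plainText\" value=\"[A-Za-z0-9 .,:;!?()_-]*\"/>\n"
      + "  <regexp name=\"httpURL\" value=\"https?://[A-Za-z0-9._~:/?#@!$&amp;'()*+,;=%-]+\"/>\n"
      // Prefix restriction like the page's "src starts with ..." rules: AntiSamy anchors every
      // regexp at both ends, so only YouTube-hosted URLs match.
      + "  <regexp name=\"youtubeSrc\" value=\"https?://www\\.youtube(-nocookie)?\\.com/[A-Za-z0-9._~/?=&amp;%-]*\"/>\n"
      + " </common-regexps>\n"
      + " <common-attributes>\n"
      + "  <attribute name=\"id\"><regexp-list><regexp name=\"identifier\"/></regexp-list></attribute>\n"
      + "  <attribute name=\"class\"><regexp-list><regexp name=\"identifier\"/></regexp-list></attribute>\n"
      + "  <attribute name=\"title\"><regexp-list><regexp name=\"plainText\"/></regexp-list></attribute>\n"
      + " </common-attributes>\n"
      + " <global-tag-attributes>\n"
      + "  <attribute name=\"id\"/><attribute name=\"class\"/><attribute name=\"title\"/>\n"
      + " </global-tag-attributes>\n"
      + " <tag-rules>\n"
      + "  <tag name=\"script\" action=\"remove\"/>\n"
      + "  <tag name=\"p\" action=\"validate\"/>\n"
      + "  <tag name=\"b\" action=\"validate\"/>\n"
      + "  <tag name=\"a\" action=\"validate\">\n"
      + "   <attribute name=\"href\"><regexp-list><regexp name=\"httpURL\"/></regexp-list></attribute>\n"
      + "   <attribute name=\"target\"><literal-list><literal value=\"_blank\"/></literal-list></attribute>\n"
      + "  </tag>\n"
      + "  <tag name=\"iframe\" action=\"validate\">\n"
      // onInvalid="removeTag": an iframe pointing anywhere else disappears entirely instead of
      // surviving as a src-less frame.
      + "   <attribute name=\"src\" onInvalid=\"removeTag\"><regexp-list><regexp name=\"youtubeSrc\"/></regexp-list></attribute>\n"
      + "   <attribute name=\"width\"><regexp-list><regexp value=\"[0-9]{1,4}\"/></regexp-list></attribute>\n"
      + "   <attribute name=\"height\"><regexp-list><regexp value=\"[0-9]{1,4}\"/></regexp-list></attribute>\n"
      + "  </tag>\n"
      + " </tag-rules>\n"
      + " <css-rules/>\n"
      + " <allowed-empty-tags><literal-list><literal value=\"iframe\"/></literal-list></allowed-empty-tags>\n"
      + "</anti-samy-rules>\n";

    /** Runs one HTML fragment through the policy, as the Test Policy page does. */
    static CleanResults check(String html) throws PolicyException, ScanException {
        Policy policy = Policy.getInstance(
                new ByteArrayInputStream(POLICY_XML.getBytes(StandardCharsets.UTF_8)));
        return new AntiSamy().scan(html, policy);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; each one probes a single rule in the policy above.
        String[] samples = {
            "<p onclick=\"alert(1)\">hello</p><script>alert(document.cookie)</script>",
            "<a href=\"javascript:alert(1)\">bad</a> <a href=\"https://example.org/\" target=\"_blank\">ok</a>",
            "<iframe src=\"https://attacker.example/\"></iframe>",
            "<iframe src=\"https://www.youtube.com/embed/VIDEOID\" width=\"560\" height=\"315\"></iframe>",
            "<marquee>no rule for this tag</marquee>",
        };
        for (String html : samples) {
            CleanResults result = check(html);
            System.out.println("input:     " + html);
            System.out.println("sanitized: " + result.getCleanHTML());
            // One message per removal or rewrite; the Test Policy page reports the same kind of notes.
            for (String message : result.getErrorMessages()) {
                System.out.println("  note: " + message);
            }
        }
    }
}
```

Run it with the AntiSamy jar and its dependencies on the classpath. The onclick attribute and the javascript: href are dropped because they match no rule, the script element is removed with its body, the non-YouTube iframe is removed as a whole, and the unlisted marquee tag is filtered down to its text. To try a candidate default-policy.xml instead of the embedded policy, pass a FileInputStream of the downloaded file to Policy.getInstance and feed it the same kind of probe inputs before uploading it.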

HTML Body Tags and Attributes

The default-policy.xml file the Safe HTML building block ships with allows the following body tags and attributes.

Grouping Elements

Tag      Attributes
div      id, class, lang, dir, title, style, align
span     id, class, dir, title, style, align, xml:lang

Headings

Tag      Attributes
h1       id, class, lang, dir, title, style, align
h2       id, class, lang, dir, title, style, align
h3       id, class, lang, dir, title, style, align
h4       id, class, lang, dir, title, style, align
h5       id, class, lang, dir, title, style, align
h6       id, class, lang, dir, title, style, align

Address

Tag      Attributes
address  id, class, lang, dir, title, style

Font Style and HR Tags and Attributes

The default-policy.xml file ships with the following font style and hr tags and attributes.

Font Style

Tag      Attributes
tt       id, class, lang, dir, title, style
i        id, class, lang, dir, title, style
b        id, class, lang, dir, title, style
big      id, class, lang, dir, title, style
small    id, class, lang, dir, title, style

HR

Tag      Attributes
hr       id, class, lang, dir, title, style

List Tags and Attributes

The default-policy.xml file ships with the following List tags and attributes.

Unordered Lists, Ordered Lists, and List Items

Tag      Attributes
ul       id, class, lang, dir, title, style
ol       id, class, lang, dir, title, style
li       id, class, lang, dir, title, style

Definition Lists

Tag      Attributes
dl       id, class, lang, dir, title, style
dt       id, class, lang, dir, title, style
dd       id, class, lang, dir, title, style
dir      id, class, dir, title, style, compact
menu     id, class, lang, dir, title, style, compact

Link Tags and Attributes

The default-policy.xml file ships with the following Link tags and attributes.

Links

Tag      Attributes
a        id, class, lang, xml:lang, dir, title, style, name, href, hreflang, rel, rev, charset, coords, shape, accesskey, tabindex, target (only the value _blank is allowed)
link     See http://www.w3schools.com/tags/tag_link.asp.

Text Tags and Attributes

The default-policy.xml file ships with the following Text tags and attributes.

Phrase Elements

Tag      Attributes
em       id, class, lang, dir, title, style
strong   id, class, lang, dir, title, style
cite     id, class, lang, dir, title, style
dfn      id, class, lang, dir, title, style
code     id, class, lang, dir, title, style
samp     id, class, lang, dir, title, style
kbd      id, class, lang, dir, title, style
var      id, class, lang, dir, title, style
abbr     id, class, lang, dir, title, style
acronym  id, class, lang, dir, title, style

Quotations

Tag      Attributes
blockquote  id, class, lang, dir, title, style
q        id, class, lang, dir, title, style

Subscripts and Superscripts

Tag      Attributes
sub      id, class, lang, dir, title, style
sup      id, class, lang, dir, title, style

Lines and Paragraphs

Tag      Attributes
p        id, class, lang, dir, title, style, align
br       id, class, title, style, clear
pre      id, class, lang, dir, title, style

Marking Document Changes

Tag      Attributes
ins      id, class, lang, dir, title, style
del      id, class, lang, dir, title, style

Table Tags and Attributes

The default-policy.xml file ships with the following Table tags and attributes.

Table

Tag      Attributes
table    id, class, lang, dir, style, align, border, cellpadding, cellspacing, frame, rules, summary, bgcolor, width

Table Captions

Tag      Attributes
caption  id, lang, dir, title, style

Row Groups

Tag      Attributes
thead    cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tfoot    cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tbody    id, class, lang, dir, title, style, align, char, charoff, valign

Column Groups

Tag      Attributes
colgroup span, width, id, class, lang, dir, title, style, align, char, charoff, valign
col      span, width, id, class, lang, dir, title, style, align, char, charoff, valign

Table Rows

Tag      Attributes
tr       id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign

Table Cells

Tag      Attributes
th       abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign
td       abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign

Embedded Media and Mashup Tags and Attributes

The default-policy.xml file ships with the following Embedded Media and Mashup tags and attributes.

Partners

Tag      Attributes
script   type, charset, src
iframe   src (must start with one of the SafeHTML Restricted Youtube Sources or a building block source), longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling

Images

Tag      Attributes
img      src, alt, longdesc, name, id, class, lang, dir, title, style, align, width, height, border, hspace, vspace

YouTube

Tag      Attributes
object   classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param    name=movie with a value that starts with one of the SafeHTML Restricted Youtube Sources; name=allowscriptaccess with value=true; name=allowfullscreen with value=true or false
embed    src (must start with one of the SafeHTML Restricted Youtube Sources), allowScriptAccess=never, allowNetworking=internal, type=application/x-shockwave-flash, id, width, height, quality, scale, salign, wmode, base, name, align, hspace, vspace, bgcolor, sound, progress, swstretchstyle, swstretchalign, swstretchvalign
iframe   src (must start with http(s)://www.youtube.com or http(s)://www.youtube-nocookie.com/), longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling

Slideshare

Tag      Attributes
object   classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param    name=movie with a value that starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/; name=allowscriptaccess with value=never; name=allowfullscreen with value=true or false; name=wmode with value=transparent
embed    src (must start with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/), allowScriptAccess=never, allowNetworking=never, wmode=transparent, type=application/x-shockwave-flash, autostart=false, id, width, height, quality, scale, salign, base, name, align, hspace, vspace, bgcolor, sound, progress, swstretchstyle, swstretchalign, swstretchvalign
iframe   src (must start with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/), height, width, frameborder, marginwidth, marginheight, scrolling

Other Media Types Including Flash

Tag      Attributes
object   codebase, name, align, hspace, vspace, bgcolor, classid
param    name=allowScriptAccess with value=never; name=allowNetworking with value=none; name=autostart with value=false
         Comment: the object may contain other parameters, but these three must always be present for sources other than YouTube and Slideshare.
embed    allowScriptAccess=never, allowNetworking=none, autostart=false, allowFullScreen=false, type (see comment), wmode=window, transparent or opaque, id, class, dir, flashvars, height, lang, name, src, style, title, width, xml:lang
         Comment: allowScriptAccess=never, allowNetworking=none and allowFullScreen=false must always be present for Flash. The type attribute is not currently restricted to the supported media types, but the default policy will eventually be limited to:
           • video/quicktime
           • application/x-shockwave-flash
           • application/x-director
           • application/x-mplayer2
iframe   src (restricted list), longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling