Safe HTML filters

Users can enter HTML in Blackboard in several ways: through the content editor in blogs and discussion boards, for example, and through HTML file uploads. In the past this introduced a security risk, because users could enter potentially dangerous tags such as script tags. Such tags could execute malicious script inside Blackboard, exposing other users to attack. This is known as cross-site scripting (XSS), which lets one user take control of other users' browsers.

Safe HTML filters give you more control over the type of HTML students can enter, making user-supplied HTML safer to use in Blackboard. The feature replaces an earlier HTML sanitizer with AntiSamy, the open-source security library from the Open Web Application Security Project (OWASP). The AntiSamy API ensures that user-supplied HTML complies with the rules in the application's policy.

Blackboard provides administrators with a default-policy.xml file containing the Safe HTML rules. Administrators define in this file which HTML tags and attributes are allowed on their Blackboard instance, based on their organization's risk tolerance.

If you've customized your default-policy.xml file and Blackboard changes the default version of the file, the previous Blackboard default file is renamed to indicate that it's an old version. Blackboard's new default-policy.xml file is added to your policies and set as your active policy. You'll be informed of the file update by email. Your own customized policy is unchanged, so if you still need your customizations you'll have to activate your policy again.

Note

Safe HTML is only applicable to users who don't have the Add/Modify Trusted Content privilege, also called the Add/Edit Trusted Content With Scripts privilege. Users with this privilege can enter unrestricted/trusted HTML, meaning they aren't bound to the Safe HTML rules. By default, Blackboard gives this privilege to Administrators, Course Builders, Graders, Instructors, and Teaching Assistants. All other roles don't have this privilege by default, but it can be added on an as-needed basis.

On the Administrator Panel, select Safe HTML Filters in the Security menu.

Important

Blackboard SaaS environments can't be configured to filter custom file types through HTML filters.

Customize a policy

Administrators can customize the list of allowable HTML tags and attributes in the default-policy.xml file based on the needs of their organization. However, this should be rare: customize the policy only when you have a specific use case that the default policy doesn't support.

  1. On the Administrator Panel, select Safe HTML Filters in the Security menu.

  2. Select Safe HTML Filter for Content Editor to access the policy list.

  3. Access the menu for the default-policy.xml file and select Download. Save the file on your computer.

  4. Make the changes to the Safe HTML rules that your organization needs.

  5. When you've edited the file, save it under a new name.

  6. Return to the Safe HTML Filter for Content Editor page to access the policy list.

  7. Select Upload to access the Upload Safe HTML Policy page and browse for your new file.

  8. Optionally, type a comment.

  9. Select Submit to upload the new file.

  10. The new file appears in the list of policy files. From the file's menu, select Activate to make this the active policy file in your Blackboard environment.

Test a policy

Administrators can test policies to make sure they are functioning properly and yielding the results they want.

  1. On the Administrator Panel, select Safe HTML Filters in the Security menu.

  2. Select Safe HTML Filter for Content Editor.

  3. From the policy file's menu, select Test Policy.

  4. In the Enter code (HTML, JS) to Test field, enter any HTML code that you want to test.

  5. Select Test.

The system provides test results based on the HTML you entered, such as these:

  • A new Sanitized Output field appears, showing the system-sanitized output for the HTML you entered.

  • If a script tag you entered isn't allowed by the policy, a message tells you that the script isn't allowed for security reasons.

  • If a tag contains an attribute that can't be processed, a message names the tag and reports that the attribute has been filtered out.
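To make the "Customize a policy" and "Test a policy" steps concrete, here is an added example (not Blackboard's code and not the AntiSamy library itself): a small Python sanitizer driven by a constructed mini policy whose layout is modelled on the AntiSamy policy file (common-regexps, tag-rules, a regexp-list per attribute). It produces the three kinds of result the Test Policy page reports: sanitized output, a "not allowed for security reasons" message for a removed tag, and "filtered out" messages for attributes that are unknown or whose value fails its pattern. The tags, patterns, actions and sample input are assumptions for illustration, not the contents of default-policy.xml.

```python
import re
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Constructed mini policy. Its layout follows the AntiSamy policy file
# (common-regexps, tag-rules, per-attribute regexp-list), but the tags,
# patterns and actions are an illustrative subset, not default-policy.xml.
MINI_POLICY = r"""
<anti-samy-rules>
  <common-regexps>
    <regexp name="htmlId" value="[a-zA-Z0-9:\-_.]+"/>
    <regexp name="number" value="[0-9]+"/>
    <regexp name="youtubeSrc" value="https?://www\.youtube(-nocookie)?\.com/.*"/>
  </common-regexps>
  <tag-rules>
    <tag name="script" action="remove"/>
    <tag name="div" action="validate">
      <attribute name="id"><regexp-list><regexp name="htmlId"/></regexp-list></attribute>
      <attribute name="class"><regexp-list><regexp name="htmlId"/></regexp-list></attribute>
    </tag>
    <tag name="p" action="validate">
      <attribute name="id"><regexp-list><regexp name="htmlId"/></regexp-list></attribute>
    </tag>
    <tag name="iframe" action="validate">
      <attribute name="src"><regexp-list><regexp name="youtubeSrc"/></regexp-list></attribute>
      <attribute name="width"><regexp-list><regexp name="number"/></regexp-list></attribute>
    </tag>
  </tag-rules>
</anti-samy-rules>
"""


def load_policy(xml_text):
    """Parse the policy into {tag: (action, {attribute: [compiled regexps]})}."""
    root = ET.fromstring(xml_text.strip())
    regexps = {r.get("name"): re.compile(r.get("value"))
               for r in root.find("common-regexps")}
    rules = {}
    for tag in root.find("tag-rules"):
        allowed = {}
        for attr in tag.findall("attribute"):
            allowed[attr.get("name")] = [regexps[r.get("name")]
                                         for r in attr.iter("regexp")]
        rules[tag.get("name")] = (tag.get("action"), allowed)
    return rules


class PolicySanitizer(HTMLParser):
    """Rebuilds the markup, keeping only what the policy allows."""

    def __init__(self, rules):
        super().__init__()          # convert_charrefs=True: text arrives decoded
        self.rules = rules
        self.out = []
        self.messages = []
        self.skipping = None        # name of a removed tag whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        rule = self.rules.get(tag)
        if rule is None:
            self.messages.append(f"Tag <{tag}> is not in the policy; tag removed, text kept")
            return
        action, allowed = rule
        if action == "remove":
            self.messages.append(f"The <{tag}> tag is not allowed for security reasons")
            self.skipping = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            patterns = allowed.get(name)
            if patterns is None:
                self.messages.append(f"<{tag}> contains attribute '{name}' that can't be processed; filtered out")
                continue
            if not any(p.fullmatch(value) for p in patterns):
                self.messages.append(f"<{tag}> attribute '{name}' value {value!r} failed validation; filtered out")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        rule = self.rules.get(tag)
        if rule and rule[0] == "validate":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output


def sanitize(html_text, rules):
    """Return (sanitized markup, list of filter messages), like the Test Policy page."""
    parser = PolicySanitizer(rules)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.messages


# Constructed test input: an allowed div carrying an attribute the policy does
# not list, a script tag, one allowed YouTube embed and one from an unlisted host.
SAMPLE_HTML = (
    '<div id="intro" onclick="track()"><p>Hello &amp; welcome</p>'
    '<script>track()</script>'
    '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560"></iframe>'
    '<iframe src="https://example.net/page" width="560"></iframe></div>'
)

if __name__ == "__main__":
    output, notes = sanitize(SAMPLE_HTML, load_policy(MINI_POLICY))
    print("Sanitized Output:", output)
    for note in notes:
        print("-", note)
```

Running it prints the sanitized div (the script tag and its body gone, the onclick attribute and the unlisted iframe src stripped, the rest kept) followed by one message per filtered item, which is the shape of result the Test Policy page gives you for your own policy file.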

HTML body tags and attributes

The default-policy.xml file allows these body tags and attributes.

Grouping elements

Table 20. Grouping elements

Tag  | Attributes
div  | id, class, lang, dir, title, style, align
span | id, class, dir, title, style, align, xml:lang



Headings

Table 21. Headings

Tag | Attributes
h1  | id, class, lang, dir, title, style, align
h2  | id, class, lang, dir, title, style, align
h3  | id, class, lang, dir, title, style, align
h4  | id, class, lang, dir, title, style, align
h5  | id, class, lang, dir, title, style, align
h6  | id, class, lang, dir, title, style, align



Address

Table 22. Address

Tag     | Attributes
address | id, class, lang, dir, title, style



Font style and HR tags and attributes

The default-policy.xml file ships with these font style and HR tags and attributes.

Font style

Table 23. Font style

Tag   | Attributes
tt    | id, class, lang, dir, title, style
i     | id, class, lang, dir, title, style
b     | id, class, lang, dir, title, style
big   | id, class, lang, dir, title, style
small | id, class, lang, dir, title, style



HR

Table 24. HR

Tag | Attributes
hr  | id, class, lang, dir, title, style



List tags and attributes

The default-policy.xml file ships with these list tags and attributes.

Unordered lists, ordered lists, and list items

Table 25. Unordered lists, ordered lists, and list items

Tag | Attributes
ul  | id, class, lang, dir, title, style
li  | id, class, lang, dir, title, style
ol  | id, class, lang, dir, title, style



Definition lists

Table 26. Definition lists

Tag  | Attributes
dl   | id, class, lang, dir, title, style
dt   | id, class, lang, dir, title, style
dd   | id, class, lang, dir, title, style
dir  | id, class, dir, title, style, compact
menu | id, class, lang, dir, title, style, compact



Text tags and attributes

The default-policy.xml file ships with these text tags and attributes.

Phrase elements

Table 28. Phrase elements

Tag     | Attributes
em      | id, class, lang, dir, title, style
strong  | id, class, lang, dir, title, style
cite    | id, class, lang, dir, title, style
dfn     | id, class, lang, dir, title, style
code    | id, class, lang, dir, title, style
samp    | id, class, lang, dir, title, style
kbd     | id, class, lang, dir, title, style
var     | id, class, lang, dir, title, style
abbr    | id, class, lang, dir, title, style
acronym | id, class, lang, dir, title, style



Quotations

Table 29. Quotations

Tag        | Attributes
blockquote | id, class, lang, dir, title, style
q          | id, class, lang, dir, title, style



Subscripts and superscripts

Table 30. Subscripts and superscripts

Tag | Attributes
sub | id, class, lang, dir, title, style
sup | id, class, lang, dir, title, style



Lines and paragraphs

Table 31. Lines and paragraphs

Tag | Attributes
p   | id, class, lang, dir, title, style, align
br  | id, class, title, style, clear
pre | id, class, lang, dir, title, style



Marking document changes

Table 32. Marking document changes

Tag | Attributes
ins | id, class, lang, dir, title, style
del | id, class, lang, dir, title, style



Table tags and attributes

The default-policy.xml file ships with these table tags and attributes.

Table

Table 33. Table

Tag   | Attributes
table | id, border, cellpadding, cellspacing, align, class, frame, summary, lang, dir, style, bgcolor, width, rules



Table captions

Table 34. Table captions

Tag     | Attributes
caption | id, lang, dir, title, style



Row groups

Table 35. Row groups

Tag   | Attributes
thead | cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tfoot | cellhalign, cellvalign, id, class, lang, dir, title, style, align, char, charoff, valign
tbody | id, class, lang, dir, title, style, align, char, charoff, valign
pre   | id, class, lang, dir, title, style



Column groups

Table 36. Column groups

Tag      | Attributes
colgroup | span, width, id, class, lang, dir, title, style, align, char, charoff, valign
col      | span, width, id, class, lang, dir, title, style, align, char, charoff, valign



Table rows

Table 37. Table rows

Tag | Attributes
tr  | id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign



Table cells

Table 38. Table cells

Tag | Attributes
th  | abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign
td  | abbr, axis, headers, scope, rowspan, colspan, id, class, lang, dir, title, style, bgcolor, align, char, charoff, valign



Embedded media and Mashup tags and attributes

The default-policy.xml file ships with these embedded media and mashup tags and attributes.

Partners

Table 39. Partners

Tag    | Attributes
script | type, charset, src
iframe | src=starts with SafeHTML Restricted Youtube Sources or building blocks, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling



Images

Table 40. Images

Tag | Attributes
img | src, alt, longdesc, name, id, class, lang, dir, title, style, align, width, height, border, hspace, vspace



YouTube

Table 41. YouTube

Tag    | Attributes
object | classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param  | name=movie, value=starts with SafeHTML Restricted Youtube Sources, name=allowscriptaccess, value=true, name=allowfullscreen, value=true|false
embed  | src=starts with SafeHTML Restricted Youtube Sources, allowScriptAccess=never, allowNetworking=internal, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, wmode, base, name, align, hspace, vspace, bgcolor, sound, progress, swstretchstyle, swstretchalign, swstretchvalign
iframe | src=starts with http(s)://www.youtube.com or http(s)://www.youtube-nocookie.com/, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling



Slideshare

Table 42. Slideshare

Tag    | Attributes
object | classid, codebase, codetype, data, type, archive, declare, standby, id, class, lang, dir, title, style, tabindex, name, align, width, height, border, hspace, vspace
param  | name=movie, value=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, name=allowscriptaccess, value=never, name=allowfullscreen, value=true|false, name=wmode, value=transparent
embed  | src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, allowScriptAccess=never, allowNetworking=never, wmode=transparent, type=application/x-shockwave-flash, id, width, height, type, quality, scale, salign, base, name, align, hspace, vspace, bgcolor, sound, progress, autostart=false, swstretchstyle, swstretchalign, swstretchvalign
iframe | src=starts with http(s)://static.slidesharecdn.com/ or http(s)://www.slideshare.net/, height, width, frameborder, marginwidth, marginheight, scrolling



Other media types including Flash

Table 43. Other media types including Flash

Tag    | Attributes | Comments
object | codebase, name, align, hspace, vspace, bgcolor, classid |
param  | name=allowScriptAccess, value=never, name=allowNetworking, value=none, name=autostart, value=false | May contain other parameters, but these must always be present for sources other than YouTube and Slideshare.
embed  | allowScriptAccess=never, allowNetworking=none, autostart=false, allowFullScreen=false, type=... see comment, wmode=window/transparent/opaque, id, class, dir, flashvars, height, lang, name, src, style, title, width, xml:lang | allowScriptAccess=never, allowNetworking=none and allowFullScreen=false must always be present for Flash. "type" is not currently restricted to our supported media types, but the default policy will eventually be limited to video/quicktime, application/x-shockwave-flash, application/x-director and application/x-mplayer2.
iframe | src=restricted list, longdesc, name, width, height, id, class, title, style, align, frameborder, marginwidth, marginheight, scrolling |
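The media tables above express each source restriction as "src starts with ...". As an added example (not Blackboard's implementation, which encodes these rules inside default-policy.xml), here is a Python check that evaluates an embed src the way a defender wants that rule read: parse the URL and require an exact http(s) host match, rather than comparing a raw string prefix, which a prefix without a trailing slash (as in "http(s)://www.youtube.com" above) would also satisfy for a longer lookalike host name. The allowed-host set and the test URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of bare hosts, mirroring the hosts named in the
# YouTube and Slideshare tables above. Not Blackboard's actual policy.
ALLOWED_EMBED_HOSTS = frozenset({
    "www.youtube.com",
    "www.youtube-nocookie.com",
    "static.slidesharecdn.com",
    "www.slideshare.net",
})


def naive_prefix_allowed(src, prefixes=("https://www.youtube.com", "http://www.youtube.com")):
    """A literal reading of "starts with", shown only to contrast with the host check."""
    return src.startswith(prefixes)


def embed_src_allowed(src, allowed_hosts=ALLOWED_EMBED_HOSTS):
    """True only for http(s) URLs whose host component is exactly an allowed host.

    Parsing the URL (rather than comparing a string prefix) means a host that
    merely begins with an allowed name is rejected, and the trailing slash in
    the rule is no longer load-bearing. urlsplit lower-cases the hostname and
    excludes any userinfo and port from it.
    """
    try:
        parts = urlsplit(src.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host in allowed_hosts


# Constructed cases with the verdict the host-based check should give.
CASES = {
    "https://www.youtube.com/embed/VIDEO_ID": True,
    "http://www.youtube-nocookie.com/embed/VIDEO_ID": True,
    "https://www.slideshare.net/slideshow/embed_code/key/EXAMPLE": True,
    "https://www.youtube.com.example.net/embed/VIDEO_ID": False,  # lookalike host
    "ftp://www.youtube.com/embed/VIDEO_ID": False,                 # wrong scheme
}


def check_all(cases=CASES):
    """Map each case to the verdict of the host-based check."""
    return {src: embed_src_allowed(src) for src in cases}


if __name__ == "__main__":
    for src, ok in check_all().items():
        verdict = "allow" if ok else "reject"
        print(f"{verdict:6} {src}  (prefix test says {naive_prefix_allowed(src)})")
```

The lookalike case is the one to watch when you write your own "starts with" rule in a customized policy: the prefix test accepts it, the host check does not, so anchor the pattern at the end of the host (a trailing slash) or match on the parsed host as shown here.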