Enhanced HTML Security for Training Description and Training Custom Fields

With the February 2020 release, HTML security for training descriptions and training custom fields has been enhanced, allowing all HTML markup in these fields to be sanitized on output. This means HTML markup can be correctly formatted without presenting XSS risk. With this enhancement to HTML security, organizations no longer need to sign a waiver acknowledging the risk that previously existed for HTML markup.

HTML Text Appearance PRIOR to HTML Security Enhancement:

HTML Text Appearance WITH this HTML Security Enhancement:

Use Case

Cynthia is a Learning Administrator at ACME Corp. When creating new training items, she uses HTML markup in the training title, description, and training custom fields to improve the experience of her learners. Because of the XSS security risk, Cynthia's company chooses to encode HTML in these fields. This keeps the system secure, and because the Cornerstone system sanitizes these fields on output, they can be correctly formatted for users without presenting a security risk. Cynthia is able to create a great learner experience using HTML while also maintaining the security of her users, portals, and systems.
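The difference the release note describes, between encoding HTML so that tags show up as literal text and sanitizing it on output so that formatting survives while script injection does not, is illustrated below. This is an added example written for this page, not Cornerstone's code; the set of allowed formatting tags, the allowed attributes, and the safe link schemes are assumptions chosen for the illustration, and the sample description is constructed.

```python
"""Added illustration (not Cornerstone's code): encoding a training description
on output versus sanitizing it on output.

Encoding turns every '<' into '&lt;', so the field is safe but the learner sees
raw tags. Sanitizing keeps an allowlist of formatting tags and attributes and
drops everything else, so bold text, lists and links render while <script>,
event handlers and javascript: URLs are removed.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist: formatting a training description is likely to need.
ALLOWED_TAGS = {"b", "strong", "i", "em", "u", "p", "br", "ul", "ol", "li", "a"}
# Attributes kept per tag; anything else (style, onclick, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def encode_output(markup: str) -> str:
    """The 'encode' behaviour: every tag is escaped and displayed as text."""
    return html.escape(markup, quote=True)


class _Sanitizer(HTMLParser):
    """Rebuilds the markup from an allowlist; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # emitted fragments of the sanitized markup
        self._open = []      # stack of allowed tags currently open
        self._skip = False   # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True  # drop the element and its contents entirely
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text is still emitted as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # e.g. onclick="..." is never kept
            if name == "href":
                if value is None or not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # javascript: and other schemes are dropped
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False
            return
        if tag in self._open:
            # Close any allowed tags left open inside this one, then this one.
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            # Text is always re-escaped, so '<' typed in a description stays text.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are discarded

    def result(self) -> str:
        while self._open:  # close tags the author forgot to close
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize_output(markup: str) -> str:
    """The 'sanitize on output' behaviour: formatting kept, script removed."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


# Constructed sample description containing both formatting and an injection.
SAMPLE = ('<p>Welcome! <b>Module 1</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)" onclick="x()">link</a></p>')

if __name__ == "__main__":
    print("encoded:  ", encode_output(SAMPLE))
    print("sanitized:", sanitize_output(SAMPLE))
```

Running the block shows the two behaviours side by side: the encoded form contains no `<` at all (the learner would see the tags as text), while the sanitized form keeps `<p>`, `<b>` and the link but loses the `<script>` element, the `onclick` handler and the `javascript:` URL.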

Considerations

This functionality is automatically enabled in all portals using the Learning module. An existing backend setting, enabled in some portals, increases security by encoding training text but causes training descriptions and training custom fields to render poorly when they contain HTML markup. This backend setting will be retired with the August ’20 Release. Conversely, some portals have signed a security waiver to have their HTML markup appear correctly by opting out of the security this backend setting provides. There is an additional backend setting which bypasses all XSS security validations, and it also interacts with the new setting. That setting is not currently targeted for retirement.

Refer to the table below to determine how this enhancement affects your portal:

| My portal uses the backend setting which increases security of HTML tags but compromises correct formatting | My portal uses the backend setting which bypasses Cross Site Scripting (XSS) security measures | Impact of new enhanced HTML security for my portal |
|---|---|---|
| True | False | These portals are unaffected by this enhancement. These portals are secure and protected against the XSS security risk associated with HTML and also use additional XSS security measures. These portals can use HTML markup without accepting a security risk. |
| False | True | These portals have opted out of security measures and are unaffected by this enhancement and by the retirement of the existing backend setting that provides security when using HTML. |
| False | False | These portals are affected by this new enhancement. These portals receive increased security for their HTML markup. |
| True | True | These portals are affected by this enhancement. When the backend setting to encode training text is retired, these portals will lose the HTML security associated with the backend setting without gaining the security of this new enhancement. These portals must assess their configuration before the backend setting to make HTML secure is retired with the August ’20 Release. |