Sanitize HTML in Curriculum Fields

To provide a more secure experience, Cornerstone has made changes to several curricula administration fields to prevent XSS (cross-site scripting) security vulnerabilities. These updates include the following:

  • HTML text will be encoded in fields that do not support HTML
  • Fields will be validated for potentially problematic JavaScript

The following curricula administration field is only impacted by the HTML encoding update:

  • Curriculum title

The following curricula administration fields are impacted by both the HTML encoding update AND the field validation update:

  • Section title
  • Section instructions
  • Note title
  • Note instructions


For the additional fields that are checked for problematic inputs of HTML and Javascript:

  • In affected fields that do not allow HTML, the field will display as HTML code and not as it would be rendered by a browser if tags are entered.
  • In fields that do allow HTML, the field is validated for Javascript, and the administrator cannot move on in the curriculum creation process if problematic code is found.
  • Impact to existing curricula - If a curriculum already has JavaScript in one of the fields that is now validated, this will continue to exist in that field until an administrator edits that curriculum and re-saves. At the time the curriculum is saved, the field will display a validation message and prevent the saving of the curriculum until the problematic JavaScript is removed.


This functionality is turned on by default for all portals using the Learning module. Note: Customers who have the backend setting enabled to bypass Cross Site Scripting (XSS) security measures are unaffected by this enhancement.


The following existing permission applies to this functionality:

Curricula Admin - Manage

Grants ability to create new and edit/update existing curricula. This permission can be constrained by OU, User's OU, Provider, and User's LO Availability. This is an administrator permission.

Adding an OU constraint and a provider constraint to this permission results in an "AND" statement.

Tip: Do not constrain this permission to your entire corporation; it can cause long page load times and timeout errors. Applying this constraint is functionally the same as leaving the permission unconstrained, but omitting this constraint does not cause the system to do the unnecessary constraint checks as in the former scenario.

Learning - Administration