Thanks for reviewing, Colin.
I've had another look at the plugin to refresh my memory on how it works. Here's a summary:
1. The H5P security page https://h5p.org/documentation/installation/security says that JS files are only required for H5P libraries, not content. This appears true in a way - content is defined in a JSON file - but it skims over the fact that .h5p uploadable packages contain their own copies of the required libraries. See e.g. https://h5p.org/specification - libraries like H5P.Blanks will necessarily contain JS files. .h5p files are standard zip files, so it would be trivial to create an .h5p file, modify the enclosed libraries, and then upload to a site using the WP plugin.
2. As suggested on our most recent call, I think that it would probably be OK to allow the plugin if we could disable the ability to upload .h5p files. From a cursory investigation, it appears that this would mean several things.
a. First, we'd have to disable the ability to upload Libraries at Dashboard > H5P Content > Libraries. There's no fine-grained way to do this in the H5P plugin itself. This particular template file has a capability check 'disable_h5p_security' https://github.com/h5p/h5p-wordpress-plugin/blob/8a81beb2e65be9f4a32f89f8f7f49ffcd8aee7fe/admin/views/libraries.php#L59 but it only wraps the ability to bypass file-extension checks. Probably the most straightforward move would be to remove the Libraries panel altogether. However, the plugin doesn't come with any libraries, and you can't create local content without these libraries. So we'd have to allow access to the "Hub", which allows the download of libraries from the central H5P library-of-libraries. This still introduces the possibility of a security issue, but it'd be limited to bad actors on the H5P Hub.
b. We'd need to disallow the ability to choose 'Upload' at Dashboard > H5P Content > Add New. This interface is part of a single H5P editor app, and I don't know whether it's possible to disable from outside the app. We could perhaps ask for some modification in h5p-hub-client that would allow us to turn it off: https://github.com/h5p/h5p-hub-client/blob/aa259b637f2873d76918f7543a22ba0aaeb650ca/src/scripts/Components/Hub.js#L143
I'm afraid that my opinion hasn't changed much since #9947. Allowing general use of the plugin introduces security risks that are difficult to justify. And the modifications that would be necessary to mitigate these concerns are not easy to make.
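
Added example (not part of the original comment, and not H5P or plugin code): a sketch of a pre-upload audit for point 1, listing the libraries bundled inside a .h5p zip and reporting any script whose SHA-256 is not on an allowlist. The allowlist, the sample package and the function names are assumptions constructed for illustration.

```python
import hashlib
import io
import json
import zipfile


def audit_h5p(package: bytes, trusted_sha256: set[str]) -> dict:
    """List libraries bundled in a .h5p package and the scripts we cannot vouch for."""
    libraries, unverified = [], []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            _top, _, rest = name.partition("/")
            # A top-level folder holding library.json is a bundled library copy.
            if rest == "library.json":
                meta = json.loads(zf.read(name))
                libraries.append(
                    f'{meta["machineName"]} {meta["majorVersion"]}.{meta["minorVersion"]}'
                )
            # Check every script in the archive, wherever it sits, against the allowlist.
            if name.lower().endswith(".js"):
                digest = hashlib.sha256(zf.read(name)).hexdigest()
                if digest not in trusted_sha256:
                    unverified.append(name)
    return {"libraries": sorted(libraries), "unverified_scripts": sorted(unverified)}


def build_sample(blanks_js: bytes) -> bytes:
    """Constructed sample package for the demo (not a real H5P release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", json.dumps({"title": "demo", "mainLibrary": "H5P.Blanks"}))
        zf.writestr("content/content.json", "{}")
        zf.writestr(
            "H5P.Blanks-1.12/library.json",
            json.dumps({"machineName": "H5P.Blanks", "majorVersion": 1, "minorVersion": 12}),
        )
        zf.writestr("H5P.Blanks-1.12/js/blanks.js", blanks_js)
    return buf.getvalue()


# Assumption: hashes would come from a copy of the library you have reviewed.
TRUSTED_JS = b"/* constructed stand-in for the reviewed library script */"
TRUSTED = {hashlib.sha256(TRUSTED_JS).hexdigest()}

if __name__ == "__main__":
    print(audit_h5p(build_sample(TRUSTED_JS), TRUSTED))
    print(audit_h5p(build_sample(TRUSTED_JS + b"\n/* local edit */"), TRUSTED))
```
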