Support #20686
openH5P request
0%
Description
Via Keeping, from Joshua Tan:
What's the name of the plugin/theme?
*
H5P
In a few words, what does it do?
*
It allows for interactive educational content.
Please provide a link to the plugin on the WordPress theme repository or (https://wordpress.org/themes/) plugin repository (https://wordpress.org/plugins/)
*
https://wordpress.org/plugins/h5p/#installation
Please research the release history and popularity of the plugin. How many times has it been downloaded? When was it last updated?
*
40,000+ implementations. It continues to be updated as H5P is an active collaboration.
How is the plugin/theme different from what's already provided on the Commons?
*
I don't think there is anything comparable available on Commons.
Please let us know who you are (include a link to your site) and who will use this tool?
*
Joshua Tan https://commons.gc.cuny.edu/members/joshuapaultan/ There are other collaborators and online educators interested in having a commons instance of this plugin. It's already used on pressbooks.cuny.edu
Related issues
Updated by Boone Gorges 5 months ago
- Related to Support #10749: Plugin Request - H5P added
Updated by Boone Gorges 5 months ago
- Related to Feature #9947: Install H5P quiz plugin added
Updated by Colin McDonald 5 months ago
Following up on last week's call, it IS possible to create H5P content on their "community site" h5p.org, but embedding/sharing that content is not recommended because H5P does not guarantee its hosting/reliability:
https://h5p.org/h5p-org-only-for-testing-h5p
H5P promotes the Wordpress plugin because, while it uses the same (free, open-source) library as anything you can make on h5p.org, it is hosted wherever the Wordpress installation is hosted, rather than with H5P, and they want to avoid the hosting burden.
I think we'd need to further explore enabling the plugin if we want to let users utilize H5P on the Commons. The security concerns seem (to my limited view) substantial, though. This page doesn't inspire much confidence:
https://h5p.org/documentation/installation/security
The "Evaluating user's answers" section at the bottom is particularly interesting to me from a pedagogical standpoint. Should we ever enable this, we'll need to make professors aware that they probably shouldn't use H5P quizzes/content for evaluation of any kind, if "it is easy for users familiar to web development to cheat on tasks in H5P."
Updated by Boone Gorges 5 months ago
Thanks for reviewing, Colin.
I've had another look at the plugin to refresh my memory on how it works. Here's a summary:
1. The H5P security page https://h5p.org/documentation/installation/security says that JS files are only required for H5P libraries, not content. This appears true in a way - content is defined in a JSON file - but it skims over the fact that .h5p uploadable packages contain their own copies of the required libraries. See eg https://h5p.org/specification - libraries like H5P.Blanks will necessarily contain JS files. .h5p files are standard zip files, so it would be trivial to create an .h5p file, modify the enclosed libraries, and then upload to a site using the WP plugin.
2. As suggested on our most recent call, I think that it would probably be OK to allow the plugin if we could disable the ability to upload .h5p files. From a cursory investigation, it appears that this would mean several things.
a. First, we'd have to disable the ability to upload Libraries at Dashboard > H5P Content > Libraries. There's no fine-grained way to do this in the H5P plugin itself. This particular template file has a capability check 'disable_h5p_security' https://github.com/h5p/h5p-wordpress-plugin/blob/8a81beb2e65be9f4a32f89f8f7f49ffcd8aee7fe/admin/views/libraries.php#L59 but it only wraps the ability to bypass file-extension checks. Probably the most straightforward move would be to remove the Libraries panel altogether. However, the plugin doesn't come with any libraries, and you can't create local content without these libraries. So we'd have to allow access to the "Hub", which allows the download of libraries from the central H5P library-of-libraries. This still introduces the possibility of a security issue, but it'd be limited to bad actors on the H5P Hub.
b. We'd need to disallow the ability to choose 'Upload' at Dashboard > H5P Content > Add New. This interface is part of a single H5P editor app, and I don't know whether it's possible to disable from outside the app. We could perhaps ask for some modification in h5p-hub-client that would allow us to turn it off: https://github.com/h5p/h5p-hub-client/blob/aa259b637f2873d76918f7543a22ba0aaeb650ca/src/scripts/Components/Hub.js#L143
I'm afraid that my opinion hasn't changed much since #9947. Allowing general use of the plugin introduces security risks that are difficult to justify. And the modifications that would be necessary to mitigate these concerns are not easy to make.
Updated by Marilyn Weber 4 months ago
Given that I haven't heard back from the requestor, I think we can skip it.
Updated by Raymond Hoh 4 months ago
- Related to Feature #12121: Embedding H5P Iframes on Commons Site added
Updated by Raymond Hoh 4 months ago
I've added #12121 to the related issues list as there is some good discussion regarding H5P there as well.