Feature #9947

Install H5P quiz plugin

Added by Matt Gold 10 months ago. Updated 8 months ago.

Status: Reporter Feedback
Priority name: Normal
Assignee:
Category name: WordPress Plugins
Target version:
Start date: 2018-06-18
Due date:
% Done: 0%
Estimated time:

Description

Luke and I have been in conversation with Emily Fairey at Brooklyn College (a watcher on this ticket, too), who is working with faculty who are interested in using the H5P plugin for OER-related quizzing. Boone, can you please look this over and let us know whether it meets security requirements? From our conversations with Emily, it sounds like H5P offers features not currently offered by our other form and quiz plugins.

I've added Emily, Luke, and Scott as watchers here. And the Open@CUNY blog just did a post on H5P -- https://openatcuny.commons.gc.cuny.edu/2018/06/18/easily-make-oer-content-interactive-with-h5p/


Related issues

Related to CUNY Academic Commons - Support #10749: Plugin Request - H5P (Duplicate, 2018-11-26)

History

#1 Updated by Boone Gorges 10 months ago

  • Status changed from Assigned to Reporter Feedback

The H5P platform uses HTML5 and JavaScript to share content of different "Content Types". Allowing non-admins to upload arbitrary JavaScript and execute it on the front end introduces a number of serious security issues.

H5P's Content Types are not part of the WordPress plugin. As such, there's no way to perform a static security scan on them. These types are either pulled dynamically from the official H5P library, or are uploaded by users, who may create and share them.

If we want to allow H5P on the Commons, we need to make decisions about the level of risk (or, conversely, trust) we want to take on.

1. We could allow Content Types from the official H5P library. This involves trusting that the maintainers of the H5P library don't allow for security vulnerabilities. (Most are developed by their "Core Team", though it sounds like there's a push to accept more Types developed by the "community" - i.e., third parties.)

2. We could allow arbitrary H5P uploads from Commons users. This involves trusting that our users aren't malicious (or dupe-able).

I'd strongly recommend against 2. As in the case of custom WP plugins/themes, we should be doing a full code review of any items provided by members of the Commons community. Members who don't like this policy are always welcome to set up their own WordPress sites, where they're in full control.

As for 1: I don't know enough about the H5P project https://h5p.org/about-the-project to know what to think. As of right now, a realistic appraisal of the risks is probably that there's next to no risk. But if there were to be a breach, now or in the future, the ramifications would be very serious. Wearing the conservative hat of the person who has to deal with potential fallout, I'd recommend against its use. But if there's a sense that this would be a valuable tool for many Commons users, the risk/overhead may be worth it.
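A reviewer's aid for the trust decision above, added here as an example (not code from the ticket or from the H5P project): it lists the libraries an uploaded .h5p package bundles, together with the JavaScript each one declares, and flags any library not on a site-maintained allowlist of official Content Types, or shipping undeclared .js files, for manual code review. The package layout (h5p.json with preloadedDependencies, one folder per library with a library.json) and the allowlist contents are assumptions.

```python
import io
import json
import zipfile

# Allowlist of Content Types the site has decided to trust (assumed, site-specific).
OFFICIAL_ALLOWLIST = {"H5P.QuestionSet", "H5P.MultiChoice"}


def build_sample_package() -> bytes:
    """Constructed sample .h5p upload: one official library plus one third-party library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("h5p.json", json.dumps({
            "title": "Week 3 quiz",
            "mainLibrary": "H5P.QuestionSet",
            "preloadedDependencies": [
                {"machineName": "H5P.QuestionSet", "majorVersion": 1, "minorVersion": 17},
                {"machineName": "H5P.CommunityWidget", "majorVersion": 0, "minorVersion": 3},
            ],
        }))
        z.writestr("content/content.json", "{}")
        z.writestr("H5P.QuestionSet-1.17/library.json",
                   json.dumps({"preloadedJs": [{"path": "js/questionset.js"}]}))
        z.writestr("H5P.QuestionSet-1.17/js/questionset.js", "// official library code")
        z.writestr("H5P.CommunityWidget-0.3/library.json",
                   json.dumps({"preloadedJs": [{"path": "widget.js"}]}))
        z.writestr("H5P.CommunityWidget-0.3/widget.js", "// third-party code, unreviewed")
        z.writestr("H5P.CommunityWidget-0.3/extra.js", "// not declared in library.json")
    return buf.getvalue()


def audit_h5p(package: bytes, allowlist: set) -> dict:
    """Map each bundled library to its JS files and whether it needs manual review."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        meta = json.loads(z.read("h5p.json"))
        for dep in meta.get("preloadedDependencies", []):
            name = dep["machineName"]
            folder = f"{name}-{dep['majorVersion']}.{dep['minorVersion']}"
            declared = []
            lib_path = f"{folder}/library.json"
            if lib_path in names:
                lib = json.loads(z.read(lib_path))
                declared = [f"{folder}/{e['path']}" for e in lib.get("preloadedJs", [])]
            # JS present in the library folder but absent from library.json is suspicious.
            stray = sorted(n for n in names
                           if n.startswith(folder + "/") and n.endswith(".js") and n not in declared)
            report[name] = {"js_files": declared, "undeclared_js": stray,
                            "needs_review": name not in allowlist or bool(stray)}
    return report
```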

#2 Updated by Matt Gold 10 months ago

Thanks so much for reviewing this so quickly, Boone. I'm meeting with Luke tomorrow, so we can discuss then.

#3 Updated by Boone Gorges 10 months ago

  • Target version set to Future release

#4 Updated by Luke Waltzer 8 months ago

I'd like to re-explore supporting this tool, as the functionality offered by H5P keeps coming up. I plan to ask Laurie to get a version up and running on a test domain...

#5 Updated by Boone Gorges 5 months ago
