Feature #9947


Install H5P quiz plugin

Added by Matt Gold over 5 years ago. Updated about 5 years ago.

Reporter Feedback
Priority name:
Category name:
WordPress Plugins
Target version:
Start date:
Due date:
% Done:


Estimated time:
Deployment actions:


Luke and I have been in conversation with Emily Fairey at Brooklyn College (a watcher on this ticket, too), who is working with faculty who are interested in using the H5P plugin for OER-related quizzing. Boone, can you please look this over and let us know whether it meets security requirements? From our conversations with Emily, it sounds like H5P offers features not currently offered by our other form and quiz plugins.

I've add Emily, Luke, and Scott as watchers here. And the Open@CUNY blog just did a post on H5P --

Related issues

Related to CUNY Academic Commons - Support #10749: Plugin Request - H5PDuplicate2018-11-26

Related to CUNY Academic Commons - Feature #12121: Embedding H5P Iframes on Commons SiteReporter FeedbackBoone Gorges2019-11-20

Actions #1

Updated by Boone Gorges over 5 years ago

  • Status changed from Assigned to Reporter Feedback

The H5P platform uses HTML5 and JavaScript to share content of different "Content Types". Allowing non-admins to upload arbitrary JavaScript and execute it on the front end introduces a number of serious security issues.

H5P's Content Types are not part of the WordPress plugin. As such, there's no way to perform a static security scan on them. These types are either pulled dynamically from the official H5P library, or are uploaded by users, who may create and share them.

If we want to allow H5P on the Commons, we need to make decisions about the level of risk (or, conversely, trust) we want to take on.

1. We could allow Content Types from the official H5P library. This involves trusting that the maintainers of the H5P library don't allow for security vulnerabilities. (Most are developed by their "Core Team", though it sounds like there's a push to accept more Types developed by the "community" - ie, third parties.)

2. We could allow arbitrary H5P uploads from Commons users. This involves trusting that our users aren't malicious (or dupe-able).

I'd strongly recommend against 2. As in the case of custom WP plugins/themes, we should be doing a full code review of any items provided by members of the Commons community. Members who don't like this policy are always welcome to set up their own WordPress sites, where they're in full control.

As for 1: I don't know enough about the H5P project to know what to think. As of right now, a realistic appraisal of the risks is probably that there's next to no risk. But if if there were to be a breach, now or in the future, the ramifications would be very serious. Wearing the conservative hat of the person who has to deal with potential fallout, I'd recommend against its use. But if there's a sense that this would be a valuable tool for many Commons users, the risk/overhead may be worth it.

Actions #2

Updated by Matt Gold over 5 years ago

Thanks so much for reviewing this so quickly, Boone. I'm meeting with Luke tomorrow, so we can discuss then.

Actions #3

Updated by Boone Gorges over 5 years ago

  • Target version set to Future release
Actions #4

Updated by Luke Waltzer about 5 years ago

I'd like to re-explore supporting this tool, as the functionality offered by H5P keeps coming up. I plan to ask Laurie to get a version up an running on a test domain....

Actions #5

Updated by Boone Gorges about 5 years ago

Actions #6

Updated by Boone Gorges about 4 years ago

  • Related to Feature #12121: Embedding H5P Iframes on Commons Site added

Also available in: Atom PDF