CUNY Academic Commons

The H5P platform uses HTML5 and JavaScript to share content of different "Content Types". Allowing non-admins to upload arbitrary JavaScript and execute it on the front end introduces a number of serious security issues.

H5P's Content Types are not part of the WordPress plugin. As such, there's no way to perform a static security scan on them. These types are either pulled dynamically from the official H5P library, or are uploaded by users, who may create and share them.

If we want to allow H5P on the Commons, we need to make decisions about the level of risk (or, conversely, trust) we want to take on.

1. We could allow Content Types from the official H5P library. This involves trusting that the maintainers of the H5P library don't allow for security vulnerabilities. (Most are developed by their "Core Team", though it sounds like there's a push to accept more Types developed by the "community" - ie, third parties.)

2. We could allow arbitrary H5P uploads from Commons users. This involves trusting that our users aren't malicious (or dupe-able).

I'd strongly recommend against 2. As in the case of custom WP plugins/themes, we should be doing a full code review of any items provided by members of the Commons community. Members who don't like this policy are always welcome to set up their own WordPress sites, where they're in full control.

As for 1: I don't know enough about the H5P project https://h5p.org/about-the-project to know what to think. As of right now, a realistic appraisal of the risks is probably that there's next to no risk. But if if there were to be a breach, now or in the future, the ramifications would be very serious. Wearing the conservative hat of the person who has to deal with potential fallout, I'd recommend against its use. But if there's a sense that this would be a valuable tool for many Commons users, the risk/overhead may be worth it.