The H5P system is exposed to several security challenges. We here explain how these challenges are handled.
When the .h5p files are validated each file inside the package is checked against a white-list of file extensions. These white-lists are possible for site administrators to alter. If a file is found that isn't on the white-list the .h5p package is rejected.
In upcoming versions of H5P there will be features that verify libraries against h5p.org so that "not so trusted" users may also be allowed to update H5P libraries.
If a user without the update libraries permission uploads an H5P file the content will be stored and the libraries will be ignored given that the system already has the necessary libraries.
Sanitizing HTML and text input from the authoring tool
Input from authors is sanitized server-side using the same code for sanitizing user input that Drupal uses. Unsafe properties, protocols etc. is stripped away server side.
Sanitizing file locations
Each library is responsible for prefixing file locations with a library path or a content path to stop users from manipulating URLs making users visit other sites without knowing it.
Evaluating user's answers
The user's answer is evaluated client side. This means that the correct answer also exists client side and it is easy for users familiar to web development to cheat on tasks in H5P. The evaluation of answers will be moved server side in future versions to avoid this.
Sat, 02/18/2017 - 14:21
preventing content from getting copied
how to prevent the content of h5p file from getting copied. i use h5p in moodle.... and the images and text can be copied by using right click button....i diasabled the download button...but copy paste funtion still allows to copy data....how to make data secure and available only to the paying customers??
Mon, 02/20/2017 - 07:17
There are options to set the copyright data on all media and on the H5P. This will not prevent the user from being able to copy it, only inform them that the image or text is copyrighted or under a certain licence.
This will not prevent them from downloading anything. But when the data has shown up on their computer, it's very little you can do to stop them.
Mon, 02/20/2017 - 07:19
Regarding the only making it available to paying customers. That is something you have to handle with user access settings in Moodle.
Sat, 02/18/2017 - 14:41
password protection for h5p files
can we password protect the h5p files?
Mon, 02/20/2017 - 07:54
You can use the built in access controls in your system (Drupal, WordPress or Moodle) to handle access to the page where you h5p is displayed.
Mon, 02/20/2017 - 10:32
hi tomaj ...thanks for replying...tomaj, suppose i use course presentation module....then suppose i added 10 slides....now when the user opens the webpage displaying course presentation module ...only one slide is displayed at a time...so if a user decides to copy the html page he will have to copy html pages 10 times for each slide separately...right? since i disabled the download file option...right? is it still possible for him to download the complete h5p file in one go even when i disabled the option in the h5p plugin settings? in plugin settings i disabled the download option..
Mon, 02/20/2017 - 10:35
if it takes him saving the
if it takes him saving the html pages 10 times then he will be discouraged to steal the material....
Mon, 02/20/2017 - 10:44
actually i tried this by
actually i tried this by logging in as a student user...when i copy the html page only the displayed part gets copied....so one will have to copy 10 pages for the complete presentation...but i am not a IT / computer man...so maybe i don't know the tricks to download...that's why i asked is it still possible for him to download all the content in one go after disabling the download option in h5p settings?? i hope i am able to explain my query sufficiently...and thanks again for the first reply...
Tue, 02/21/2017 - 08:28
From a technical standpoint, there is really nothing you can do to protect your content, other then taking people to court over copyright infringement.
It might be technically possible to use something like EME for videos (like Netflix does), but this is not something H5P supports.
Thu, 08/03/2017 - 16:36
Is there a way to disable viewing/playing H5P content except on a certain domain?
Fri, 08/04/2017 - 10:29
This is not possible for
This is not possible for content hosted on h5p.org, but if you have your own WordPress, Drupal or Moodle site you can set this up by specifying the X-Frame-Options header.
Mon, 12/21/2020 - 14:58
Server side evaluation.
The evaluation of answers will be moved server side in future versions to avoid this. <- Any news on this? Has this process started yet?
Thu, 04/14/2022 - 19:27
IT Security Documentation
I have been trying to contact my H5P representitve, Ryan Barber for a couple of months to have required security documents completed for mu Central IT Security department and have gotten no response. Can some one respond? Or should I be contacting someone else?