H5P Guides

Security model

Overview

The H5P system is exposed to several security challenges. We here explain how these challenges are handled.

.h5p files

When the .h5p files are validated each file inside the package is checked against a white-list of file extensions. These white-lists are possible for site administrators to alter. If a file is found that isn't on the white-list the .h5p package is rejected.

JavaScript files and other problematic files are by default and necessity allowed for H5P libraries but not for H5P content. Because of this only trusted users should be given permission to update h5p libraries.

In upcoming versions of H5P there will be features that verify libraries against h5p.org so that "not so trusted" users may also be allowed to update H5P libraries.

If a user without the update libraries permission uploads an H5P file the content will be stored and the libraries will be ignored given that the system already has the necessary libraries.

Sanitizing HTML and text input from the authoring tool

Input from authors is sanitized server-side using the same code for sanitizing user input that Drupal uses. Unsafe properties, protocols etc. is stripped away server side.

Sanitizing file locations

Each library is responsible for prefixing file locations with a library path or a content path to stop users from manipulating URLs making users visit other sites without knowing it.

Evaluating user's answers

The user's answer is evaluated client side. This means that the correct answer also exists client side and it is easy for users familiar to web development to cheat on tasks in H5P. The evaluation of answers will be moved server side in future versions to avoid this.