HTML5 questions obfuscation to avoid cheating

Hello, actually, when you're creating H5P content and uploading it for educational purposes, students can cheat by inspecting the source code of the H5P object and by copying and pasting the question into the search toolbar (Ctrl+F). It will then go automatically to where the question is inserted in the HTML5 source code, and they can find the answer to the question within the correct tag.

Here is the process to do it:

Right click on any H5P object, then open the source page:

Copy the question (ctrl + c) "What nginx is ?":

Go to the source page, open the search tool (Ctrl+F), paste the question "What is nginx" and press Enter:

Is there a way to obfuscate the question so that you can't just copy and paste the question into the source code to find the answer, please? Maybe encrypt the text with a JavaScript function.

Thanks in advance.


Here are the images that were not uploaded in the first message

BV52's picture

Hi Barnou,

There are already plans to fix this limitation, but I do not have any information on what stage of development we are at or when it will be released.


otacke's picture

According to, server-side evaluation will remain a feature exclusive to

Any client-side evaluation will not really be secure. You could encrypt the text, but the key would need to be located client-side, too. You could make cheating more difficult, but you cannot prevent it.

Yes, I understand, thank you for your answers. Maybe the key could be located in the platform where you install the H5P plugin, for instance on a Moodle course, then when you submit the form at the end you could use the key stored in the Moodle course to validate the form?

Although I understand that this feature could be exclusive to it could be nice to work with the community on this feature.

otacke's picture

These are two completely different things.

  1. Server-side evaluation doesn't need a key. The answers would never find their way into the browser.
  2. If there was a key, the client (the browser) would need it to decode the parameters, so you will have to send the key over to the browser with the parameters as well - where it then can be observed, too.
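
The distinction drawn in the last reply, as an added example that is not part of the original thread and is not H5P code: design A ships an obfuscated answer together with the key the browser needs to grade it, design B keeps the answer on the server and only receives the chosen option. All function names, the sample question and the XOR routine (a stand-in for any cipher) are assumptions made for illustration.

```javascript
// Added illustration; all names and the sample question are constructed.
// XOR stands in for any cipher: the argument does not depend on its strength.
function xorHex(text, key) {
  return Array.from(text, (ch, i) =>
    (ch.charCodeAt(0) ^ key.charCodeAt(i % key.length)).toString(16).padStart(2, "0")
  ).join("");
}
function unxorHex(hex, key) {
  return hex.match(/../g).map((h, i) =>
    String.fromCharCode(parseInt(h, 16) ^ key.charCodeAt(i % key.length))
  ).join("");
}

const QUESTION = {
  id: "q1",
  text: "What is nginx?",
  options: ["A web server", "A database", "A text editor"],
  correct: 0, // index into options
};

// Design A: client-side evaluation with obfuscated parameters.
// The browser must grade the answer, so the key travels with the payload.
function buildClientSidePayload(q, key) {
  return { id: q.id, text: q.text, options: q.options,
           correctEnc: xorHex(String(q.correct), key), key };
}
// Everything the page's own script can compute, a viewer of the page can too.
function recoverFromPayload(payload) {
  return Number(unxorHex(payload.correctEnc, payload.key));
}

// Design B: server-side evaluation. The payload carries no answer at all.
function buildServerSidePayload(q) {
  return { id: q.id, text: q.text, options: q.options };
}
// Runs on the server only; the browser submits the chosen option index.
function gradeOnServer(store, submission) {
  const q = store[submission.id];
  return { id: submission.id,
           correct: q !== undefined && submission.choice === q.correct };
}
```

In design A the plain-text search from the first post no longer finds the answer, but the payload still contains everything needed to derive it; in design B there is nothing in the page source to find.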