The H5P system is exposed to several security challenges. This page explains how they are handled.
When .h5p files are validated, each file inside the package is checked against a white-list of file extensions. Site administrators can alter these white-lists. If a file is found that isn't on the white-list, the .h5p package is rejected.
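The extension check described above, as an added sketch in Python; it is not H5P's own code. The white-list contents, the function names and the choice to reject files with no extension are assumptions made for this example, and the sample packages are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed white-list for illustration; a real site's list is set by its administrator.
ALLOWED_EXTENSIONS = {"json", "png", "jpg", "gif", "js", "css", "svg", "mp4", "txt"}


def disallowed_files(package_bytes, allowed=ALLOWED_EXTENSIONS):
    """Return the names of archive entries whose extension is not white-listed."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the final suffix counts, so "photo.png.php" is judged as "php".
            # Comparison is case-insensitive; files with no extension are rejected.
            ext = PurePosixPath(info.filename).suffix.lstrip(".").lower()
            if ext not in allowed:
                rejected.append(info.filename)
    return rejected


def validate_package(package_bytes, allowed=ALLOWED_EXTENSIONS):
    """Accept the package only if every file passes; one bad file rejects it all."""
    try:
        rejected = disallowed_files(package_bytes, allowed)
    except zipfile.BadZipFile:
        return False, ["<not a zip archive>"]
    return (not rejected), rejected


def build_sample(files):
    """Build a constructed in-memory package from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in files.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages (not real H5P content).
GOOD = build_sample({"h5p.json": "{}", "content/content.json": "{}",
                     "content/images/Photo.PNG": "x"})
BAD = build_sample({"h5p.json": "{}", "content/images/photo.png.php": "<?php ?>",
                    "content/README": "no extension"})

if __name__ == "__main__":
    print(validate_package(GOOD))
    print(validate_package(BAD))
```

The check reads only the archive's file listing, so nothing from a rejected package is ever extracted to disk.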
In upcoming versions of H5P there will be features that verify libraries against h5p.org so that "not so trusted" users may also be allowed to update H5P libraries.
If a user without the update libraries permission uploads an H5P file, the content will be stored and the libraries will be ignored, given that the system already has the necessary libraries.
Sanitizing HTML and text input from the authoring tool
Input from authors is sanitized server-side using the same code that Drupal uses for sanitizing user input. Unsafe properties, protocols, etc. are stripped away server-side.
Sanitizing file locations
Each library is responsible for prefixing file locations with a library path or a content path. This stops users from manipulating URLs so that other users are sent to other sites without knowing it.
Evaluating user's answers
The user's answer is evaluated client-side. This means that the correct answer also exists client-side, and it is easy for users familiar with web development to cheat on tasks in H5P. The evaluation of answers will be moved server-side in future versions to avoid this.