Interactive Video: "Prevent skipping forward" and Dumb but 100% correct answering

Submitted by wiktor.wandachowicz on Wed, 09/22/2021 - 15:26
Forums: 
Bugs in content types

I would like to report two problems in Interactive Video.

1) Behavioural settings > Prevent skipping forward in a video

One of our Polish "creative" students has found a very easy workaround.
Given that for example Google Chrome web browser has "Inspect" in context menu, just right-click on H5P video and select that "Inspect" option.
In DevTools select "Console" and type following JavaScript that results in "virtual skip forward" of video:

document.querySelector('video.h5p-video').currentTime = parseFloat(
  document.querySelector('.h5p-seekbar-interaction.h5p-singlechoiceset-interaction:not(.h5p-interaction-answered)').style.left
)*parseFloat(
  document.querySelector('a.ui-slider-handle.ui-state-default.ui-corner-all').ariaValueMax
)*0.01-0.5;

In Firefox it might be necessary to right-click on #document node of iframe in "Inspector" and select "Open in console".
This might result in creation of temporary variable, like "temp0" for which the above JavaScript needs to be altered a little:

temp0.querySelector('video.h5p-video').currentTime = parseFloat(
  temp0.querySelector('.h5p-seekbar-interaction.h5p-singlechoiceset-interaction:not(.h5p-interaction-answered)').style.left
)*parseFloat(
  temp0.querySelector('a.ui-slider-handle.ui-state-default.ui-corner-all').attributes['aria-valuemax'].value
)*0.01-0.5;


2) Dumb but 100% correct answering

Given that Interactive Video has "Single Choice Set" interactions placed inside video, there is a very easy workaround to answer correctly all questions without even thinking!
Whenever a question is displayed, just run the following JavaScript code:

document.querySelector('li.h5p-sc-alternative.h5p-sc-is-correct').click();  // CSS class ".h5p-sc-is-correct" - this is the worst!
document.querySelector('button.h5p-ssc-next-button.h5p-joubelui-button').click();
document.querySelector('button.h5p-question-iv-continue.h5p-joubelui-button').click();

for Firefox it could be:

temp0.querySelector('li.h5p-sc-alternative.h5p-sc-is-correct').click();
temp0.querySelector('button.h5p-ssc-next-button.h5p-joubelui-button').click();
temp0.querySelector('button.h5p-question-iv-continue.h5p-joubelui-button').click();

 

This seems funny at first, but such simple JavaScript workarounds mean a real possibility of cheating!
At least for me, and other teachers at my university.

DETAILS:

  • Platform: Moodle 3.10
  • Desktop browser: Google Chrome, or Firefox
  • H5P plugin version: mod_hvp for Moodle (1.22.3 - 2021061100)
    and built-in mod_h5pactivity (2020110900) - with "H5P framework v1.24 (h5plib_v124)"
  • H5P content type and version: Interactive Video
  • Any browser console errors: none, instead a provided JavaScript is expected to be ENTERED in the Console window
  • Any PHP errors: none
  • Screenshots if it's a visual problem: attached a tutorial (written in Polish), how to overcome safety options in H5P Interactive Video
  • Any recent changes to the environment: described workaround works in Moodle 3.8 as well as in Moodle 3.10
  • Any recent changes to the browser you're using: none
H5P file: 
Binary Data interactive-video-single-choice.h5p
Attachments: 
Image icon kurs_bhp_haxy_edit_by_Lewy.png
Content types: 
Interactive Video
otacke's picture

otacke

Wed, 09/22/2021 - 16:19

Hi wiktor!

There's a fix for the 2nd issue that you're mentioning. In the end, however, you cannot prevent cheating with H5P in general regardless of the content type you are using. That's because H5P content runs inside the browser. It may take a little more effort than looking at the so called DOM, but it doesn't require much knowledge to obtain the answers using the developer tools that all modern browsers provide. That's not a secret.

Cheers,
Oliver

wiktor.wandachowicz

Thu, 09/23/2021 - 10:33

Thanks, Oliver for pointing out possible solution for the second issue.

However Moodle relies on official distribution of H5P libraries, which are automatically updated. So unless the reported problems are not solved in the official upgrade, this will still remain problematic and possible to work around :(

Of course when all data - including questions and corrent/incorrect answers - are loaded into the browser's memory, it is still possible to find a way to do JavaScript tricks. Only interaction with the server side program, which checks the correctness of the answers, may prevent such alterations. That's the state of the art as it is right now.

Best regards,
Wiktor

wiktor.wandachowicz

Thu, 09/23/2021 - 10:36

Thanks, Oliver for pointing out possible solution for the second issue.

However Moodle relies on official distribution of H5P libraries, which are automatically updated. So unless the reported problems are not solved in the official upgrade, this will still remain problematic and possible to work around :(

Of course when all data - including questions and corrent/incorrect answers - are loaded into the browser's memory, it is still possible to find a way to do JavaScript tricks. Only interaction with the server side program, which checks the correctness of the answers, may prevent such alterations. That's the state of the art as it is right now.

Best regards,
Wiktor

otacke's picture

otacke

Thu, 09/23/2021 - 16:23

Hi Wiktor!

I am aware that the changes need to be included into the official code if you don't want to patch it yourself, but reviewing and merging-in that code is up to the H5P core team, not to me.

And yes, I am also aware that server-side evaluation is required for proper testing. It's on the roadmap of the H5P core team for (H5P.com at least), but you will have to ask them for details. 

Cheers,
Oliver

BV52's picture

BV52

Thu, 09/23/2021 - 20:30

Hi Wiktor,

I speak for the H5P core team and currently we do not have a timeline when the backend evalutaion as well as merging of Oliver's PR will be released. I will however follow up with the developers on your behalf.

-BV