H5P has two primary security features, an HTML purifier and a file extension whitelist.
All author input is validated and purified server side based on the allowed types and tags specified by the libraries semantics. As long as semantics doesn't specifically allow dangerous tags developers shouldn't worry about escaping the content.
If developers escape content it might lead to double escaping, for instance if using jQuery's text function instead of html function on an already escaped string you'll end up with double escaping.
The extension whitelist makes sure that dangerous files aren't being uploaded and placed on the server. For instance an .h5p file containing .php files will be refused.
Sanitizing file locations
Each library is responsible for prefixing file locations with a library path or a content path to stop users from manipulating urls making users visit other sites without knowing it.