Security implications of H5P in Moodle 3.9


by Fabian Glagovsky -
Number of replies: 4

Hi, do you know of any security implications of letting students upload H5P content through the Atto editor, or in general? It comes by default on Moodle 3.9.

Can they SPAM, crosscript or freeze other students' browsers with malicious H5P content? Is it even possible to create malicious H5P content?

Best,

Fabian

In reply to Fabian Glagovsky

Re: Security implications of H5P in Moodle 3.9

by Beatriz Rojo -
Hello Fabian,
With the standard settings, the student role doesn't have access to the content bank, i.e. they cannot create any H5P content. I have checked and, in the case of an essay question, the Atto editor doesn't display the H5P button in a student role, so there are no security issues in this regard.
But the best would be to create a dummy student account and check how the role is configured in your site.
In reply to Beatriz Rojo

Re: Security implications of H5P in Moodle 3.9

by Fabian Glagovsky -

Thank you Beatriz. I didn't think of logging in as a student to see if the button appeared or not. Apparently it doesn't appear by default for the student role in Atto. Thank you!

Best,

Fabian

In reply to Fabian Glagovsky

Re: Security implications of H5P in Moodle 3.9

by Daniel Thies -

It is possible to create a malicious content type, but new content types have to be uploaded by a system administrator. It cannot be done by normal users. JavaScript is loaded from the content types. When editing content, users can really only change plain text.

The H5P filter allows users to include content from external sites, but only those on a list specified by the admin as safe. It is possible that malicious code is on one of those sites if the admin is not careful.
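Two defender-side checks that follow from Daniel's points, as an added example rather than code from Moodle or the H5P project: before an administrator uploads a content type, list every script the packaged libraries declare (the JavaScript that will run in learners' browsers), and check an embed URL's host against the admin's allowed-sources list with exact host matching rather than a substring search. The package layout assumed here (`h5p.json`, `content/content.json`, one `<MachineName-major.minor>/library.json` per library with its `preloadedJs` entries) follows the H5P package specification; the archive below is constructed in memory, and the allowlist function illustrates how such a check should match hosts, not how Moodle's filter implements it.

```python
import io
import json
import zipfile
from urllib.parse import urlsplit


def build_sample_package() -> bytes:
    """Build a minimal .h5p archive in memory (constructed sample, not a real content type)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Package manifest: main library plus the libraries the runtime must preload.
        z.writestr("h5p.json", json.dumps({
            "title": "Sample",
            "mainLibrary": "H5P.Sample",
            "preloadedDependencies": [
                {"machineName": "H5P.Sample", "majorVersion": 1, "minorVersion": 0},
                {"machineName": "H5P.Helper", "majorVersion": 2, "minorVersion": 3},
            ],
        }))
        # The editable content itself is plain JSON data, not code.
        z.writestr("content/content.json", json.dumps({"text": "plain text only"}))
        # Library with two scripts that the H5P runtime would load.
        z.writestr("H5P.Sample-1.0/library.json", json.dumps({
            "machineName": "H5P.Sample", "majorVersion": 1, "minorVersion": 0,
            "preloadedJs": [{"path": "sample.js"}, {"path": "vendor/extra.js"}],
            "preloadedCss": [{"path": "sample.css"}],
        }))
        z.writestr("H5P.Sample-1.0/sample.js", "// library code (sample)")
        z.writestr("H5P.Sample-1.0/vendor/extra.js", "// more library code (sample)")
        z.writestr("H5P.Sample-1.0/sample.css", "")
        # Library with no scripts at all.
        z.writestr("H5P.Helper-2.3/library.json", json.dumps({
            "machineName": "H5P.Helper", "majorVersion": 2, "minorVersion": 3,
        }))
    return buf.getvalue()


def inventory_scripts(package: bytes) -> dict:
    """Map each library directory in the archive to the scripts it declares.

    For every library we report: the script paths it will preload, whether the
    manifest declares it as a dependency, and declared scripts missing from the
    archive (a sign of a malformed package)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        meta = json.loads(z.read("h5p.json"))
        declared = {f"{d['machineName']}-{d['majorVersion']}.{d['minorVersion']}"
                    for d in meta.get("preloadedDependencies", [])}
        for name in names:
            # Library manifests live exactly one level down: <libdir>/library.json
            if not name.endswith("/library.json") or name.count("/") != 1:
                continue
            libdir = name.split("/")[0]
            lib = json.loads(z.read(name))
            scripts = [f"{libdir}/{e['path']}" for e in lib.get("preloadedJs", [])]
            result[libdir] = {
                "scripts": scripts,
                "declared": libdir in declared,
                "missing_files": [s for s in scripts if s not in names],
            }
    return result


def embed_host_allowed(url: str, allowed_hosts) -> bool:
    """True if the URL's host equals an allowed host or is a subdomain of one.

    Matching the parsed hostname exactly (rather than searching the URL string)
    means a path or query that merely contains an allowed name does not pass."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    host = host.lower()
    return any(host == a or host.endswith("." + a)
               for a in (h.lower() for h in allowed_hosts))


if __name__ == "__main__":
    for libdir, info in inventory_scripts(build_sample_package()).items():
        print(libdir, info)
    print(embed_host_allowed("https://h5p.org/h5p/embed/1", ["h5p.org"]))
```

Run against a real `.h5p` file by reading its bytes into `inventory_scripts`; any library whose `scripts` list is non-empty is code that every viewer's browser will execute once the administrator installs it, so those files are what to review before uploading.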