• Resolved JohnArcadian

    (@johnarcadian)


    H5P looks fascinating and worthwhile, but the fact that it is packaged JavaScript means my university is having a lot of concerns about implementing it on a site. If there were a feature to turn off the upload functionality within the admin page, that would eliminate a potential attack vector.

    As it is, this is a huge security risk where someone could be provided an H5P file that has been unzipped, modified, and rezipped so that the JavaScript compromises the server or the user experience.

  • Plugin Author icc0rz

    (@icc0rz)

    Hi,
    Thank you for posting your concerns. I want you to know that we take security matters very seriously.

    Note that only users with the capability named manage_h5p_libraries can upload and install new JavaScript libraries on the site. If the user does not have this permission, any JavaScript in the package is simply discarded.
    You should take care which role or user you assign this capability to.
    By default, this is assigned to the administrator role of the site.

    There is another capability named ‘install_recommended_h5p_libraries’ that allows for downloading JavaScript through the editor, but these downloads are limited to the h5p.org domain.
    By default, this is assigned to the editor role of the site.

    Note that upload and download of content is an important feature for many authors as it gives them the possibility to both easily backup and share content that they make.

  • The topic ‘Request To Allow Turning off of Upload Feature’ is closed to new replies.
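
An added example, not part of the thread and not code from the H5P project: a script that reports which roles and individual users hold the two capabilities named in the reply, and can strip them from everything except the roles you choose to keep. It assumes it is run inside WordPress (for instance with WP-CLI's `wp eval-file`); the file name, the `$revoke` switch and the `$keep_roles` list are hypothetical.

```php
<?php
// Added example: audit (and optionally revoke) the two H5P capabilities
// named in the reply above. Run inside WordPress, e.g.:
//   wp eval-file h5p-cap-audit.php          (file name is hypothetical)
// The capability names come from the thread; everything else is illustrative.

$h5p_caps = array( 'manage_h5p_libraries', 'install_recommended_h5p_libraries' );

// Hypothetical switch: set to true to strip the capabilities from every
// role that is not listed in $keep_roles, and from per-user grants.
$revoke     = false;
$keep_roles = array( 'administrator' );

// 1. Roles: wp_roles()->roles maps role slug => name + capabilities array.
foreach ( wp_roles()->roles as $slug => $details ) {
    foreach ( $h5p_caps as $cap ) {
        if ( empty( $details['capabilities'][ $cap ] ) ) {
            continue; // role does not hold this capability
        }
        echo "role {$slug} has {$cap}\n";
        if ( $revoke && ! in_array( $slug, $keep_roles, true ) ) {
            get_role( $slug )->remove_cap( $cap );
            echo "  -> removed {$cap} from role {$slug}\n";
        }
    }
}

// 2. Users: a capability can also be granted to one account directly,
// outside any role. WP_User::$caps holds those per-user grants.
foreach ( get_users() as $user ) {
    foreach ( $h5p_caps as $cap ) {
        if ( empty( $user->caps[ $cap ] ) ) {
            continue; // no direct grant on this account
        }
        echo "user {$user->user_login} has a direct grant of {$cap}\n";
        if ( $revoke ) {
            $user->remove_cap( $cap );
            echo "  -> removed direct grant from {$user->user_login}\n";
        }
    }
}
```

Run it once with `$revoke = false` to review the report before changing anything; role changes made by `remove_cap()` are stored in the database and persist until the capability is granted again.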