A short voluntary H5P fire department story line

H5P is a pretty open format. Barriers for tweaking things are relatively low. For instance, you can easily download an H5P file, unzip it (yes, despite the file extension .h5p it’s merely a zip file), and then peek at all the files that you can open and modify with a plain text editor. That’s great! And that’s terrible, at least for the time being. Here’s why.

But first, the important bits, aka …

TL;DR

  1. Please, please, do not change the official code of content types on your system if there is the slightest chance that the contents that use it can leave the platform. You may not only mess up your platform, but the platform of other people, too.
  2. Please, do not upload H5P content with administrative rights if you’re not sure that it is fine (or you know what you’re doing). On WordPress, in general, it’s a good idea to set up an editor account and not do everything with an admin account.
  3. The former two points will become less relevant once H5P Group introduces a way to ensure that H5P libraries that are supposed to be installed are official ones. There’s a suggestion on the H5P forums, feel free to vote it up! I am sure that topic is on their agenda for the new H5P Hub server that they are planning, but until then: 1. and 2.

April 20, 2024, 08:26

Someone posted on the H5P forums and reported an issue with an Interactive Book content when uploading it to WordPress. Course Presentations disappeared from the content after uploading. The content file looked fine. It could be uploaded to other sites without any trouble. Therefore, the problem supposedly was lurking somewhere on that WordPress site. Narrowing it down would hardly be possible without being able to look at the server, but no further information was supplied after April 22, 2024.

April 25, 2024, 10:30

I met with staff of different German universities that are linked via the HU moodle forums. Someone also mentioned a similar issue: An Interactive Book content could not be uploaded to a moodle site at all. I promised to take a look and received the file at 11:24. I investigated the file and found what was causing this issue and the one on the WordPress site.

April 25, 2024, 13:48

I sent my “report” and suggested immediately stopping the sharing of Interactive Book and Column contents if one found Column 1.16.6 among the installed libraries. Skip the rest of this time stamp if it feels too technical for you. The gist is:

It can be dangerous to upload H5P content of other people. You can wreck existing content this way. Do not upload H5P content from others with administrative rights without care! If you wonder why you cannot upload an H5P content file: It’s likely for a good reason.

H5P content files do not only contain the parameters that an author has set for the content, not only the media files that one may have used, but also all the H5P libraries of the content types that are required to run and display the content. That’s a blessed feature, because it makes sharing content much easier. It’s a curse in its current form as well, as it’s responsible for the trouble.

I found that the library for H5P.Column, which is responsible for displaying a Course Presentation inside an Interactive Book, had version number 1.16.6. That was odd – because the latest version that was published by H5P Group was 1.16.5. Comparing the files of the two different incarnations of Column I found:

  1. The official version (1.16.5) uses Course Presentation (1.25.x) and Interactive Video (1.26.x).
  2. The strange version (1.16.6) used Course Presentation (1.24.x) and Interactive Video (1.24.x).

The “newer” version of Column is not an official version. Someone must have patched the original code, used his/her version and (accidentally) let it loose in the wild – and there it has spread and gone unnoticed since January 19, 2024 at least. The “newer” version referenced an older version of the two content types. This causes a lot of trouble, please see the details below if you’re interested in what exactly happened.

The important bit is that someone had modified Column, changed the version number and spread the content. And when others uploaded that content with administrative rights, they automatically installed that patched version of Column, too. And that will break things eventually.

April 25, 2024, 14:03

I informed the poster on the H5P forums about the issue and suggested taking measures.

April 25, 2024, 15:31

The addressee of the report had tried to find out where the “infected” content came from. Lumi Cloud was not the source, but also had Column 1.16.6 installed.

April 25, 2024, 17:58

I informed Lumi about the issue, as they are a popular site that content is shared on and re-used from. They replied very quickly and investigated the issue on their end.

April 25, 2024, 18:20

I had thought about ways to fix this. One could, of course, correct database entries and other things, but the approach wouldn’t be completely identical on every platform, it would be hard to explain to hobby admins, wrong “fixes” could cause other trouble, and so on.

The simplest approach seemed to be that H5P Group re-released version 1.16.5 as 1.16.7. People would just need to update the content type, and that would set the dependencies straight. That would also fix existing content that may have been compromised unless it had been edited and saved. I informed H5P Group accordingly.

April 26, 2024, 15:36

H5P Group promised to look into this, but they wouldn’t want to do this “all the time” if someone decided to tamper with H5P libraries.

April 26, 2024, 16:46

H5P Group reported to have released Column 1.16.7.

All is well that ends well?

Not quite, I think. There are a couple of things one should take away from this brief story:

  1. Please, please, do not change the official code of content types on your system if there is the slightest chance that the contents that use it can leave the platform. You may not only mess up your platform, but the platform of other people, too.
  2. Please, do not upload H5P content with administrative rights if you’re not sure that it is fine (or you know what you’re doing). On WordPress, in general, it’s a good idea to set up an editor account and not do everything with an admin account.
  3. The former two points will become less relevant once H5P Group introduces a way to ensure that H5P libraries that are supposed to be installed are official ones. There’s a suggestion on the H5P forums, feel free to vote it up! I am sure that topic is on their agenda for the new H5P Hub server that they are planning, but until then: 1. and 2.

The details: What happened here?

In order to understand this, you need to know what happens when you upload H5P content.

By design, H5P content files contain everything that an H5P enabled platform will need to run the content:

  • the “parameters” that you entered in the editor (e. g. some task description text or whether you checked a checkbox),
  • the media that you may have uploaded (e. g. images or audio files),
  • a package definition file that tells the platform what pieces of JavaScript code (called libraries) the platform requires to run the content, and
  • the aforementioned pieces of JavaScript code themselves.

Among a couple of other things, the H5P platform will check if it already has all the H5P libraries that the content needs. If some are missing, then H5P will try to install those from the H5P content file that you are trying to upload. And here’s where things can go south.

You may not be allowed to install H5P libraries – neither those that are completely new nor newer versions of existing ones. That’s a security measure. Admins try to keep the platform free from malicious code, and therefore they tend to be cautious. They should not allow anyone to install arbitrary JavaScript code on the platform, and that’s essentially what happens if you install H5P libraries. Sure, H5P content that you obtain from trustworthy sites should be fine. But it’s really not rocket science to create H5P content with customized libraries that could compromise a platform – and even spread from there. Well, this is obviously what happened with Column.

But things are different if you upload H5P content with appropriate (or inappropriate) permissions. That’s the curse. Or part of it.

Someone must in fact have had administrative rights and uploaded the “infected” Interactive Book with the patched H5P.Column in version 1.16.6. H5P core realized that this was a later version that it didn’t have already and installed that one. You would not notice immediately, because the content that was uploaded contained the older version of Course Presentation and was “correct” for that patched Column version. It turns out that someone could date the time of “infection” back to January 19, 2024. Existing content that had previously been created with the regular Column 1.16.5 or earlier was rendered invalid now, however. It may still have been displayed while it was served from cache, but as soon as the cache was updated, e.g. by editing and saving the content, Course Presentations and Interactive Videos would vanish.

The two cases

In the latter case, the moodle site, the latest official version of Column (1.16.5) was installed. Someone now wanted to upload the Interactive Book with the modified version of Column (1.16.6). The core of H5P that is running on the moodle site will detect that it does not yet have what seems to be a later version of Column. H5P could automatically install that later library version to ensure that the content could be displayed properly. That’s the blessing. This only happens, however, if the person who uploads the content has appropriate administrative rights. This was not the case. H5P tried to continue with what it had: Column 1.16.5. It found the Course Presentation of version 1.24.x inside the content and now detected a conflict: 1.24.x is not what Column 1.16.5 expects. You’d see the error message

“The version of the H5P library H5P.CoursePresentation used in this content is not valid. Content contains H5P.CoursePresentation 1.24, but it should be H5P.CoursePresentation 1.25.”

They could not run the content, but the H5P libraries were not compromised, as no patched version was uploaded.

In the former case, the WordPress site, we had the opposite situation. Column 1.16.6 was installed already. That site could be patient zero, where the modification took place in the first place, or someone had uploaded “infected” content with administrative rights and inherited the problem – uploading with admin rights is what most people on WordPress do, unfortunately.

Someone now wanted to upload a legitimate Interactive Book content with Column 1.16.5 and Course Presentation 1.25.x. The core of H5P noticed that it already had a later version of Column (even though not an official one) and checked the content file for validity against that version. That version expects Course Presentation 1.24, so you’d get the error message

“The version of the H5P library H5P.CoursePresentation used in this content is not valid. Content contains H5P.CoursePresentation 1.25, but it should be H5P.CoursePresentation 1.24.”
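To make the upload logic from “The details” and both cases above tangible, here is a small model of the two checks H5P core runs on upload, written as an added example (not H5P core’s own code). It assumes a simplified installed-library table, the library.json fields machineName/majorVersion/minorVersion/patchVersion, an `expects` mapping standing in for the subcontent versions a library accepts, and a single `may_install` flag standing in for the uploader’s permission to install libraries; the Column versions are constructed from the story.

```python
from collections import namedtuple

ERR = ("The version of the H5P library {name} used in this content is not valid. "
       "Content contains {name} {have}, but it should be {name} {want}.")

# One library folder of an .h5p file (library.json fields) plus the subcontent versions it accepts.
Library = namedtuple("Library", "name major minor patch expects")

def key(lib):  # a library is identified by name and major.minor; patch only updates
    return (lib.name, lib.major, lib.minor)

def install_from_package(installed, package_libs, may_install):
    """A packaged library replaces the installed one with the same major.minor
    only if its patchVersion is higher, and only if the uploader may install."""
    installed = dict(installed)
    for lib in package_libs:
        current = installed.get(key(lib))
        if may_install and (current is None or current.patch < lib.patch):
            installed[key(lib)] = lib  # an editor account never reaches this line
    return installed

def validate_content(installed, main_key, content_libs):
    """Return the first mismatch between the subcontent versions the content
    uses and those the installed main library expects, else None."""
    main = installed[main_key]
    for name, have in content_libs.items():
        want = main.expects.get(name)
        if want is not None and want != have:
            return ERR.format(name=name, have=have, want=want)
    return None

# Constructed sample data mirroring the Column versions from the story.
OFFICIAL = Library("H5P.Column", 1, 16, 5,
                   {"H5P.CoursePresentation": "1.25", "H5P.InteractiveVideo": "1.26"})
PATCHED = Library("H5P.Column", 1, 16, 6,
                  {"H5P.CoursePresentation": "1.24", "H5P.InteractiveVideo": "1.24"})
REISSUED = Library("H5P.Column", 1, 16, 7, OFFICIAL.expects)  # 1.16.5 re-released as 1.16.7
KEY = key(OFFICIAL)  # the same for all three: H5P.Column 1.16

def moodle_case():  # official Column installed; a non-admin uploads the infected book
    site = install_from_package({KEY: OFFICIAL}, [PATCHED], may_install=False)
    return validate_content(site, KEY, {"H5P.CoursePresentation": "1.24"})

def wordpress_case():  # an admin uploaded the infected book earlier; a legit book fails
    site = install_from_package({KEY: OFFICIAL}, [PATCHED], may_install=True)
    return validate_content(site, KEY, {"H5P.CoursePresentation": "1.25"})

def hotfix_case():  # updating the compromised site to 1.16.7 sets dependencies straight
    site = install_from_package({KEY: PATCHED}, [REISSUED], may_install=True)
    return validate_content(site, KEY, {"H5P.CoursePresentation": "1.25"})
```

The two error messages quoted above fall out of `moodle_case()` and `wordpress_case()`, and `hotfix_case()` shows why re-releasing 1.16.5 as 1.16.7 was enough to repair a compromised site.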