A short voluntary H5P fire department story line

H5P is a pretty open format. Barriers for tweaking things are relatively low. For instance, you can easily download an H5P file, unzip it (yes, despite the file extension .h5p it’s merely a zip file), and then peek at all the files that you can open and modify with a plain text editor. That’s great! And that’s terrible, at least for the time being. Here’s why.

But before, the important bits aka …

TL;DR

  1. Please, please, do not change the official code of content types on your system if there is the slightest chance that the contents that use it can leave the platform. You may not only mess up your platform, but the platform of other people, too.
  2. Please, do not upload H5P content with administrative rights if you’re not sure that it is fine (or you know what you’re doing). On WordPress, in general, it’s a good idea to set up an editor account and not do everything with an admin account.
  3. The former two points will become less relevant once H5P Group introduces a way to ensure that H5P libraries that are supposed to be installed are official ones. There’s a suggestion on the H5P forums, feel free to vote it up! I am sure that topic is on their agenda for the new H5P Hub server that they are planning, but until then: 1. and 2.

April 20, 2024, 08:26

Someone posted on the H5P forums and reported an issue with an Interactive Book content when uploading it to WordPress. Course Presentations disappeared from the content after uploading. The content file looked fine. It could be uploaded to other sites without any trouble. Therefore, the problem supposedly was lurking somewhere on that WordPress site. Narrowing it down would hardly be possible without being able to look at the server, but no further information was supplied after April 22, 2024.

April 25, 2024, 10:30

I met with staff of different German universities that are linked via the HU moodle forums. Someone also mentioned a similar issue: An Interactive Book content could not be uploaded to a moodle site at all. I promised to take a look and received the file at 11:24. I investigated the file and found what was causing this issue and the one on the WordPress site.

April 25, 2024, 13:48

I sent my “report” and suggested immediately stopping the sharing of Interactive Book and Column contents if Column 1.16.6 was found among the installed libraries. Skip the rest of this time stamp if it feels too technical for you. The gist is:

It can be dangerous to upload H5P content of other people. You can wreck existing content this way. Do not upload H5P content from others with administrative rights without care! If you wonder why you cannot upload an H5P content file: It’s likely for a good reason.

H5P content files do not only contain the parameters that an author has set for the content and the media files that one may have used, but also all the H5P libraries of the content types that are required to run and display the content. That’s a blessing, because it allows content to be shared more easily. It’s a curse in its current form as well, because it’s responsible for the trouble.

I found that the library for H5P.Column, which is responsible for displaying a Course Presentation inside an Interactive Book, had version number 1.16.6. That was odd – because the latest version that was published by H5P Group was 1.16.5. Comparing the files of the two different incarnations of Column, I found:

  1. The official version (1.16.5) uses Course Presentation (1.25.x) and Interactive Video (1.26.x).
  2. The strange version (1.16.6) used Course Presentation (1.24.x) and Interactive Video (1.24.x).

The “newer” version of Column is not an official version. Someone must have patched the original code, used his/her version and (accidentally) let it loose in the wild – and there it has spread and gone unnoticed since January 19, 2024 at least. The “newer” version referenced an older version of the two content types. This causes a lot of trouble; please see the details below if you’re interested in what exactly happened.

The important bit is that someone had modified Column, changed the version number and spread the content. And when others uploaded that content with administrative rights, they automatically installed that patched version of Column, too. And that will break things eventually.

April 25, 2024, 14:03

I informed the poster on the H5P forums about the issue and suggested taking measures.

April 25, 2024, 15:31

The addressee of the report had tried to find out where the “infected” content came from. Lumi Cloud was not the source, but also had Column 1.16.6 installed.

April 25, 2024, 17:58

I informed Lumi about the issue, as they are a popular site that content is shared on and re-used from. They replied very quickly and investigated the issue on their end.

April 25, 2024, 18:20

I had thought about ways to fix this. One could, of course, correct database entries and other things, but the approach wouldn’t be identical on every platform, it would be hard to explain to hobby admins, wrong “fixes” could cause other trouble, etc.

The simplest approach seemed to be that H5P Group re-released version 1.16.5 as 1.16.7. People would just need to update the content type, and that would set the dependencies straight. That would also fix existing content that may have been compromised unless it had been edited and saved. I informed H5P Group accordingly.

April 26, 2024, 15:36

H5P Group promised to look into this, but they wouldn’t want to do this “all the time” if someone decided to tamper with H5P libraries.

April 26, 2024, 16:46

H5P Group reported that they had released Column 1.16.7.

All is well that ends well?

Not quite, I think. There are a couple of things one should take away from this brief story:

  1. Please, please, do not change the official code of content types on your system if there is the slightest chance that the contents that use it can leave the platform. You may not only mess up your platform, but the platform of other people, too.
  2. Please, do not upload H5P content with administrative rights if you’re not sure that it is fine (or you know what you’re doing). On WordPress, in general, it’s a good idea to set up an editor account and not do everything with an admin account.
  3. The former two points will become less relevant once H5P Group introduces a way to ensure that H5P libraries that are supposed to be installed are official ones. There’s a suggestion on the H5P forums, feel free to vote it up! I am sure that topic is on their agenda for the new H5P Hub server that they are planning, but until then: 1. and 2.

The details: What happened here?

In order to understand this, you need to know what happens when you upload H5P content.

By design, H5P content files contain everything that an H5P enabled platform will need to run the content:

  • the “parameters” that you entered in the editor (e.g. some task description text or whether you checked a checkbox or not),
  • the media that you may have uploaded (e.g. images or audio files),
  • a package definition file that tells the platform what pieces of JavaScript code (called libraries) the platform requires to run the content, and
  • the aforementioned pieces of JavaScript code themselves.

Among a couple of other things, the H5P platform will check if it already has all the H5P libraries that the content needs. If some are missing, then H5P will try to install those from the H5P content file that you are trying to upload. And here’s where things can go south.

You may not be allowed to install H5P libraries – neither those that are completely new nor newer versions of existing ones. That’s a security measure. Admins try to keep the platform free from malicious code, and therefore they tend to be cautious. They should not allow anyone to install arbitrary JavaScript code on the platform, and that’s essentially what happens if you install H5P libraries. Sure, H5P content that you obtain from trustworthy sites should be fine. But it’s really not rocket science to create H5P content with customized libraries that could compromise a platform – and even spread from there. Well, this is obviously what happened with Column.

But things are different if you upload H5P content with appropriate (or inappropriate) permissions. That’s the curse. Or part of it.

Someone must in fact have had administrative rights and uploaded the “infected” Interactive Book with the patched H5P.Column in version 1.16.6. H5P core realized that this was a later version that it didn’t have already and installed that one. You would not notice immediately, because the content that was uploaded contained the older version of Course Presentation and was “correct” for that patched Column version. It turns out that someone could date the time of “infection” back to January 19, 2024. Existing content that had previously been created with the regular Column 1.16.5 or earlier was rendered invalid now, however. It may still have been displayed while it was served from cache, but as soon as that was updated, e.g. by editing and saving the content, Course Presentations and Interactive Videos would vanish.

The two cases

In the latter case, the moodle site, the latest official version of Column (1.16.5) was installed. Someone now wanted to upload the Interactive Book with the modified version of Column (1.16.6). The core of H5P that is running on the moodle site will detect that it does not yet have what seems to be a later version of Column. H5P could automatically install that later library version to ensure that the content could be displayed properly. That’s the blessing. This happens, however, only if the person who uploads the content has appropriate administrative rights. This was not the case. H5P tried to continue with what it had: Column 1.16.5. It found the Course Presentation of version 1.24.x inside the content and now detected a conflict: 1.24.x is not what Column 1.16.5 expects. You’d see the error message

“The version of the H5P library H5P.CoursePresentation used in this content is not valid. Content contains H5P.CoursePresentation 1.24, but it should be H5P.CoursePresentation 1.25.”

They could not run the content, but the H5P libraries were not compromised, as no patched version was uploaded.

In the former case, the WordPress site, we had the opposite case. Column 1.16.6 was installed already. That site could be patient zero where the modification took place in the first place, or someone had uploaded “infected” content with administrative rights and inherited the problem – that’s what most people on WordPress do, unfortunately.

Someone now wanted to upload a legitimate Interactive Book content with Column 1.16.5 and Course Presentation 1.25.x. The core of H5P noticed that it already had a later version of Column (even though not an official one) and checked the content file for validity against that version. It expects Course Presentation 1.24, so you’d get the error message

“The version of the H5P library H5P.CoursePresentation used in this content is not valid. Content contains H5P.CoursePresentation 1.25, but it should be H5P.CoursePresentation 1.24.”
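As an added example (not code from this post or from H5P Group), here is a small Python audit that an admin could run over an .h5p file before uploading it with administrative rights. It reads the package the way the post describes it (h5p.json plus one library.json per bundled library; those field names are the real H5P ones), flags a bundled library whose patch version exceeds the official release the admin knows of, and reproduces the platform's validity check so that both of the cases above show up as findings. The sample package, the allowlist and the installed-library dicts are constructed for the example.

```python
import io
import json
import zipfile

# Constructed allowlist: the post states H5P Group's latest Column at the time was 1.16.5.
OFFICIAL = {"H5P.Column": (1, 16, 5)}
fmt = lambda v: ".".join(map(str, v))  # (1, 16, 6) -> "1.16.6"


def ref(name, major, minor):  # a dependency entry as written in h5p.json / library.json
    return {"machineName": name, "majorVersion": major, "minorVersion": minor}


def audit_h5p(data, installed):
    """Audit .h5p zip bytes against installed libraries ({machineName: library.json-like dict})."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = json.loads(zf.read("h5p.json"))
        bundled = [json.loads(zf.read(n)) for n in zf.namelist()
                   if n.count("/") == 1 and n.endswith("/library.json")]
    carried = {d["machineName"]: (d["majorVersion"], d["minorVersion"])
               for d in manifest["preloadedDependencies"]}
    findings = []
    for lib in bundled:  # libraries an admin upload would silently install if they look "newer"
        ver, name = (lib["majorVersion"], lib["minorVersion"], lib["patchVersion"]), lib["machineName"]
        if name in OFFICIAL and ver > OFFICIAL[name]:
            findings.append(f"{name} {fmt(ver)} is newer than official {fmt(OFFICIAL[name])}: unofficial build")
    # Mirror the platform check: the installed library dictates the major.minor of its dependencies.
    for name, lib in installed.items():
        for d in lib.get("preloadedDependencies", []):
            have, want = carried.get(d["machineName"]), (d["majorVersion"], d["minorVersion"])
            if name in carried and have and have != want:
                findings.append(f"Content contains {d['machineName']} {fmt(have)}, "
                                f"but {name} expects {fmt(want)}")
    return findings


def build_sample(column_patch=6, cp_minor=24):
    """Construct an Interactive Book package (sample data, not a real file); defaults = the 'infected' one."""
    column = {**ref("H5P.Column", 1, 16), "patchVersion": column_patch,
              "preloadedDependencies": [ref("H5P.CoursePresentation", 1, cp_minor)]}
    manifest = {"title": "sample", "mainLibrary": "H5P.InteractiveBook",
                "preloadedDependencies": [ref("H5P.Column", 1, 16), ref("H5P.CoursePresentation", 1, cp_minor)]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", json.dumps(manifest))
        zf.writestr("H5P.Column-1.16/library.json", json.dumps(column))
    return buf.getvalue()


# The moodle site from the post: official Column 1.16.5, which expects CoursePresentation 1.25.
INSTALLED = {"H5P.Column": {**ref("H5P.Column", 1, 16), "patchVersion": 5,
                            "preloadedDependencies": [ref("H5P.CoursePresentation", 1, 25)]}}
```

Calling `build_sample(5, 25)` against an installed dict that carries the patched Column 1.16.6 (expecting Course Presentation 1.24) reproduces the WordPress case from the post.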


4 Replies to “A short voluntary H5P fire department story line”

  1. Ouch my brain! This is mind bending and appreciate how you break this down. If an unofficial version gets into a site how is it dialed back?

    And for WordPress Multisite what does this mean? My brain is fuzzy (see above): are the libraries organized at the server level or per site?

    Thanks for this

  2. If you wanted to revert back to an older version, you’d need to remove the library files that got installed, change/delete a couple of entries in the platform’s database, install the old version and rebuild the cache. How this is done exactly varies from platform to platform. So it was easier to ask H5P Group to release a new version that’s in fact the same as the old version. It essentially does the same thing.
    We’re talking about changes in the patch version only (major.minor.patch), however. Things can get way more complicated if there is a change in the minor version or major version, because this often means that the structure of the content type parameters (semantics.json) changed.

    I don’t know if a WordPress Multisite uses one central pool of H5P libraries or if it has one pool per site. Would assume the latter, then one site would not contaminate the other.

    And yes, it’s a complicated issue, and I noticed when writing that the structure of that post was also complicated … But I was too lazy to try to find a better approach.

  3. I completely agree with you. It appears there are tasks on the coding side that you mentioned here. I hope they consider implementing these improvements in the near future. As an educational instructor, I’ve found numerous areas that could be easily enhanced with just a couple of lines of CSS, yet I haven’t seen any progress on this front.
    I see that you might feel like you’re facing challenges in improving H5P on your own.
    I also have mine, which keeps bothering me…
    For example, the H5P structure should follow this sequence: Title > Description > Content > Buttons, etc. However, in some content types, images or audio files are positioned at the top, directly beneath the title and description, disrupting the intended structure. Feedback is very important, yet the space for it seems quite limited in many content types. Anyways, I love H5P; it adds an enjoyable aspect to my life.

    1. What I am discussing here does not concern content types, but the H5P (backend) infrastructure. These are quite different things.
      Regarding CSS changes: You can use H5P’s customization hooks to change them yourself cleanly. And have you suggested changes to H5P Group?
      Images are only put at the top of content types if the author puts them there, so I don’t see how this would be an issue if you don’t want them there.
