Security of .H5P files

The question has come up about uploading .H5P files into our LMS that could potentially have been tampered with - had JavaScript or similar injected into them. I understand the Library would block JavaScript in the Content part of the file but there are other parts of the .H5P package that require JavaScript. This JavaScript runs on a student's computer and if altered could do a number of potentially damaging things. My question is twofold:

1. Are there precautions to ensure a .H5P file has not been tampered with and had code added to it?

2. Is there a way of turning off the file upload option in the Moodle plugin, so that the only way a teacher can use H5P is to create the content from scratch?

icc

1. No, you should not give the updatelibraries permission to someone that doesn't know what they're doing. However, you also have the installrecommendedh5plibraries permission that allows the user to only install content types (JavaScripts) that come directly from the H5P Hub (H5P.org).
I would recommend only using files that come from H5P.org or another source that you fully trust.

2. No, but if you revoke the mentioned permission only the content part of the .h5p file is used.
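
As an added example (not part of the thread and not H5P or Moodle code), an administrator can inspect an uploaded package before deciding who may import it. The sketch assumes the usual .h5p layout, a zip archive with `h5p.json`, a `content/` directory and one top-level directory per bundled library; `audit_h5p`, `build_sample` and the `ACTIVE_EXT` list are hypothetical names and choices made for this illustration.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath

# Extensions treated as "active" if found under content/ (assumed list).
ACTIVE_EXT = {".js", ".html", ".htm", ".svg", ".php"}


def audit_h5p(package):
    """Classify the entries of an .h5p archive (path or file-like object)."""
    report = {"libraries": set(), "library_scripts": [],
              "active_in_content": [], "suspicious_paths": []}
    with zipfile.ZipFile(package) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            path = PurePosixPath(name)
            if path.is_absolute() or ".." in path.parts or "\\" in name:
                report["suspicious_paths"].append(name)
                continue
            top, ext = path.parts[0], path.suffix.lower()
            if top == "content":
                if ext in ACTIVE_EXT:
                    report["active_in_content"].append(name)
            elif len(path.parts) > 1:  # any other top-level dir is a library
                report["libraries"].add(top)
                if ext == ".js":
                    report["library_scripts"].append(name)
    report["libraries"] = sorted(report["libraries"])
    # True when the package carries no library code of its own.
    report["content_only"] = not report["libraries"]
    return report


def build_sample():
    """Constructed sample package, built in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", json.dumps({"mainLibrary": "H5P.Example"}))
        zf.writestr("content/content.json", json.dumps({"text": "Hello"}))
        zf.writestr("H5P.Example-1.0/library.json", "{}")
        zf.writestr("H5P.Example-1.0/example.js", "/* library code */")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(json.dumps(audit_h5p(build_sample()), indent=2))
```

A package that reports `content_only` as false carries its own library JavaScript, which is the part that only takes effect for users holding the library permissions discussed above.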