Skip to main content

Security Notices

Tip

For comprehensive information about the topic of security in the CODESYS environment, see: Security

Development of an HTML5 Control

It is not possible to transfer any amount of data which may occur with large arrays. In this case, it is helpful to bind the array with scroll range functionality. This also allows for better transfer performance because only the section that is actually needed is transferred.

  • Editor type: ArrayRange

  • Property type: Update

  • Variable type: Base type of the array

Therefore, configure the HTML5 control with an interface property for the array as follows:

Using an HTML5 control

Important

For security reasons, when using HTML5 controls you need to be aware that the functionality it contains can result in unexpected attacks. As a result, the operation of a PLC may be damaged.

  • Execution of DoS attacks on the web servers

  • Spying of values which have been configured on HTML5 controls

  • Displaying incorrect values from the application

  • Sending incorrect values to the application

Examples of these include the following:

For effective safeguarding, it is necessary that the actions below are taken for safeguarding.

Check the author and contents

Use only HTML5 controls from trusted authors.

CODESYS provides support to prevent unexpected (and potentially malicious) changes to HTML5 controls. Used HTML5 controls can be checked for changes during compile or download and have to initially be confirmed in projects for this. A checksum (= hash value) is calculated for the contents of these HTML5 controls. Authors of HTML5 controls can provide their hash values for comparison.

Secure HTTPS protocol

Use HTTPS.

With HTML5 controls, in addition to character statements and input events such as mouse clicks, values read from or written to IEC variables are now also transferred. This could facilitate man-in-the-middle attacks.

Access to resources

By default, an HTML5 control cannot load resources such as scripts or styles. However, the resources which are provided with the element itself are excluded from this. If this requires that contents are loaded from servers other than the controller, then this can be mitigated by adjusting the ContentSecurityPolicyIncludeTrustedOrigins setting in the automatically generated webvisu.cfg.json file.

However, this is not recommended for the following reasons:

  • All other HTML5 controls are then also allowed to download and use contents from these allowed locations.

  • Basic Level has no control over the resources loaded from external servers, so availability and compatibility cannot be guaranteed.

  • External servers could provide malicious scripts which could then be executed as part of the HTML5 control. For example, a malicious script could modify received or sent values or reveal information.

File manipulation

Be careful if the application uses HTML5 controls together with the ability to modify files. In the case of file manipulation, malicious users might be able to insert malicious code into HTML5 controls. This should be feared, for example, when using the text editor of the visualization or functions like SysFile.

  • The application developer is responsible for making sure that file paths used for modification are checked for valid locations (for example, not in the $PlcLogic$/$visu$folders). This is especially dangerous if the user of the visualization can freely enter the path for a file to be changed.

  • We recommend that you use only hard-coded paths. Alternatively, you could also verify that a path entered by the user is in its expected location.

: