In website content operation, we often need to publish articles containing images, links, paragraph styles and other rich formatting. AnQiCMS is a powerful content management system whose flexible template engine makes it easy to display such content. However, alongside that convenience there is a core question to address: how do we output article content that contains HTML tags from the template safely, preserving its original formatting while effectively preventing cross-site scripting (XSS) attacks?

AnQi CMS uses a Django-like template engine syntax that was designed with security in mind from the start. By default, the template engine automatically escapes all output, so HTML tags such as <script> are not parsed by the browser as executable code but are displayed as plain text; <script>, for example, is output as &lt;script&gt;. This mechanism greatly reduces the risk of XSS attacks because it prevents malicious scripts from executing in the user's browser.

However, this default automatic escaping can cause trouble for article content created with a rich text editor, which contains legitimate HTML tags. For example, if you bold some text or insert an image in the editor and those HTML tags are escaped, the end user will see the raw, unformatted HTML code instead of the intended visual result.

To solve this problem, AnQi CMS provides the |safe filter. When you have determined that a piece of content is trusted, safe HTML, you append |safe to the template variable to tell the template engine explicitly: this content is safe, do not escape it, output it directly as HTML.

For example, when displaying the article details, it is usually used like this:

<div>
    {%- archiveDetail articleContent with name="Content" %}
    {{articleContent|safe}}
</div>

Here, the archiveDetail tag fetches the article's detail data, and name="Content" specifies the field that holds the article body. Then, in {{articleContent|safe}}, the |safe filter takes effect, ensuring that all HTML tags contained in the articleContent variable, such as <p>, <strong> and <img>, are parsed and rendered by the browser, so the article's layout and styling are fully preserved.
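To make the escaping behaviour described above concrete, here is a small Python model of a Django-style template engine with autoescaping and a |safe filter. It is an added example written for this page, not AnQiCMS's own template engine or code; the sample article body and user comment are constructed, and the {{ variable|filter }} syntax is implemented only far enough to show the difference between escaped and trusted output.

```python
import html
import re

# Constructed samples: a body written by a trusted editor in a rich text editor,
# and a user-submitted comment that carries an XSS attempt.
EDITOR_CONTENT = '<p>Hello <strong>world</strong> <img src="/a.png" alt="a"></p>'
USER_COMMENT = 'nice <script>alert(1)</script>'


class SafeString(str):
    """Marker type: the value is trusted HTML and must not be escaped."""


def safe(value):
    """The |safe filter: wraps the value in the trusted-HTML marker."""
    return SafeString(value)


FILTERS = {"safe": safe}

# Matches {{ name }} and {{ name|filter|filter }} (whitespace optional).
_TAG = re.compile(r"\{\{\s*(\w+)((?:\s*\|\s*\w+)*)\s*\}\}")


def render(template, context):
    """Render a template: every output is HTML-escaped unless marked safe."""
    def substitute(match):
        value = context[match.group(1)]
        for name in re.findall(r"\w+", match.group(2)):
            value = FILTERS[name](value)
        if isinstance(value, SafeString):
            return str(value)            # trust statement: output as-is
        return html.escape(str(value), quote=True)   # default: escape
    return _TAG.sub(substitute, template)


if __name__ == "__main__":
    # Default path: the script tag becomes inert text.
    print(render("<p>{{ comment }}</p>", {"comment": USER_COMMENT}))
    # |safe on trusted editor content keeps the formatting.
    print(render("<div>{{ body|safe }}</div>", {"body": EDITOR_CONTENT}))
    # |safe on untrusted input is where the XSS would go live.
    print(render("<p>{{ comment|safe }}</p>", {"comment": USER_COMMENT}))
```

The third render call is the failure mode the article warns about: the engine performs no check of its own once |safe is applied, so whatever entered the variable reaches the browser verbatim.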

Moreover, if your content is written in a Markdown editor and you want the template engine to render it to HTML automatically, the archiveDetail tag also provides a render parameter. For example, {% archiveDetail articleContent with name="Content" render=true %}{{articleContent|safe}} converts the Markdown content to HTML and then outputs it safely through the |safe filter. If you want to keep the original Markdown source without rendering, set render to false.

Understanding the role of the |safe filter is crucial. It amounts to a "trust statement": once |safe is used, the template engine trusts the content completely and performs no further security checks of any kind. Therefore, use the |safe filter only when you are certain that the content source is reliable, controlled and strictly reviewed.

For example, content entered manually by editors in the AnQi CMS backend can generally be treated as a trusted source, because backend users hold management permissions and the rich text editor itself performs preliminary filtering of some common malicious scripts. However, if your website allows users to submit content (such as comments or forum posts), or if you gather content from external sources through the content collection feature, be sure to perform strict server-side cleaning and sanitization before saving it to the database. Only content cleaned in this way should be output with |safe; that server-side cleaning is the last line of defense against XSS attacks.
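The server-side cleaning step recommended above, as an added example in Python that is not part of AnQiCMS or of this article: an allowlist sanitizer built on the standard library's HTMLParser, meant to run on user-submitted or collected content before it is stored. Everything not on the allowlist is removed: unknown tags (their text is kept), script and style blocks together with their contents, event-handler attributes, and href/src values whose scheme is not http, https or relative. The tag and attribute allowlist and the sample inputs are constructed for the example; a production deployment would tune the allowlist to the editor's output.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on it (constructed for this example).
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}   # "" means a relative URL
VOID = {"br", "img"}                   # tags that take no closing tag
DROP_WITH_CONTENT = {"script", "style"}


def url_is_safe(value):
    # Browsers ignore embedded tab/newline/control bytes when parsing a URL,
    # so strip them before deciding on the scheme ("java\tscript:" -> "javascript:").
    cleaned = re.sub(r"[\x00-\x20]+", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside script/style: drop their text

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return            # unknown tag is dropped, its text content is kept
        parts = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue      # e.g. onerror=, onclick=, style=
            if name in URL_ATTRS and not url_is_safe(value):
                continue      # e.g. javascript: or data: URLs
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))  # re-escape text

    def handle_comment(self, data):
        pass                  # comments are dropped


def sanitize(raw_html):
    """Return a re-serialized copy of raw_html containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of collected content with several XSS vectors.
    print(sanitize('<p>Hi <strong>there</strong><script>alert(1)</script></p>'))
    print(sanitize('<img src="javascript:alert(1)" onerror="alert(1)" alt="x">'))
    print(sanitize('<a href="https://example.com" onclick="x()">link</a>'))
```

Because the sanitizer re-serializes from parsed tokens rather than patching the input string with regular expressions, the stored HTML contains only what the allowlist permits, which is what makes a later {{ content|safe }} in the template defensible.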

In short, when displaying article content containing HTML tags in an AnQi CMS template, the core strategy is to apply the |safe filter to trusted content to retain its formatting, and to remain vigilant about all other, untrusted content, cleaning it thoroughly before it enters the system. This is how to strike a balance between rich content and website security.


Common Questions (FAQ)

  1. Q: Why do the HTML tags in my article content not take effect and show up as plain text instead? A: This is usually because the default security mechanism of the AnQi CMS template engine is in effect. To prevent XSS attacks, the template engine automatically escapes all output by default, so HTML tags are displayed as plain text. To output trusted HTML, append the |safe filter to the variable, for example {{ archive.Content|safe }}.

  2. Q: If my content is collected from external sources, how do I make sure it displays safely in the template? A: Externally collected content carries a high XSS risk. Although AnQi CMS provides a content collection feature, we strongly recommend that, before the content is stored in the database, you clean and filter the HTML strictly on the server side using custom logic or a third-party library, removing all potentially malicious scripts and unsafe tag attributes. Only content cleaned in this way should then be output together with the |safe filter.

  3. Q: I am using a Markdown editor; do I still need the |safe filter? A: Yes. Even with a Markdown editor, the |safe filter is usually still necessary. When you use render=true on the archiveDetail tag, the Markdown content is converted to HTML, and for those generated HTML tags to render normally rather than be escaped, you still need to apply the |safe filter immediately afterwards. For example: {% archiveDetail articleContent with name="Content" render=true %}{{articleContent|safe}}.