In website content operation, we often need to publish articles containing images, links, paragraph styles, and other rich formatting. AnQi CMS is a powerful content management system whose flexible template engine helps us display such content easily. While enjoying that convenience, however, we must pay attention to a core issue: how do we safely output article content that contains HTML tags in the template, keeping its original formatting intact while effectively preventing cross-site scripting (XSS) attacks?

AnQi CMS uses a template engine with syntax similar to Django's, and security was considered from the design phase. By default, the template engine automatically escapes all output. This means that if the article content contains an HTML tag such as <script>, the browser does not parse it as executable code; instead it is displayed as plain text, for example as &lt;script&gt;. This mechanism greatly reduces the risk of XSS attacks because it prevents malicious scripts from executing in the user's browser.

However, this default automatic escaping can cause trouble for article content created with a rich text editor, which legitimately contains HTML tags. For example, if you bolded some text or inserted an image in the editor and those HTML tags are escaped, the end user will see the raw, unformatted HTML code instead of the expected visual effect.

To solve this problem, AnQi CMS provides the |safe filter. When you are sure that a piece of content is trusted, safe HTML, you can append |safe to the template variable. This explicitly tells the template engine: this content is safe, do not escape it, output it directly as HTML.

For example, when displaying article details, it is usually used like this:

<div>
    {%- archiveDetail articleContent with name="Content" %}
    {{articleContent|safe}}
</div>

Here, the archiveDetail tag is used to obtain the detailed content of the article, and name="Content" specifies the field holding the article's main body. Then, in {{articleContent|safe}}, the |safe filter does its work: it ensures that all HTML tags contained in the articleContent variable, such as <p>, <strong> and <img>, are parsed and rendered correctly by the browser, so the layout and style of the article are fully preserved.

In addition, if your content is written with a Markdown editor and you want the template engine to render it to HTML automatically, the archiveDetail tag also provides the render parameter. For example, {% archiveDetail articleContent with name="Content" render=true %}{{articleContent|safe}} first converts the Markdown content to HTML and then outputs it through the |safe filter. If you wish to keep the original Markdown unrendered, set render to false.

Understanding the role of the |safe filter is crucial. It is equivalent to a "trust statement": once |safe is used, the template engine fully trusts the content and performs no further security checks on it. Therefore, use the |safe filter only when you are certain that the content source is reliable, controlled, and strictly reviewed.

For example, content entered manually by editors in the AnQi CMS backend is usually considered a trusted source, because backend users hold management permissions and the rich text editor itself performs preliminary filtering of some common malicious scripts. However, if your website allows users to submit content (such as comments or forum posts), or you gather content from external sources with the content collection feature, then you must strictly clean and sanitize that content on the server side before saving it to the database. AnQi CMS provides security mechanisms such as sensitive word filtering, but these are mainly safeguards at the content storage level; at output time, withholding |safe remains the last line of defense against XSS attacks.
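The behaviour described above, shown as an added example that is not code from AnQi CMS or its pongo2 template engine: it uses Go's standard html/template package, where passing a value as template.HTML plays the same role as the |safe filter, and a plain string is auto-escaped. The sample article bodies are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Page template. {{.Content}} is auto-escaped unless the value passed in has
// type template.HTML, which is the html/template analogue of |safe.
const pageTmpl = `<div>{{.Content}}</div>`

// RenderContent renders an article body inside the page template.
// trusted=false passes the body as a plain string, so every tag is escaped;
// trusted=true wraps it in template.HTML, the "trust statement", so the
// engine performs no escaping at all.
func RenderContent(body string, trusted bool) (string, error) {
	t, err := template.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var content interface{} = body
	if trusted {
		content = template.HTML(body) // equivalent of {{ body|safe }}
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]interface{}{"Content": content}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed samples: editor-authored rich text, and a user-submitted body.
	editorHTML := `<p>Hello <strong>world</strong></p>`
	userHTML := `<script>x()</script>`
	cases := []struct {
		body    string
		trusted bool
	}{{editorHTML, true}, {userHTML, false}, {userHTML, true}}
	for _, c := range cases {
		out, _ := RenderContent(c.body, c.trusted)
		fmt.Printf("trusted=%-5v -> %s\n", c.trusted, out)
	}
}
```

The third case shows why the page's warning matters: once a body is marked trusted, a script tag reaches the browser unchanged, so untrusted input must be cleaned before storage rather than rescued at output time.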

In short, when displaying article content with HTML tags in an AnQi CMS template, the core strategy is: apply the |safe filter to trusted content to preserve its formatting, and stay vigilant with all other, untrusted content, either leaving it escaped or cleaning it thoroughly before it is stored. This achieves a balance between rich content display and website security.


Frequently Asked Questions (FAQ)

  1. Ask: Why don't the HTML tags in my article content take effect, and are displayed as text instead? Answer: This is usually the default security mechanism of the AnQi CMS template engine at work. To prevent XSS attacks, the template engine automatically escapes all output by default, so HTML tags are shown as plain text. If you are sure these HTML tags are valid and safe and you want them rendered normally, apply the |safe filter at the point of output, for example {{ archive.Content|safe }}.

  2. Ask: If my content is collected from external sources, how can I make sure it is displayed safely in the template? Answer: Externally collected content carries a high XSS risk. Although AnQi CMS provides a content collection feature, we strongly recommend that, before storing it in the database, you strictly clean and filter the HTML on the server side using custom logic or a third-party library, removing all potentially malicious scripts and unsafe tag attributes. Never combine uncleaned collected content with the |safe filter.

  3. Ask: I am using a Markdown editor. Do I still need the |safe filter? Answer: Yes, the |safe filter is usually still necessary with a Markdown editor. When you use the render=true parameter in the archiveDetail tag, the Markdown content is converted to HTML, and for those converted HTML tags to render normally instead of being escaped, you still need to follow the variable with the |safe filter. For example: {% archiveDetail articleContent with name="Content" render=true %}{{articleContent|safe}}.