When developing websites with AnQiCMS, we often use variables such as `{{ item.Link }}` in templates to generate links, which raises a natural question: when the URLs that the system generates automatically (the link of an article detail page, the link of a category list page, and so on) are output to the HTML page, have they already been parameter-escaped so that the link is both correct and safe?
AnQiCMS's template system uses Pongo2, a template engine with Django-like syntax, and that choice itself carries an important security feature. By the template engine's design, everything output through the double-curly-brace syntax `{{ 变量 }}` is automatically HTML-escaped. This means that when `{{ item.Link }}` is rendered into the HTML page, for example as the value of an `<a>` tag's `href` attribute, the special characters `<`, `>`, `&`, `"` and `'` in the value are converted to their corresponding HTML entities (for example, `&` becomes `&amp;`). This mechanism is designed to prevent cross-site scripting (XSS): even if malicious script code is accidentally mixed into the link, the browser will not execute it directly, which improves the security of the website.
Therefore, for the most common template usage, such as placing `{{ item.Link }}` directly in an `href` attribute, you usually do not have to worry about HTML injection. The template engine's automatic escaping handles these details, ensuring that the generated link is safe and well-formed within the HTML structure. AnQiCMS attaches great importance to security in its project design, and this default template output behaviour is one reflection of that commitment to helping users build safer websites.
However, note that the "escaping" discussed here refers to escaping in the HTML context, whose purpose is to keep the HTML structure from being broken or attacked via XSS. URL parameter escaping (also known as percent-encoding) is a different layer: its role is to encode characters that have special meaning in a URL (such as spaces, `&`, `?` and `/`) into the `%xx` form, so that the URL itself is not ambiguous during network transmission and parsing.
If `item.Link` is already a complete URL containing query parameters (for example `https://www.example.com/article?id=1&title=test article`), and the parameters in `item.Link` were generated and handled correctly by AnQiCMS (for example, through pseudo-static rule generation), then when it is rendered as an `href` attribute value, HTML escaping automatically turns `&` into `&amp;`, which is exactly right for the browser's parsing.
But if you need to use the value of `item.Link` as a query parameter value of another URL, or when you manually concatenate URL components containing special characters, the situation is different. For example, you may want to build a redirect link in which `item.Link` is the redirect target:
{{ some_base_url }}?redirect_to={{ item.Link }}
In this scenario, if `item.Link` has the value `path/to/page?param1=value1&param2=value2`, simply concatenating it and relying on HTML auto-escaping is not enough. The `&` inside the `redirect_to` value needs to be percent-encoded as `%26` rather than left as `&`; otherwise the browser (and the server) will treat `param2=value2` as a separate, independent parameter outside `redirect_to`.
To meet such URL construction requirements, AnQiCMS's template system also provides the `|urlencode` and `|iriencode` filters. When you need to ensure that a string (especially user input or dynamic content containing special characters) is properly encoded as a URL parameter value, you can use them:
{{ some_base_url }}?redirect_to={{ item.Link|urlencode }}
With the `|urlencode` filter, all special characters in `item.Link` are correctly percent-encoded, so the whole URL stays valid and standards-compliant. The `|iriencode` filter provides an alternative encoding that escapes the URL except for a set of permitted characters, and is suited to specific scenarios such as internationalized resource identifiers (IRI).
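The following Go program is an added example, not code from AnQiCMS or Pongo2; it uses only the Go standard library to model the two layers discussed above (HTML auto-escaping versus `|urlencode`, which is assumed here to behave like `url.QueryEscape`) and shows why the naive `redirect_to` concatenation loses `param2` while the percent-encoded form keeps it, and why a percent-encoded value is left untouched by HTML escaping (the first FAQ point below). The base URL and the link value are constructed sample data.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// Constructed sample value for item.Link, taken from the article's example.
const sampleLink = "path/to/page?param1=value1&param2=value2"

// htmlEscapeOnly models what the template engine's auto-escaping does to
// {{ item.Link }}: HTML entity escaping (& -> &amp;), no percent-encoding.
func htmlEscapeOnly(link string) string {
	return html.EscapeString(link)
}

// percentEncode models the |urlencode filter (assumed to behave like
// url.QueryEscape): every reserved character becomes %xx.
func percentEncode(link string) string {
	return url.QueryEscape(link)
}

// buildRedirect concatenates like {{ some_base_url }}?redirect_to=...
// The browser decodes &amp; back to & before sending the request, so the
// URL on the wire is this string either way; only percent-encoding survives.
func buildRedirect(base, value string) string {
	return base + "?redirect_to=" + value
}

// redirectTarget parses the final URL the way a server would and reports the
// redirect_to value it sees and whether param2 leaked out as its own parameter.
func redirectTarget(rawURL string) (target string, leaked bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false, err
	}
	q := u.Query()
	_, leaked = q["param2"]
	return q.Get("redirect_to"), leaked, nil
}

func main() {
	base := "https://www.example.com/go" // constructed some_base_url
	for _, v := range []string{sampleLink, percentEncode(sampleLink)} {
		tgt, leaked, _ := redirectTarget(buildRedirect(base, v))
		fmt.Printf("redirect_to=%q leaked param2=%v\n", tgt, leaked)
	}
	fmt.Println(htmlEscapeOnly(sampleLink)) // & becomes &amp;
}
```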
In summary:
In AnQiCMS templates, the automatically generated URL in `{{ item.Link }}` is HTML-escaped by default. This provides baseline protection against XSS and is sufficient when the value is used directly as an `href` attribute. But if you need to use such a link as the parameter value of another URL, or when building more complex URLs, it is recommended to apply the `|urlencode` filter manually to perform URL parameter encoding, so that the link remains correct and compatible. Understanding the difference between these two kinds of escaping lets you use AnQiCMS more skilfully, balancing safety and flexibility.
Frequently Asked Questions (FAQ)
Question: Why is the `&` in `{{ item.Link }}` sometimes rendered as `&amp;` and sometimes not?
Answer: It depends on the HTML context in which `item.Link` finally lands. When `{{ item.Link }}` is placed into an HTML attribute such as `<a href="...">`, the template engine performs HTML entity escaping by default, so `&` becomes `&amp;`; this is normal and safe behaviour. If `item.Link` is already a fully percent-encoded URL (for example, its `&` has already become `%26`), HTML escaping no longer changes that `%26` part, because those characters are no longer bare HTML special characters.
Question: If my URL contains Chinese characters, do I need to escape it manually with `|urlencode`?
Answer: Although modern browsers and servers increasingly support URLs containing UTF-8 Chinese characters, compatibility issues can still arise on older systems or in specific integration scenarios. For maximum compatibility and clarity, especially when a Chinese URL is used as a parameter value of another URL, it is strongly recommended to apply the `|urlencode` filter so that the URL is percent-encoded and can be parsed and transmitted correctly in every environment.
Question: In AnQiCMS templates, what is the difference between the `|safe` filter and the `|urlencode` filter, and how should I choose?
Answer: The `|safe` filter disables HTML auto-escaping. Use it when you are certain that a variable's content is completely safe HTML (for example, from a trusted rich-text editor) and you want the browser to parse it as HTML rather than display it as plain text. `|safe` performs no URL encoding. The `|urlencode` filter, by contrast, focuses on URL parameter encoding: it converts special characters into percent-encoded form so that the URL is syntactically correct and consistent during network transmission. In short, `|safe` is about safely rendering content as HTML, while `|urlencode` is about correctly encoding content into a URL. In general, unless you are dealing with trusted raw HTML fragments, avoid overusing `|safe`, and when building a URL that contains dynamic parameters, reach for `|urlencode` first.