When developing websites with AnQiCMS, we often use a variable such as {{ item.Link }} in templates to generate links, which raises a natural question: are the URLs the system generates automatically, such as the link to an article detail page or a category list page, escaped automatically when they are output to the HTML page, so that the links are both correct and safe?

AnQiCMS's template system uses Pongo2, a template engine whose syntax resembles Django's, and it carries an important security feature by design: all content output through the double-brace syntax {{ variable }} is HTML-escaped automatically. This means that when {{ item.Link }} is rendered into the HTML page, for example as the href attribute value of an <a> tag, any special characters it contains, such as <, >, &, " and ', are converted to their corresponding HTML entities (for example, & becomes &amp;). This mechanism is designed to prevent cross-site scripting (XSS): even if malicious script code is inadvertently mixed into a link, the browser will not execute it directly, which strengthens the security of the website.

Therefore, for most common template usage, such as placing {{ item.Link }} directly in an href attribute, you usually do not need to worry about HTML injection. The template engine's auto-escaping handles these details, so the generated link is safe and well-formed within the HTML structure. AnQiCMS takes security seriously in its project design, and this default template output behaviour is one reflection of its commitment to helping users build safer websites.

However, it is important to note that the 'escaping' here refers to escaping in the HTML context, whose purpose is to prevent the HTML structure from being broken and to prevent XSS attacks. URL parameter escaping (also known as 'percent-encoding') is a different layer: it encodes characters that have a special meaning in a URL (such as spaces, &, ?, / and Chinese characters) into the %xx form, so that the URL itself is unambiguous during network transmission and parsing.

If item.Link is already a complete URL including query parameters (for example https://www.example.com/article?id=1&title=test article), and those parameters were processed correctly by AnQiCMS when the link was generated (for example, through pseudo-static rules), then when it is used as an href attribute value the HTML auto-escaping converts & to &amp;, which is entirely correct when the browser parses the page.

But if you need to use the value of item.Link as the query-parameter value of another URL, or when you manually concatenate URL components that contain special characters, the situation is different. For example, you may want to build a redirect link in which item.Link is the redirect target:

{{ some_base_url }}?redirect_to={{ item.Link }}

In this scenario, if the value of item.Link is path/to/page?param1=value1&param2=value2, direct concatenation that relies only on HTML auto-escaping is not enough. The & inside the redirect_to value must be encoded as %26, not &amp;; otherwise the browser will treat param2=value2 as a separate parameter, independent of redirect_to.

To meet such complex URL construction requirements, AnQiCMS's template system also provides the |urlencode and |iriencode filters. When you need to make sure that a string (especially user input or dynamic content containing special characters) is correctly encoded as a URL parameter value, you can use them:

{{ some_base_url }}?redirect_to={{ item.Link|urlencode }}

Passing item.Link through |urlencode percent-encodes all of the URL's special characters correctly, ensuring that the whole URL is valid and standards-compliant. The |iriencode filter provides another encoding method that escapes all parts of the URL except certain specified characters, and is suited to specific scenarios such as internationalized resource identifiers (IRI).
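The difference between the two template lines above, reproduced in Go with the standard library as an added example (not AnQiCMS or Pongo2 code): html.EscapeString stands in for the engine's auto-escaping, url.QueryEscape for the |urlencode filter, and the base URL and item.Link value are constructed sample data.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// Constructed sample values: item.Link carries its own query string, so it
// contains '?', '=' and '&', the characters that matter in this scenario.
const (
	baseURL  = "https://www.example.com/go"
	itemLink = "path/to/page?param1=value1&param2=value2"
)

// renderHTMLOnly mimics {{ some_base_url }}?redirect_to={{ item.Link }}:
// the engine HTML-escapes the value (& -> &amp;) but does no percent-encoding.
func renderHTMLOnly(base, link string) string {
	return base + "?redirect_to=" + html.EscapeString(link)
}

// renderURLEncoded mimics {{ some_base_url }}?redirect_to={{ item.Link|urlencode }}:
// the value is percent-encoded first (& -> %26, ? -> %3F, / -> %2F), and the
// engine's HTML escaping afterwards has nothing left to change.
func renderURLEncoded(base, link string) string {
	return base + "?redirect_to=" + html.EscapeString(url.QueryEscape(link))
}

// parseAsBrowser does what a browser does with an href attribute: it decodes
// the HTML entities first, then parses the result as a URL and splits its query.
func parseAsBrowser(href string) (url.Values, error) {
	u, err := url.Parse(html.UnescapeString(href))
	if err != nil {
		return nil, err
	}
	return u.Query(), nil
}

func main() {
	for _, href := range []string{renderHTMLOnly(baseURL, itemLink), renderURLEncoded(baseURL, itemLink)} {
		q, err := parseAsBrowser(href)
		if err != nil {
			panic(err)
		}
		// Without |urlencode, param2 leaks out as a top-level parameter and
		// redirect_to is truncated; with it, redirect_to holds the whole link.
		fmt.Printf("%s\n  redirect_to=%q  param2=%q\n", href, q.Get("redirect_to"), q.Get("param2"))
	}
}
```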

In summary:

In AnQiCMS templates, the automatically generated URL in {{ item.Link }} is HTML auto-escaped by default, which provides the fundamental protection against XSS attacks and is safe enough in the common case where the link is used directly as an href attribute value. But if you need to use these links as parameter values of another URL, or build more complex URLs, it is recommended to apply the |urlencode filter manually to perform URL parameter encoding, so that the link remains robust in terms of both functionality and compatibility. Understanding the difference between these two kinds of escaping lets you use AnQiCMS more flexibly, balancing security and flexibility.


Common Questions (FAQ)

  1. Question: Why do I sometimes see the & in {{ item.Link }} rendered as &amp; and sometimes not?
     Answer: It depends on the HTML context in which item.Link is finally placed. When {{ item.Link }} is placed into an HTML attribute such as <a href="...">, the template engine performs HTML entity escaping by default, so & becomes &amp;; this is normal and safe behaviour. If item.Link is already a complete, fully percent-encoded URL (for example, its internal & is already %26), then HTML escaping will not change %26, because it is no longer a bare HTML special character.

  2. Question: If my URL contains Chinese characters, do I need to escape it manually with |urlencode?
     Answer: Although modern browsers and servers increasingly support UTF-8 URLs containing Chinese characters, compatibility problems can still arise when such URLs are used directly in some older systems or specific integration scenarios. For maximum compatibility and clarity, especially when a URL containing Chinese characters is used as a parameter value of another URL, it is strongly recommended to use the |urlencode filter to percent-encode it, so that the URL can be parsed and transmitted correctly in every environment.

  3. Question: In AnQiCMS templates, what is the difference between the |safe filter and the |urlencode filter, and how should I choose?
     Answer: The |safe filter disables HTML auto-escaping. Use it when you are certain that a variable's content is completely safe HTML (for example, from a trusted rich-text editor) and you want the browser to parse it as HTML rather than display it as plain text. It performs no URL encoding at all. The |urlencode filter focuses on URL parameter encoding: it converts special characters to percent-encoded form to keep the URL syntactically correct and consistent during network transmission. In short, |safe is about parsing content as HTML safely, while |urlencode is about the URL-encoding correctness of content. Unless you are handling trusted raw HTML fragments, avoid overusing |safe; when constructing URLs with dynamic parameters, prefer |urlencode.