In AnQiCMS, passing text entered by the user as a URL parameter is a common requirement: in search functions and filtered lists, the keywords or filter conditions the user enters are included in the URL. The benefits are obvious: it makes the URL more descriptive and SEO-friendly (that is, optimized for search engines), and lets users share or bookmark links to specific query results. Handled improperly, however, this operation can also introduce security risks.
Understanding URL parameters and potential risks
URL parameters follow a question mark (`?`) as key-value pairs, for example `https://yourdomain.com/search?q=anqicms&category=news`. Here `q` and `category` are the parameter names, and `anqicms` and `news` are the values the user entered or selected.
The potential risks mainly include two types:
- Cross-site scripting (XSS): malicious users may inject JavaScript code into the parameters. When other users visit a URL containing such code, the browser may execute the script, stealing users' cookies, modifying page content, or even carrying out phishing attacks.
- Injection attacks (SQL injection / command injection): although it is relatively rare for URL parameters to be used directly in database queries, in some complex custom scenarios, if backend code concatenates unvalidated URL parameters into SQL queries or system commands, the result may be data leakage, data tampering, or even control of the server.
AnQiCMS, an enterprise-level content management system developed in the Go language, has attached great importance to security and high concurrency from the very beginning. Go itself has advantages in memory safety and concurrency handling, and AnQiCMS also builds in multiple security mechanisms to help us build a secure website.
How AnQiCMS safely handles URL parameters input by users
AnQiCMS provides security on multiple levels, helping us transmit and process URL parameters safely:
URL encoding is the foundation
When the user enters text containing special characters (such as spaces, `&`, `/`, `?` or `#`), these characters can interfere with the structure of the URL when placed in it, causing links to fail or be misinterpreted. URL encoding (percent-encoding) converts these special characters into the `%xx` form, preserving the integrity of the URL structure. In AnQiCMS, when we use built-in features to generate URLs containing user input, the system usually performs URL encoding automatically. For example, when searching via the `archiveList` tag (the `q` parameter) or generating filter links via the `archiveFilters` tag, AnQiCMS takes care of encoding these parameter values correctly. If we need to construct a URL containing user input manually in a template and pass it as a parameter, we can use the `urlencode` filter provided by AnQiCMS. This filter percent-encodes the content of the variable so that it is safe inside the URL. For example: `<a href="/search?q={{ user_input|urlencode }}">搜索</a>`. In this way, even if `user_input` contains spaces, `&` or other special characters, they are safely encoded and cannot break the URL structure.
Backend validation and filtering
URL encoding alone is not enough, because encoding only changes how characters are represented; it does not remove their potential maliciousness. The real defense lies in server-side validation and filtering of user input. AnQiCMS has built-in "content security management" and "sensitive word filtering" functions, which check and filter content in real time when users submit it (including text that may later be used as a URL parameter).
When users publish content through the AnQiCMS admin interface or submit data through front-end forms, the system performs multi-layer validation on these inputs, including:
- Data type validation: ensures the input conforms to the expected data type (for example, numeric fields only accept numbers).
- Length limits: prevent excessively long input from causing overflow or unnecessary storage.
- Format checks: for example, an email address must be in a valid format.
- Sensitive word filtering: the "Content Security Management" mechanism of AnQiCMS can detect and block content containing preset sensitive words.
- HTML/JS escaping: when displaying content, the AnQiCMS template engine (whose syntax is similar to the Django template engine) automatically escapes HTML tags and JS syntax by default to prevent XSS attacks. Unless the `|safe` filter is used explicitly, a malicious script will not be executed.
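The following Go program is an added illustration of the two layers just described and is not code from AnQiCMS itself. It uses only the Go standard library: `url.Values.Encode` plays the role of the `urlencode` filter, `ValidateKeyword` stands in for the server-side checks (length limit, data type, control characters; the 64-character limit is an assumed value), and `html.EscapeString` stands in for the template engine's default auto-escaping. The sample input is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
	"unicode/utf8"
)

// maxKeywordLen is an assumed server-side length limit for a search keyword.
const maxKeywordLen = 64

// BuildSearchURL places a user-typed keyword (and optional category) into the
// query string. url.Values.Encode percent-encodes every value, so a space
// becomes "+", "&" becomes "%26", "#" becomes "%23" and so on; none of them
// can change the structure of the URL. This is what the urlencode filter does
// for a template variable.
func BuildSearchURL(base, keyword, category string) string {
	v := url.Values{}
	v.Set("q", keyword)
	if category != "" {
		v.Set("category", category)
	}
	return base + "?" + v.Encode()
}

// ParseSearchURL is the backend side of the exchange: net/url decodes the
// query string, so the handler sees the raw keyword again. Encoding therefore
// protects the URL, not the application; validation must happen here.
func ParseSearchURL(raw string) (keyword, category string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	return q.Get("q"), q.Get("category"), nil
}

// ValidateKeyword applies server-side checks of the kind the text lists:
// trims surrounding whitespace, rejects empty or non-UTF-8 input, enforces a
// length limit and refuses control characters. It returns the cleaned keyword
// or an error describing why the input was rejected.
func ValidateKeyword(raw string) (string, error) {
	kw := strings.TrimSpace(raw)
	switch {
	case kw == "":
		return "", errors.New("keyword is empty")
	case !utf8.ValidString(kw):
		return "", errors.New("keyword is not valid UTF-8")
	case utf8.RuneCountInString(kw) > maxKeywordLen:
		return "", fmt.Errorf("keyword exceeds %d characters", maxKeywordLen)
	}
	for _, r := range kw {
		if r < 0x20 || r == 0x7f {
			return "", errors.New("keyword contains control characters")
		}
	}
	return kw, nil
}

// RenderEcho shows the output-side defence: the keyword is HTML-escaped before
// being echoed into the page, which is what default auto-escaping does unless
// |safe is applied. A keyword containing <script> is shown as text, not run.
func RenderEcho(keyword string) string {
	return "<p>You searched for: " + html.EscapeString(keyword) + "</p>"
}

func main() {
	// Constructed sample input, not taken from any real site.
	userInput := `anqicms & go <script>alert(1)</script>`

	link := BuildSearchURL("https://yourdomain.com/search", userInput, "news")
	fmt.Println("generated link:", link)

	kw, cat, err := ParseSearchURL(link)
	if err != nil {
		panic(err)
	}
	fmt.Printf("backend received q=%q category=%q\n", kw, cat)

	if clean, err := ValidateKeyword(kw); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("rendered:", RenderEcho(clean))
	}
}
```

Running it shows the three stages side by side: the generated link contains no raw `&`, `<` or space; the backend nevertheless receives the original text back after decoding, which is why encoding alone proves nothing about the content; and only the escaped rendering keeps the `<script>` tag inert on the page.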
Use built-in features sensibly
AnQiCMS provides various built-in tags and features for handling content and URLs, and these were designed with security in mind.
- Search function (`q` parameter): when the search function is implemented through the `q` parameter of the `archiveList` tag, AnQiCMS handles the encoding of the keyword and the security of the subsequent query internally.
- Document parameter filtering (`archiveFilters`): this tag generates complex filter links based on the fields of a custom content model. AnQiCMS ensures that the generated `val.Link` is a securely URL-encoded link.
- Custom URL (`customURL` field): when publishing documents, categories or tags, AnQiCMS lets us set a custom URL alias (such as (unknown) or `{catname}`). The system automatically converts these user-entered aliases into a URL-compliant, secure format, usually based on pinyin and with uniqueness guaranteed, so that the raw user input is never placed directly in the URL path.
Make full use of these built-in features to build the site's interactive logic rather than piecing together URLs with user input by hand. Because the built-in features have been tested strictly, their security is better guaranteed.
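As an added example, not AnQiCMS's own implementation, the Go program below shows the kind of conversion the custom URL field performs before an alias is allowed into a pseudo-static path, and why a raw title must never be written into `/article/<title>.html` directly. The pinyin step AnQiCMS applies to Chinese characters needs a dictionary and is omitted here (non-ASCII characters are dropped instead); the `untitled` fallback, the `-2`, `-3` uniqueness suffixes and all sample titles are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// safeSlug is the shape a finished alias must have: lowercase ASCII letters
// and digits, with single hyphens between words. Anything else is rejected
// before it is allowed into a path such as /article/<alias>.html.
var safeSlug = regexp.MustCompile(`^[a-z0-9]+(?:-[a-z0-9]+)*$`)

// IsSafeSlug reports whether an alias already has the safe form.
func IsSafeSlug(alias string) bool {
	return safeSlug.MatchString(alias)
}

// Slugify normalises a user-typed alias: lowercase, keep ASCII letters and
// digits, turn every run of other characters into one hyphen, and never emit
// a hyphen at either end. Path separators, dots, quotes and angle brackets
// cannot survive, so traversal-style or markup-style input is neutralised.
// Assumption: AnQiCMS converts Chinese characters to pinyin first; that step
// is omitted here, so non-ASCII characters are treated as separators.
func Slugify(alias string) string {
	var b strings.Builder
	pendingDash := false
	for _, r := range strings.ToLower(alias) {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9')
		if !isAlnum {
			pendingDash = b.Len() > 0 // a leading hyphen is never written
			continue
		}
		if pendingDash {
			b.WriteByte('-')
			pendingDash = false
		}
		b.WriteRune(r)
	}
	if b.Len() == 0 {
		return "untitled" // constructed fallback for input with no usable characters
	}
	return b.String()
}

// UniqueSlug appends -2, -3, ... until the slug is not already taken,
// mirroring the uniqueness guarantee the custom URL field provides.
func UniqueSlug(slug string, taken map[string]bool) string {
	if !taken[slug] {
		return slug
	}
	for i := 2; ; i++ {
		candidate := fmt.Sprintf("%s-%d", slug, i)
		if !taken[candidate] {
			return candidate
		}
	}
}

// ArticlePath builds the pseudo-static path from a user title. The raw title
// never reaches the path: it is slugified, made unique, and finally re-checked
// against the safe pattern as a defence-in-depth assertion.
func ArticlePath(title string, taken map[string]bool) (string, error) {
	slug := UniqueSlug(Slugify(title), taken)
	if !IsSafeSlug(slug) {
		return "", fmt.Errorf("slug %q failed the safety check", slug)
	}
	return "/article/" + slug + ".html", nil
}

func main() {
	// Constructed examples of what a user might type into the alias field.
	taken := map[string]bool{"news": true, "news-2": true}
	for _, title := range []string{
		"My Custom Title!",
		"../../etc/passwd",
		"<script>alert(1)</script>",
		"news",
	} {
		p, err := ArticlePath(title, taken)
		fmt.Printf("%-28q -> %s %v\n", title, p, err)
	}
}
```

The final `IsSafeSlug` check is redundant for output of `Slugify`, but it is the check to keep if an alias can also arrive from another source (an import, an API call, an older database row): a path component that matches the pattern cannot contain `/`, `.`, `<` or `%`, so it can only ever select a page, never change the route.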
Recommendations in practice
- Prefer AnQiCMS's built-in tags and filters: when user input needs to be passed as a URL parameter, first consider using the `archiveList`/`archiveFilters` tags provided by AnQiCMS. If manual construction is required, be sure to use the `urlencode` filter to encode the parameter values entered by the user.
- Do not concatenate raw user input directly into the URL path: especially when constructing pseudo-static URLs, avoid using unprocessed user input as part of the path, for example `/{{ user_input }}.html`. AnQiCMS's custom URL field already provides a secure alternative.
- Front-end and back-end dual validation: even though AnQiCMS has strong security mechanisms on the backend, it is still good practice to perform initial input validation in JavaScript on the frontend (such as checking for empty values and limiting length), which improves user experience and reduces server load. But remember: frontend validation cannot replace backend validation.
- Regular updates and security audits: AnQiCMS is updated continuously and potential security vulnerabilities are fixed. Keep the system version up to date. For highly customized websites, regular security audits are also an important step.
By following the above approach, combining AnQiCMS's powerful backend features with the underlying advantages of Go, we can safely pass user-entered text as URL parameters. This provides a good user experience and SEO effect while also ensuring the security of the website.
Common Questions (FAQ)
Q1: I have a custom frontend form and need to pass the user's input fields as URL parameters to be processed by AnQiCMS. What should I do to ensure safety?
A1: For custom forms, use frontend JavaScript to perform basic validation on user input (such as non-empty checks and length limits), but the most critical step is to URL-encode the user input value when passing it as a URL parameter. In AnQiCMS templates, you can use `{{ user_input_variable|urlencode }}` for this. When these parameters reach the AnQiCMS backend, the system re-validates and filters them, including sensitive word checks and XSS protection, so make sure that your backend logic makes full use of the security features provided by AnQiCMS.
Q2: When AnQiCMS generates links, does it automatically URL-encode and HTML-escape user input?
A2: Yes. For AnQiCMS's built-in functions (such as filter links generated by `archiveFilters`, or searching through the `q` parameter of the `archiveList` tag), the system automatically URL-encodes parameter values and HTML-escapes them by default when outputting to the page, to prevent XSS attacks. But if you manually concatenate URL parameters containing user input in a template, or directly output user content that may contain HTML/JS code, you need to apply the `|urlencode` filter yourself for URL encoding and check whether the `|safe` filter is really necessary (use it only when you are sure the content is safe and you need the HTML to be rendered).
Q3: When using pseudo-static URLs (such as `/article/my-custom-title.html`), is there any security issue if `my-custom-title` is user input?
A3: A pseudo-static URL makes the link look neater, but in essence it still passes the content as a parameter. If `my-custom-title` is a string entered directly by the user that AnQiCMS has not processed, then theoretically there may still be security risks