In AnQiCMS, passing text entered by the user as a URL parameter is a common requirement: in the search function or a filtered list, the keywords or filter conditions the user entered are included in the URL. The benefits are obvious: the URL becomes more descriptive, SEO-friendly, and convenient for users to share or save as a link to a specific set of search results. However, if this is not handled properly, it can also pose security risks.
Understanding URL parameters and potential risks
URL parameters start after a question mark (`?`) as key-value pairs, for example `https://yourdomain.com/search?q=anqicms&category=news`. Here `q` and `category` are the parameter names, and `anqicms` and `news` are the values entered or selected by the user.
There are mainly two types of potential risks:
- Cross-site scripting (XSS): malicious users may inject JavaScript code into parameters. When other users visit a URL containing this malicious code, the browser may execute the script, potentially stealing the user's cookies, modifying page content, or even carrying out phishing.
- SQL injection / command injection: although performing database queries directly with URL parameters is relatively rare, in certain complex custom scenarios the backend code may concatenate unvalidated URL parameters into SQL queries or system commands, which can lead to data leakage, data tampering, or even control of the server.
AnQiCMS, an enterprise-level content management system developed in Go, has placed a high emphasis on security and concurrency from the beginning of its design. Go itself has advantages in memory safety and concurrency handling, and AnQiCMS adds multiple security mechanisms of its own to help us build a secure website.
How to safely handle user input URL parameters in AnQiCMS
AnQiCMS provides security at multiple levels for us, helping us safely transmit and process URL parameters:
URL encoding is fundamental
When the user's input text contains special characters (such as spaces, `&`, `/`, `?`, `#`), these characters interfere with the structure of the URL and can cause links to fail or be misinterpreted. URL encoding (percent-encoding) converts these special characters into the `%xx` format so that the URL structure stays intact. In AnQiCMS, when we use the built-in functions to generate URLs from user input, the system usually performs URL encoding automatically. For example, when searching via the `archiveList` tag (through the `q` parameter) or generating filter links with the `archiveFilters` tag, AnQiCMS is responsible for correctly encoding these parameter values. If we need to construct a URL containing user input manually and pass it as a parameter, we can use the `urlencode` filter provided by AnQiCMS, which percent-encodes the content of a variable so that it is safe inside a URL. For example: `<a href="/search?q={{ user_input|urlencode }}">搜索</a>`. In this way, even if `user_input` contains spaces, `&` or other special characters, they are encoded safely and cannot break the URL structure.
Backend validation and filtering
It is not enough to perform URL encoding alone, because encoding only changes the form of the characters and does not remove their potential for harm. The real line of defense is server-side validation and filtering of user input. AnQiCMS has built-in features such as "Content Security Management" and "Sensitive Word Filtering" that check and filter content in real time when users submit it (including text that may later be used as a URL parameter).
When a user publishes content through the AnQiCMS backend interface or submits data through a frontend form, the system will perform multi-layer validations on these inputs, including:
- Data type verification: ensure that the input conforms to the expected data type (for example, numeric fields only accept numbers).
- Length restriction: prevent excessively long input that could lead to overflow or unnecessary storage.
- Format check: for example, an email address must be in a valid format.
- Sensitive word filtering: AnQiCMS's "Content Security Management" mechanism can detect and block content containing predefined sensitive words.
- HTML/JS escaping: when content is displayed, the AnQiCMS template engine (whose syntax is similar to the Django template engine) automatically escapes HTML tags and JS syntax by default to prevent XSS attacks. Unless the `|safe` filter is used explicitly, a malicious script will not be executed.
Use built-in functions reasonably
AnQiCMS provides a variety of built-in tags and features for handling content and URLs, all designed with security in mind.
- Search function (`q` parameter): when searching through the `q` parameter of the `archiveList` tag, AnQiCMS handles the encoding of the keyword and the security of the subsequent query internally.
- Document parameter filtering (`archiveFilters`): this tag generates complex filter links based on the fields of a custom content model. AnQiCMS ensures that the generated `val.Link` is a securely URL-encoded link.
- Custom URL (`customURL` field): when publishing documents, categories, or tags, AnQiCMS allows us to set custom URL aliases (such as (unknown) or `{catname}`). The system automatically converts the alias entered by the user into a URL-safe, standardized form, usually based on pinyin, and ensures uniqueness, so the raw user input is never placed directly in the URL path.
Make full use of these built-in features to build the website's interactive logic rather than piecing together URLs with user input by hand from scratch. Built-in functions have undergone strict testing, so their security is better guaranteed.
Advice in practice
- Use AnQiCMS built-in tags and filters first: when user input must be passed as a URL parameter, prefer the functions AnQiCMS provides, such as `archiveList` / `archiveFilters`. If you need to build the URL manually, make sure to encode the user-entered parameter values with the `urlencode` filter.
- Do not concatenate raw user input into the URL path: especially when constructing pseudo-static URLs, avoid using unprocessed user input directly as part of the path, for example `/{{ user_input }}.html`. AnQiCMS's Custom URL (自定义URL) field already provides a secure alternative.
- Front-end and back-end dual validation: although AnQiCMS has strong security mechanisms on the backend, it is still good practice to perform initial input validation on the frontend with JavaScript (such as checking for empty values, length limits, etc.), which improves the user experience and reduces server load. But remember that frontend validation cannot replace backend validation.
- Regular updates and security audits: AnQiCMS is continuously updated and fixes potential security vulnerabilities, so keep the system version up to date. For highly customized websites, regular security audits are also important.
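As an added example (not AnQiCMS code), the following Go snippet shows the practices above in plain standard-library form: percent-encoding query values as the `urlencode` filter does, HTML-escaping the link and its text as the template engine does by default, and normalising an alias into a path-safe slug as the custom URL field does instead of placing raw input in the path. The pinyin conversion AnQiCMS performs is assumed out of scope, and all inputs are constructed samples.

```go
package main

import (
	"html"
	"net/url"
	"regexp"
	"strings"
)

// searchLink builds /search?q=...&category=... with every value percent-encoded;
// it is the Go counterpart of {{ user_input|urlencode }} in the template.
func searchLink(q, category string) string {
	v := url.Values{}
	v.Set("q", q)
	if category != "" {
		v.Set("category", category)
	}
	return "/search?" + v.Encode() // Encode sorts keys: category comes before q
}

// renderSearchAnchor escapes both the href and the visible text, which is what
// the template engine's default HTML escaping does unless |safe is applied.
func renderSearchAnchor(q, category string) string {
	link := html.EscapeString(searchLink(q, category)) // "&" between params becomes "&amp;"
	return `<a href="` + link + `">` + html.EscapeString(q) + `</a>`
}

// nonSlug matches every run of characters that may not appear in a path slug.
var nonSlug = regexp.MustCompile(`[^a-z0-9]+`)

// slugify normalises a user-supplied alias into a path-safe segment, the role the
// custom URL field plays: the raw alias never reaches the URL path. The pinyin
// conversion AnQiCMS performs for Chinese titles is not reproduced here
// (assumption: ASCII aliases only; anything else collapses to "untitled").
func slugify(alias string) string {
	s := strings.ToLower(strings.TrimSpace(alias))
	s = strings.Trim(nonSlug.ReplaceAllString(s, "-"), "-")
	if len(s) > 64 { // only [a-z0-9-] remain, so byte slicing is safe
		s = strings.Trim(s[:64], "-")
	}
	if s == "" {
		return "untitled"
	}
	return s
}
```

With the constructed input `anqi&cms <script>alert(1)</script>`, `searchLink` yields a query where `&`, `<`, `>` and `/` are all percent-encoded, and `slugify("../../etc/passwd")` yields `etc-passwd`, so traversal characters never reach the path.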
By following the approach above, combining the backend features of AnQiCMS with the underlying advantages of Go, we can safely pass user-entered text as URL parameters while providing a good user experience and SEO benefits and keeping the website secure.
Frequently Asked Questions (FAQ)
Q1: I have a custom frontend form that needs to pass user-entered fields as URL parameters to AnQiCMS for processing. How can I make this safe?
A1: For custom forms, first perform basic validation on the frontend with JavaScript (non-empty, length limits, etc.), but the most important step is to URL-encode the user-entered values when passing them as URL parameters. In an AnQiCMS template you can use `{{ user_input_variable|urlencode }}` for this. When these parameters reach the AnQiCMS backend, the system validates and filters them again, including sensitive word checks and XSS protection, so make sure your backend logic fully uses the security features AnQiCMS provides.
Q2: Does AnQiCMS automatically URL-encode user input and escape HTML when generating links?
A2: Yes. For AnQiCMS built-in functions (such as filter links generated by `archiveFilters`, or searches through the `q` parameter of the `archiveList` tag), the system URL-encodes the parameter values automatically and, by default, HTML-escapes them when outputting to the page to prevent XSS. However, if you manually concatenate URL parameters containing user input in a template, or directly output user content that may contain HTML/JS, you need to apply the `|urlencode` filter yourself for URL encoding and review any use of the `|safe` filter (use it only when you are sure the content is safe and it needs to be rendered as HTML).
Q3: If I use pseudo-static URLs (such as `/article/my-custom-title.html`) and `my-custom-title` comes from user input, are there any security issues?
A3: Pseudo-static URLs make links look neater, but essentially they still pass content as a parameter. If `my-custom-title` were the user's raw string placed directly in the URL and AnQiCMS did not process it, there could theoretically still be security risks