In AnQi CMS, the `archiveList` tag is a powerful tool that lets us display website content flexibly, whether as a regular list, a related-documents list, or a paginated list. When we need to implement search, the `q` parameter plays a crucial role: it lets us dynamically filter and display content based on the keywords the user enters. For example, in a list of articles we can write `{% archiveList archives with type="page" q="搜索关键词" %}`, or, more commonly, let `archiveList` read the `q=关键词` parameter from the URL query string automatically and search with that value.

However, any feature that involves user input requires careful attention to secure coding. The keywords a user types into the search box are not always harmless plain text: they may contain malicious code, and if that input is not processed properly it can expose the site to security risks.

Understanding the potential risks of the `q` parameter

When a user types into the search box, that content is passed to the server as the value of the `q` parameter and is read and used by the `archiveList` tag in the template. If these keywords are displayed directly on the page without processing, or take part in page rendering in an unsafe way, security issues can follow. The most common and direct threat is cross-site scripting (XSS). For example, if the user enters `<script>alert('XSS');</script>` in the search box and the page outputs this string unescaped, the browser will execute the script, which can steal the user's session information, tamper with the page content, or even redirect the user to a malicious website.

Although AnQi CMS is built on Go and emphasizes being 'lightweight, efficient, and secure', and at the database layer it usually reduces the risk of SQL injection through mechanisms such as parameterized queries, this does not mean developers can ignore security at the front-end template layer. Output encoding in templates is crucial for content that is directly visible to users and may interact with them.

The built-in security mechanism of the AnQi CMS template engine

Fortunately, the AnQi CMS template engine (based on Django-like syntax; such engines usually provide automatic escaping) takes this into account in its design. When we output a variable's value directly in a template, the engine escapes HTML special characters by default: `<` becomes `&lt;`, `>` becomes `&gt;`, `&` becomes `&amp;`, `"` becomes `&quot;`, and `'` becomes `&#39;`. This automatic escaping is an important defense against XSS attacks.

This means that if we simply want to display the user's search keywords on the results page, for example by keeping the input in the search box, we can usually use `{{ urlParams.q }}` directly (assuming `urlParams.q` is the way to read the `q` parameter from the URL), without adding an extra escape filter, because the template engine does this for us.

Explicit output encoding and the use cases of the `safe` filter

Although the template engine escapes by default, AnQi CMS also provides explicit output-encoding filters, namely `escape` (or its abbreviation `e`) and `safe`, for specific scenarios.

  • `escape`/`e` filter: these explicitly tell the template engine to escape the output. In most cases this is redundant (the output is escaped by default), but in specific situations, such as when global automatic escaping has been turned off, or when you want to guarantee that a variable is always escaped regardless, you can use them explicitly. For example: `{{ urlParams.q|escape }}`.

  • `safe` filter: this filter should be used with caution. It disables the template engine's automatic HTML escaping and tells it: 'This content is safe HTML; output it directly without escaping special characters.' It is typically used to display content containing valid HTML tags that comes from administrators or other trusted sources, such as articles produced by a rich text editor. For the user-supplied `q` parameter, we strongly advise against using the `safe` filter unless you have ensured that the string has been strictly cleaned and validated on the server side and contains no malicious HTML or JavaScript. Applying `safe` to an unverified `q` parameter is equivalent to opening the door to XSS attacks.
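To make the difference between default escaping and `safe` concrete, here is a small Go illustration of the behaviour described above. It is an added example, not AnQi CMS's template engine: `escapeHTML` applies the five substitutions listed earlier, the `SafeHTML` type stands in for a value passed through `|safe`, and `renderValue`/`searchBox` are hypothetical helpers that mimic what the engine does with `{{ urlParams.q }}`.

```go
package main

import (
	"fmt"
	"strings"
)

// htmlEscaper implements the five substitutions the article lists (added
// illustration, not AnQi CMS code). strings.Replacer makes a single pass over
// the input, so the "&" inside an entity it just emitted is not escaped again.
var htmlEscaper = strings.NewReplacer(
	"&", "&amp;",
	"<", "&lt;",
	">", "&gt;",
	`"`, "&quot;",
	"'", "&#39;",
)

func escapeHTML(s string) string { return htmlEscaper.Replace(s) }

// SafeHTML marks content that a trusted source (such as the admin rich text
// editor) produced. It stands in for what the |safe filter does: the value
// bypasses escaping entirely.
type SafeHTML string

// renderValue mirrors the engine's default: a plain string is escaped, and
// only a value explicitly marked safe is emitted verbatim.
func renderValue(v interface{}) string {
	switch t := v.(type) {
	case SafeHTML:
		return string(t) // {{ body|safe }}
	case string:
		return escapeHTML(t) // {{ urlParams.q }}
	default:
		return escapeHTML(fmt.Sprint(t))
	}
}

// searchBox echoes the keyword back into the search box, as the article
// describes for the results page.
func searchBox(q string) string {
	return `<input name="q" value="` + renderValue(q) + `">`
}

func main() {
	q := "<script>alert('XSS');</script>" // the article's sample input
	fmt.Println(searchBox(q))
	// Constructed admin-authored HTML: the only kind of value to mark safe.
	fmt.Println(renderValue(SafeHTML("<b>Announcement</b>")))
}
```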

Summary and best practices

Ensuring secure encoding of the `q` parameter in the `archiveList` tag comes down to understanding and relying on the default security mechanism of the AnQi CMS template engine, supplemented by appropriate practices:

  1. Rely on default escaping. In most scenarios where the user-supplied `q` parameter needs to be displayed (for example, echoing the keywords in the search box on the results page), just output the variable directly; the AnQi CMS template engine performs HTML escaping by default, which effectively prevents XSS attacks.
  2. Use `safe` with caution. Only when the output genuinely contains legitimate HTML that the browser needs to parse, and you fully trust its source (for example, rich text edited by a back-end administrator, with a content-filtering mechanism in the back end), should the `safe` filter be used. Never apply it to user input that has not been strictly verified.
  3. Keep a multi-layered protection mindset. AnQi CMS provides security at both the underlying and template levels, but a sound security strategy is multi-layered. Ideally, all user input should be strictly validated and cleaned on the server side, not only for security but also for data consistency and the correctness of business logic.
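Step 3 (and the FAQ's Q3) call for server-side validation of `q` in addition to template escaping. The following Go function is an added example, not AnQi CMS code: it normalises whitespace, enforces a length limit counted in runes, and accepts only letters (including CJK), digits, spaces and a few punctuation marks. The limit `maxQueryRunes` and the allowed character set are assumptions to adapt to your site.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxQueryRunes is a constructed limit; choose one that fits your site.
const maxQueryRunes = 64

var (
	ErrQueryTooLong = errors.New("search keyword exceeds the length limit")
	ErrQueryBadChar = errors.New("search keyword contains a disallowed character")
)

// validateQuery normalises and checks the q parameter before it is handed to
// archiveList. Added example, not AnQi CMS code. The allowed set (letters
// including CJK, digits, spaces and "-_.,") is an assumption; the length is
// measured in runes so that Chinese keywords are not penalised.
func validateQuery(raw string) (string, error) {
	// Collapse runs of whitespace and trim both ends.
	q := strings.Join(strings.Fields(raw), " ")
	if utf8.RuneCountInString(q) > maxQueryRunes {
		return "", ErrQueryTooLong
	}
	for _, r := range q {
		switch {
		case unicode.IsLetter(r), unicode.IsDigit(r), r == ' ':
		case strings.ContainsRune("-_.,", r):
		default:
			// Rejects < > & " ' and control characters, among others.
			return "", ErrQueryBadChar
		}
	}
	return q, nil
}

func main() {
	// Constructed inputs: a normal keyword and the article's XSS sample.
	for _, in := range []string{"  搜索   关键词 ", "<script>alert('XSS');</script>"} {
		q, err := validateQuery(in)
		fmt.Printf("%q -> %q, %v\n", in, q, err)
	}
}
```

Rejected input should produce a clear error to the user, and the validated value must still be rendered through the template's default escaping; validation complements output encoding rather than replacing it.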

Through these practices, we can confidently use the `q` parameter of AnQi CMS's `archiveList` tag to build a powerful search function while keeping the display of website content safe and reliable.


Frequently Asked Questions (FAQ)

Q1: Does the AnQi CMS template engine HTML-escape all variable output by default?
A1: Yes. The AnQi CMS template engine usually escapes HTML special characters in all variable output by default to prevent cross-site scripting (XSS). This means that unless you explicitly use the `safe` filter, a tag such as `<script>` will be output as `&lt;script&gt;`.

Q2: When should we use the `safe` filter? Does it apply to the `q` parameter?
A2: The `safe` filter should only be used for HTML content that you completely trust and are sure contains no malicious code. For example, when you edit a piece of content with specific formatting (such as bold or italic) in the back-end rich text editor and want the front end to render that formatting, you can use `safe`. But for a `q` parameter such as a search keyword entered directly by the user, we strongly advise against using the `safe` filter, because it bypasses the template engine's default escaping and thereby opens the door to XSS attacks.

Q3: Besides secure coding at the template level, are there other security aspects to consider when using the `q` parameter?
A3: Of course. In addition to output encoding at the template level, best practice also includes strict validation and cleaning of user input on the server side. Although the underlying implementation of the `archiveList` tag (Go and its ORM) can usually prevent SQL injection effectively, validating input (for example, enforcing length limits or allowing only specific characters) further strengthens security and ensures the input conforms to business logic. This is a multi-layered defense strategy that provides comprehensive protection for your website.