In website content management we often need to display text on a page, including HTML with a specific format or interactive effect. AnQiCMS is a modern content management system that, when rendering templates, applies an important security measure by default: it automatically escapes HTML. This mechanism exists to prevent cross-site scripting (XSS) and keep the site secure. In some scenarios, however, such as displaying formatted content produced by a rich text editor, a custom HTML snippet, or the system's built-in copyright notice, we do not want the content escaped; we want it delivered to the user as the original HTML. That is where understanding the 'safe output' mechanism of AnQiCMS templates matters.
The AnQiCMS template security mechanism: escaping by default
The AnQiCMS template engine follows the same design philosophy as many modern web frameworks: by default, everything output through {{ variable }} is treated as plain text. If the variable contains HTML tags such as <script> or <img>, or special characters such as &, < and >, the template engine converts them to HTML entities (for example < becomes &lt; and & becomes &amp;). This default behaviour is the website's first line of defence: injected markup, such as a JavaScript payload, is rendered as literal text instead of executing in the user's browser, which greatly reduces the risk of XSS.
For example, if you enter <p>This is a piece of <em>bold</em> text.</p> in the admin back-end, the front-end page will by default show the literal text <p>This is a piece of <em>bold</em> text.</p> rather than a formatted paragraph. This behaviour is safe, but when HTML-formatted content must be displayed we have to tell the template engine explicitly not to escape it.
The core of 'safe output': the |safe filter
When you know for certain that a piece of content is safe and contains HTML that must be parsed, AnQiCMS provides the |safe filter to tell the template engine not to escape it. Applying |safe says to the system: 'I have checked this content, it is safe, parse and output it directly as HTML.'
Usage is straightforward: append |safe to the variable you want to output unescaped. In AnQiCMS, the rich text fields of documents, categories and single pages normally contain HTML, so to display them with their formatting intact you would write something like this:
{# Document detail page: output the article body so the rich text formatting renders #}
<div>
{% archiveDetail articleContent with name="Content" %}
{{ articleContent|safe }}
</div>
{# Category detail page: output the category description or content when it contains HTML #}
<div>
{% categoryDetail categoryDescription with name="Description" %}
{{ categoryDescription|safe }}
</div>
{# The system copyright notice may contain links and other HTML tags #}
<div>{% system siteCopyright with name="SiteCopyright" %}{{ siteCopyright|safe }}</div>
Note that using |safe makes you responsible for the security of that content: if the content passed through |safe contains a malicious script, it will execute in the user's browser. Whenever you use |safe, make sure the content comes from a trusted source (such as an administrator-edited field) or has been strictly reviewed and filtered, and never apply it to unfiltered user input such as comments or form submissions.
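To make the default escaping described above and this warning concrete, here is an added Go example; it is not AnQiCMS code. Go's standard html/template stands in for the AnQiCMS template engine, with template.HTML playing the role of |safe. The block shows the escaped output of {{ content }}, the verbatim pass-through of {{ content|safe }}, and the filtering step this warning asks for: a small allowlist sanitiser that re-serialises untrusted HTML before it is marked safe. The allowed-tag list, the ForSafeOutput policy and the sample strings are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"regexp"
	"strings"
)

// A Go html/template with a single action stands in for an AnQiCMS template:
// a plain string is escaped, a template.HTML value is passed through verbatim,
// which is exactly the distinction between {{ content }} and {{ content|safe }}.
var page = template.Must(template.New("page").Parse("{{ . }}"))

func render(v interface{}) string {
	var sb strings.Builder
	if err := page.Execute(&sb, v); err != nil {
		panic(err)
	}
	return sb.String()
}

// RenderEscaped mirrors the default {{ content }}: tags become entities.
func RenderEscaped(content string) string { return render(content) }

// RenderSafe mirrors {{ content|safe }}: the markup is emitted unchanged.
func RenderSafe(content string) string { return render(template.HTML(content)) }

// Tags the sanitiser keeps. The list is an assumption for this example, not
// AnQiCMS configuration. Every other tag (script, img, iframe, ...) is dropped.
var allowedTags = map[string]bool{
	"p": true, "em": true, "strong": true, "br": true,
	"ul": true, "ol": true, "li": true, "a": true,
}

var hrefRe = regexp.MustCompile(`(?i)\bhref\s*=\s*["']?([^"'\s>]+)`)

func isHTTPURL(u string) bool {
	l := strings.ToLower(strings.TrimSpace(u))
	return strings.HasPrefix(l, "http://") || strings.HasPrefix(l, "https://")
}

// Sanitize re-serialises untrusted HTML so that it can be marked safe:
// allowed tags are re-emitted bare (no attributes, so no onerror/onclick),
// <a> keeps only an http(s) href, and all text between tags is escaped.
// The text inside a dropped tag (e.g. a script body) survives as harmless text.
func Sanitize(content string) string {
	var out strings.Builder
	for {
		lt := strings.IndexByte(content, '<')
		if lt < 0 {
			out.WriteString(html.EscapeString(content))
			return out.String()
		}
		out.WriteString(html.EscapeString(content[:lt]))
		rest := content[lt+1:]
		gt := strings.IndexByte(rest, '>')
		if gt < 0 { // unterminated '<': treat the remainder as text
			out.WriteString(html.EscapeString(content[lt:]))
			return out.String()
		}
		tag, closing := rest[:gt], strings.HasPrefix(rest, "/")
		content = rest[gt+1:]
		body := strings.TrimPrefix(tag, "/")
		fields := strings.FieldsFunc(body, func(r rune) bool { return strings.ContainsRune(" \t\r\n/", r) })
		if len(fields) == 0 || !allowedTags[strings.ToLower(fields[0])] {
			continue // disallowed or malformed tag: dropped entirely
		}
		name := strings.ToLower(fields[0])
		switch {
		case closing:
			fmt.Fprintf(&out, "</%s>", name)
		case name == "a":
			if m := hrefRe.FindStringSubmatch(body); m != nil && isHTTPURL(m[1]) {
				fmt.Fprintf(&out, `<a href="%s">`, html.EscapeString(m[1]))
			} else {
				out.WriteString("<a>") // javascript:, data: and relative targets are dropped
			}
		default:
			fmt.Fprintf(&out, "<%s>", name)
		}
	}
}

// ForSafeOutput is the decision to make before writing |safe in a template:
// content from a trusted source (an administrator-edited rich text field, the
// system copyright) passes through; anything else is sanitised first.
func ForSafeOutput(content string, trusted bool) string {
	if trusted {
		return RenderSafe(content)
	}
	return RenderSafe(Sanitize(content))
}

func main() {
	// Constructed sample inputs: the article's own example and a hostile comment.
	rich := "<p>This is a piece of <em>bold</em> text.</p>"
	hostile := `<p>hi <script>alert(1)</script> <img src=x onerror=alert(1)><a href="javascript:alert(1)">x</a> <a href="https://example.com/?a=1&b=2">ok</a></p>`
	fmt.Println(RenderEscaped(rich))
	fmt.Println(RenderSafe(rich))
	fmt.Println(ForSafeOutput(hostile, false))
}
```

The design choice worth noting is that Sanitize does not try to detect dangerous markup (a denylist of script tags and on* attributes is routinely bypassed through case tricks, broken tags and encodings); it drops everything not on the allowlist and re-emits only canonical tags, so nothing from the input reaches the page except escaped text and a validated href. For production use, a maintained HTML sanitiser built on a real parser is preferable to this hand-rolled scanner, but the policy is the same: sanitise or trust first, then |safe.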