In website content management we often need to display various kinds of text on a page, including HTML content with specific formatting or interactive effects. AnQiCMS is a modern content management system. When rendering templates it takes an important security measure by default: it automatically escapes HTML content. This mechanism is designed to prevent cross-site scripting (XSS) attacks and keep the website secure. However, in some scenarios, such as displaying formatted content produced by a rich text editor, custom HTML snippets, or the built-in copyright notice, we do not want that content escaped; we want it delivered to the user as the original HTML. This is why it is important to understand and master the 'safe output' mechanism of AnQiCMS templates.
AnQiCMS template security mechanism: escaping by default
The template engine of AnQiCMS follows a design similar to many modern web frameworks: by default, everything output through `{{变量}}` (that is, `{{variable}}`) is treated as plain text. This means that if your content variable contains HTML tags such as `<script>` or `<img>`, or special characters such as `&`, `<`, `>` or `/`, the template engine automatically converts them to HTML entities on output (for example `<` becomes `&lt;` and `&` becomes `&amp;`). This default behaviour is the first line of defence for website security: it effectively prevents malicious code (such as injected JavaScript) from executing in the user's browser and greatly reduces the risk of XSS attacks.
For example, if you enter the text `<p>这是一段<em>加粗</em>的文字。</p>` in the admin content editor, by default what you see on the front-end page is the literal text `<p>这是一段<em>加粗</em>的文字。</p>` rather than formatted text. This handling guarantees security, but when HTML-formatted content must be displayed we need to tell the template engine explicitly to stop escaping.
The core of 'safe output': the |safe filter
When you are sure that a piece of content is safe and contains HTML that needs to be parsed, AnQiCMS provides the `|safe` filter to tell the template engine not to escape it. The purpose of `|safe` is to tell the system: 'I have checked this content, it is safe, please parse it and output it directly as HTML.'
Its usage is very intuitive: just append `|safe` after the name of the variable you do not want escaped:
```django
{# On the document detail page, output the article body so rich-text formatting renders correctly #}
<div>
{% archiveDetail articleContent with name="Content" %}
{{ articleContent|safe }}
</div>

{# On the category detail page, output the category description or content when it contains HTML #}
<div>
{% categoryDetail categoryDescription with name="Description" %}
{{ categoryDescription|safe }}
</div>

{# The system copyright notice may contain HTML tags such as links #}
<div>
{% system siteCopyright with name="SiteCopyright" %}
{{ siteCopyright|safe }}
</div>
```
Note that when you use the `|safe` filter, you take responsibility for the security of that content. If content processed with `|safe` contains a malicious script, that script will execute in the user's browser. Therefore, whenever you use `|safe`, make sure the content comes from a trustworthy source or has been strictly reviewed and filtered.
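As an added example (not AnQiCMS code), the following Go program uses the standard library's html/template as a stand-in for the AnQiCMS template engine to show both halves of the behaviour described above: a plain string rendered through `{{.}}` is escaped by default, wrapping it in `template.HTML` plays the role of `|safe` and emits it verbatim, and a `trustedHTML` gate shows the kind of allowlist check that should sit in front of `|safe`. The template, the sample strings and the allowlist are constructed for this illustration and are assumptions, not anything taken from the project.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// Constructed sample inputs (not from the page): one benign rich-text
// fragment and one fragment carrying an injected script.
const sampleContent = `<p>This is <em>bold</em> text.</p>`
const maliciousContent = `<p>Hello</p><script>alert(1)</script>`

// page is the fixed template: a single value rendered inside a <div>.
// html/template stands in for the AnQiCMS engine here; both escape by
// default and both offer a way to mark a value as trusted HTML.
var page = template.Must(template.New("page").Parse(`<div>{{.}}</div>`))

func render(v interface{}) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped is the default path: the value is a plain string, so every
// '<', '>' and '&' is turned into an HTML entity before it reaches the browser.
func renderEscaped(content string) (string, error) {
	return render(content)
}

// renderSafe is the |safe path: wrapping the string in template.HTML tells
// the engine the author vouches for it, and it is emitted unchanged.
func renderSafe(content string) (string, error) {
	return render(template.HTML(content))
}

// tagPattern matches anything that looks like a tag, including comments
// and malformed fragments, so that all of them are checked.
var tagPattern = regexp.MustCompile(`<[^>]*>`)

// allowedTags is a deliberately small allowlist of bare formatting tags.
var allowedTags = map[string]bool{
	"p": true, "em": true, "strong": true, "br": true,
	"ul": true, "ol": true, "li": true,
}

// trustedHTML is the gate content should pass before being marked safe:
// it returns template.HTML only when every '<' opens an allowlisted tag
// with no attributes at all; anything else is rejected rather than cleaned.
func trustedHTML(content string) (template.HTML, error) {
	tags := tagPattern.FindAllString(content, -1)
	if strings.Count(content, "<") != len(tags) {
		return "", errors.New("content contains a '<' that is not part of a complete tag")
	}
	for _, tag := range tags {
		// "<em>", "</p>" and "<br/>" reduce to their bare tag name;
		// a tag carrying attributes keeps them and therefore fails the lookup.
		name := strings.ToLower(strings.Trim(tag, "</> \t\r\n"))
		if !allowedTags[name] {
			return "", fmt.Errorf("tag %q is not on the allowlist", tag)
		}
	}
	return template.HTML(content), nil
}

func main() {
	escaped, _ := renderEscaped(sampleContent)
	fmt.Println("default (escaped):", escaped)
	safe, _ := renderSafe(sampleContent)
	fmt.Println("with |safe:       ", safe)
	// Marking the malicious fragment safe would emit the script unchanged.
	leaked, _ := renderSafe(maliciousContent)
	fmt.Println("unchecked |safe:  ", leaked)
	// The gate rejects it instead of letting it through.
	if _, err := trustedHTML(maliciousContent); err != nil {
		fmt.Println("gate rejected:    ", err)
	}
}
```

The gate rejects rather than cleans: anything outside the small allowlist, including any attribute, any comment or a stray `<`, produces an error, so a false positive costs a rejected post while a miss would cost a script in every visitor's browser. For real rich-text content, run a maintained HTML sanitizer (such as bluemonday in Go) on the server before storing the value, and reserve `|safe` for values that have passed it.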