How to make `urlize` output HTML links correctly without using the `safe` filter?

Security BLOG 2025-11-09 58 Views

AnQiCMS's template system, with its powerful features and flexible customization, provides a solid foundation for content operations.In the content display, we often encounter the need to automatically convert URLs in plain text to clickable HTML links.urlizeThe filter is designed for this, it can intelligently identify URLs or email addresses in text and wrap them in<a>in the tag.

However, when usingurlizeWhen using a filter, a common practice is to|safeThe filter is used because AnQiCMS (and most modern template engines) default to escaping HTML entities for all content output through variables to prevent cross-site scripting (XSS) attacks and other security issues.This means, if there is not|safewith explicit instructions,urlizeGenerated<a href="...目标的URL...">链接文本</a>will be rendered as<a href="...">链接文本</a>The user sees a string of source code instead of a clickable link.|safeThe role of the filter is to inform the template engine: "This content has been confirmed as safe HTML, please output it directly without escaping."

But if for certain development specifications or special scenarios, we want to use without directly|safeleturlizeCorrectly output HTML links, has AnQiCMS provided the corresponding solution? The answer is yes, we can achieve this by using the template engine'sautoescapetag to achieve this goal.

AnQiCMS template engine provides a namedautoescapepowerful tag that allows us to precisely control the HTML escaping behavior of specific areas in the template.autoescapetag to receiveonoroffAs a parameter, it indicates whether the code block it wraps enables automatic escaping.

When using{% autoescape on %}When, it will force the automatic HTML escaping of all its internal content, even if some content may be marked as safe.
While we use{% autoescape off %}When, it will temporarily disable the automatic HTML escaping of its internal content. This means that any variable output or filter processing result within the scope of the tag pair will be treated as safe HTML output directly, without the need to use an extra `

How to make `urlize` output HTML links correctly without using the `safe` filter?

What error message will the `archive/list` interface return when the `moduleId` parameter is invalid?

How to use the results of `archive/list` to implement click to view article details in conjunction with `archiveDetail.md`?

Does the AnQiCMS document list interface support complex queries on the returned data's `extra` field?

How to use the `archive/list` interface to dynamically load more documents on the front end (infinite scrolling)?

What is the help of `archive/list` interface returned `canonical_url` and `fixed_link` fields to SEO optimization?

What will `data` and `total` return if no documents meeting the criteria are found in the AnQiCMS document list?

Does the `urlize` filter-generated link include the `title` or `alt` attributes of the original URL?

Is there a global option in the AnQiCMS background settings that affects the behavior of `urlize` and `urlizetrunc`?

Does the `urlize` filter support recognizing and converting IP address formatted URLs (e.g., `http://192.168.1.1`)?

The `urlize` filter does it attempt to verify the validity or accessibility of the URL?

How to flexibly adjust the truncation length when using `urlizetrunc`, for example, based on the device type?

Does the `urlize` filter support custom attributes of the generated `<a>` tag, such as `data-*`?