As an experienced website operations expert, I fully understand the specific issues you may run into in AnQiCMS template development and content operations. Flexible content display is the core advantage of a CMS, but the content safety and correct rendering that come with it also need careful consideration. Does the model introduction (`Description`) obtained through the `moduleDetail` tag support HTML content, and how can it be rendered safely in the template?
# The model introduction from AnQiCMS's `moduleDetail` tag: HTML content and safe rendering practices
When using AnQiCMS's flexible content model feature, the `moduleDetail` tag is the main tool for obtaining model metadata, and its `Description` field is usually used to display a brief introduction of the model. Does this "model introduction" field support HTML content? How can you make sure it is rendered safely in the template? Let us look at both questions.
## The model's `Description` field: design intent and default behaviour
First, in terms of design intent, an "introduction" in AnQiCMS (whether it is the model introduction, i.e. the `Description` of `moduleDetail`, or the introduction field of a document, category or single page) is usually treated as a concise text overview. It is mainly used on list pages, in search engine results (for example the `meta description` output through the `tdk` tag) or as a quick preview of the content at the top of a page. In these scenarios we normally expect plain text without any HTML tags, to keep the information consistent and simple.
AnQiCMS uses Django-style template syntax by default, and one of its core ideas is "security first". This means that when you output any variable's content with double curly braces, `{{ variable }}`, the template engine applies HTML auto-escaping by default. That is, if the `Description` field contains HTML tags such as `<p>`, `<a>` or `<strong>`, they are not parsed and rendered by the browser; they are converted to the entity forms `&lt;p&gt;`, `&lt;a&gt;`, `&lt;strong&gt;` and shown on the page as literal text. This effectively prevents potential cross-site scripting (XSS) attacks and ensures that the content the site outputs is always safe.
## When HTML shows up unexpectedly: the double-edged `|safe` filter
Although the "introduction" field is intended to be plain text, in practice there is occasionally a need for it to carry simple HTML formatting. For example, to highlight a key phrase, you might edit the introduction in the admin backend to read `We provide <strong>efficient</strong>, <strong>customizable</strong> content solutions.` If you output it directly in the template with `{% moduleDetail with name="Description" %}`, what you see on the page is the literal text `We provide <strong>efficient</strong>, <strong>customizable</strong> content solutions.`, and no bold effect appears.
Here the AnQiCMS template engine provides a filter named `|safe`. It is a double-edged sword: it explicitly tells the template engine "I know this content contains HTML and I have confirmed it is safe; please render it directly without escaping."
Using the `|safe` filter is very simple:
```django
{# Suppose this is where the template obtains the model introduction #}
<div>
  <h3>模型简介:</h3>
  {% moduleDetail modelDescription with name="Description" %}
  {{ modelDescription|safe }}
</div>
```
After the `|safe` filter is applied, if the `modelDescription` variable contains `<strong>` tags, the browser parses them correctly and shows the text in bold.
## Recommended practice for rendering the model `Description` safely
Although the `|safe` filter allows HTML content to be rendered, as senior operators we must be aware of the security risk it brings. Once `|safe` is used to render content that has not been strictly reviewed or that comes from an untrusted source, the door to XSS attacks may be open: an attacker can inject malicious scripts, steal user cookies, modify page content or even redirect users, with serious consequences.
Therefore, for the `Description` field of `moduleDetail`, my suggestions are:
- **Keep the content positioning clear:** the model's `Description` field should be plain text as far as possible; it is more suitable as a brief textual description than as a rich text area. Where rich text is genuinely needed, use the fields designed for it (such as the `Content` field of `archiveDetail`): these fields come with a rich text editor in the backend and support a safer Markdown-to-HTML rendering mechanism (for example the `render=true` parameter).
- **Use `|safe` with caution:** only when you are one hundred percent sure that the HTML in the `Description` field has been strictly reviewed and its source is absolutely trustworthy should you apply the `|safe` filter. For example, if the HTML was entered manually by the site administrator, who understands its meaning and risks, it can be used under controlled conditions.
- **Do not use `|safe` for `<meta>` tags:** in the `<head>` section, do not apply the `|safe` filter to the `Description` field when writing the `<meta name="description">` tag. Search engines read only plain text as the description; injecting HTML is not only useless, it may break the page structure or be treated as malicious behaviour.
- **Filter and clean the content:** if the `Description` field really needs to hold a small amount of HTML and may come from user input, strict HTML filtering and cleaning must be performed in the backend or frontend before the content is stored, allowing only whitelisted tags and attributes through. This reduces XSS risk at the source, so that even an accidental use of `|safe` still remains protected.
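To make the default-escaping behaviour, the meta-description rule and the whitelist recommendation above concrete, here is an added example in Python. It is not AnQiCMS's own code: it is a small whitelist HTML sanitizer of the kind that should run before a `Description` value is stored, together with a helper that mirrors what `{{ variable }}` does by default and one that produces the plain-text form suitable for `<meta name="description">`. The allowed-tag policy and both sample introductions are constructed for this example; in AnQiCMS the sanitized result is what you would later output with `|safe`, while the escaped and plain-text forms need no filter at all.

```python
import html
from html.parser import HTMLParser

# Constructed whitelist policy for this example: tag -> attributes allowed on it.
ALLOWED_TAGS = {
    "strong": set(), "em": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href", "title"},
}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # elements whose inner text is discarded too


def escape_like_template(value: str) -> str:
    """What {{ variable }} does by default: every HTML special character becomes an entity."""
    return html.escape(value, quote=True)


class _WhitelistSanitizer(HTMLParser):
    """Rebuilds the input keeping only whitelisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # an unknown tag is dropped; its inner text is kept
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(ALLOWED_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a":
            rendered.append(' rel="nofollow noopener"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray close tag: ignore
        while self.open_tags:  # close anything opened after it so output stays well-formed
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close tags the author forgot
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw_html: str) -> str:
    """Whitelist-clean a Description before storing it (safe to output later with |safe)."""
    parser = _WhitelistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


class _TextExtractor(HTMLParser):
    """Collects text only, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)


def description_for_meta(raw_html: str) -> str:
    """Plain text for <meta name="description">: tags removed, whitespace collapsed, escaped."""
    parser = _TextExtractor()
    parser.feed(raw_html)
    parser.close()
    text = " ".join("".join(parser.parts).split())
    return html.escape(text, quote=True)


# Constructed sample inputs, not real site content.
TRUSTED_INTRO = "We provide <strong>efficient</strong>, <strong>customizable</strong> content solutions."
HOSTILE_INTRO = ('<a href="javascript:alert(1)" onclick="x()">click</a>'
                 '<script>steal()</script><img src="x" onerror="y()">Bold <b>text</b> & more')

if __name__ == "__main__":
    print(escape_like_template(TRUSTED_INTRO))   # default {{ variable }}: tags shown as text
    print(sanitize_description(TRUSTED_INTRO))   # unchanged: only whitelisted tags were used
    print(sanitize_description(HOSTILE_INTRO))   # script, img, event handlers, javascript: gone
    print(description_for_meta(TRUSTED_INTRO))   # plain text for the meta tag
```

The sanitizer rebuilds its output rather than deleting patterns from the input, so anything not explicitly allowed (unknown tags, event-handler attributes, non-http links, comments) simply never reaches the result, and unbalanced tags are closed so the stored fragment cannot break the surrounding page layout.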
In summary, the `Description` field obtained through AnQiCMS's `moduleDetail` tag *can* technically render HTML content through the `|safe` filter. However, given its original design intent and the security risk involved, I strongly recommend using it mainly for plain text and, when HTML must be rendered, evaluating the source and safety of the content with the utmost care; applying the `|safe` filter should be treated as an advanced and risky operation.
## Code example: rendering `Description` in the template
```django
{# Fetch the introduction of the model with ID 1 and assign it to the modelDescription variable #}
{% moduleDetail modelDescription with name="Description" id="1" %}
<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
  <title>{% tdk with name="Title" siteName=true %}</title>
  {# Note: even when Description contains HTML tags, never apply |safe in the meta description; the escaped form below is the correct one #}
  <meta name="description" content="{{ modelDescription }}">
</head>
<body>
  <h1>我的模型页面</h1>
  <div class="model-info">
    <h3>模型简介 (默认转义,显示纯文本或转义后的HTML):</h3>
    {# Default behaviour: HTML content is escaped and shown as plain text #}
    <p>{{ modelDescription }}</p>
    <h3>模型简介 (使用 |safe 渲染 HTML):</h3>
    {# With the |safe filter, any HTML in modelDescription is rendered by the browser #}
    {# Warning: make sure the content here is absolutely safe, otherwise there is an XSS risk! #}
    <div class="model-description-html">{{ modelDescription|safe }}</div>
  </div>
</body>
</html>
```
## Frequently asked questions (FAQ)
**Q: What exactly does HTML auto-escaping do, and why does AnQiCMS enable it by default?**

A: HTML auto-escaping converts HTML tags (such as `<script>` or `<img>`) into their corresponding entity forms (such as `&lt;script&gt;` or `&lt;img&gt;`), so that the browser treats them as plain text rather than as executable code or page structure. AnQiCMS enables this by default to effectively prevent cross-site scripting (XSS), a common web security vulnerability in which an attacker injects malicious scripts to steal user data or disrupt site functionality. Auto-escaping is the first and most basic line of defence against that threat.

**Q: If I enter content in Markdown format in the `Description` field, `|safe