As an experienced website operations expert, I am familiar with the specific problems you may run into in AnQiCMS template development and content operations. Flexible content display is the core advantage of a CMS, but the content security and correct rendering that come with it also deserve careful consideration. Today, let's look closely at one question: does the model introduction (Description) obtained through the moduleDetail tag support HTML content, and how can it be rendered safely in a template?
Unveiling the model introduction under the AnQiCMS moduleDetail tag: HTML content and safe rendering practice
When using the flexible content model feature of AnQiCMS, the moduleDetail tag is an important tool for obtaining model metadata, and its Description field is usually used to display a brief introduction of the model. So, does this "model introduction" field support HTML content? And how can we ensure it is rendered safely in the template? Let's uncover the mystery together.
The "Description" field of the model: its original intention and default behavior
First, consider the design intent. In AnQiCMS, an "introduction" field (whether the model introduction, i.e. the Description of moduleDetail, or the brief-introduction field of a document, category or single page) is usually treated as a concise text overview. It is mainly used on list pages, in search engine results (for example as the meta description output through the tdk tag), or as a quick preview at the top of a page. In these cases we usually expect plain text without any HTML tags, to keep the output consistent and concise.
AnQiCMS uses Django-style template engine syntax by default, and one of its core principles is "security first". This means that when you output any variable with double braces such as {{ variable }}, the template engine enables HTML auto-escaping by default. In other words, if the Description field contains HTML tags such as <p>, <a> or <strong>, they are not parsed and rendered by the browser; they are converted into the entity forms &lt;p&gt;, &lt;a&gt; and &lt;strong&gt; and displayed on the page as literal text. This effectively prevents potential cross-site scripting (XSS) attacks and ensures that the content output by the website is always safe.
When HTML shows up unexpectedly: the double-edged sword of the |safe filter
Although the "introduction" field was meant to hold plain text, in practice there is occasionally a need for simple HTML formatting. For example, to highlight a keyword you might edit the introduction in the admin backend to "我们提供<strong>高效</strong>、<strong>可定制</strong>的内容解决方案。" ("We provide <strong>efficient</strong>, <strong>customizable</strong> content solutions."). If you output it directly in the template with {% moduleDetail with name="Description" %}, what you see on the page is the literal text 我们提供<strong>高效</strong>、<strong>可定制</strong>的内容解决方案。 with the tags shown as text, and no bold effect appears.
For this situation the AnQiCMS template engine provides a filter named |safe. It is a double-edged sword: it explicitly tells the template engine, "I know this content contains HTML, I have confirmed that it is safe, please render it directly without escaping."
Using the |safe filter is very simple:
{# Assume this is where your template fetches the model introduction #}
<div>
<h3>Model introduction:</h3>
{% moduleDetail modelDescription with name="Description" %}
{{ modelDescription|safe }}
</div>
Once the |safe filter is applied, if the modelDescription variable contains <strong> tags, they are parsed by the browser and displayed in bold.
Practical suggestions for safely rendering the model introduction (Description)
Although the |safe filter allows HTML content to be rendered, as senior operators we must be fully aware of the security risk it carries. Once content that has not been strictly reviewed, or that comes from an untrusted source, is rendered with |safe, the door to XSS attacks is open: an attacker can inject malicious scripts, steal user cookies, modify page content or even redirect users, with serious consequences.
Therefore, for the Description field of moduleDetail, my suggestions are:
- Keep the content plain text: the model's Description field should stay plain text. It suits a brief description rather than a rich-text area. If you really need rich text, define a dedicated "details" or "content" field in the content model (for example the Content field of archiveDetail); such fields come with a rich-text editor and support a safer Markdown-to-HTML rendering mechanism (such as the render=true parameter).
- Use |safe with caution: apply the |safe filter to the Description field only when you are one hundred percent sure that its HTML has been strictly reviewed and that its source is absolutely trustworthy. For example, if the HTML is entered manually by the site administrator and the administrator understands its meaning and risks, it can be used under controlled conditions.
- Avoid |safe in <meta> tags: in the <head> section, never output the Description field through the |safe filter inside the meta name="description" tag. Search engines read only plain text as a description; injecting HTML there is useless at best and may break the page structure or be treated as malicious behaviour.
- Filter and clean the content: if the Description field really needs to contain some HTML and may come from user input, strictly filter and clean the HTML on the backend or frontend before storing it, allowing only tags and attributes on an allowlist to pass through. This reduces the XSS risk at the source, so that even an unexpected use of |safe still has a safeguard behind it.
In summary, the Description field obtained through the AnQiCMS moduleDetail tag can technically render HTML content by way of the |safe filter. However, given its original design and the security risk involved, I strongly recommend using it mainly for plain text, and when HTML must be rendered, always assessing the source and safety of the content with the utmost seriousness, treating the |safe filter as an advanced and risky operation.
Code example: rendering Description in the template
{# Fetch the introduction of the model with ID 1 and assign it to the modelDescription variable #}
{% moduleDetail modelDescription with name="Description" id="1" %}
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<title>{% tdk with name="Title" siteName=true %}</title>
{# Note: when Description contains HTML tags, do not apply |safe in the meta description; the default escaped output is the correct form #}
<meta name="description" content="{{ modelDescription }}">
</head>
<body>
<h1>My model page</h1>
<div class="model-info">
<h3>Model introduction (default escaping: plain text or escaped HTML is shown):</h3>
{# Default behaviour: HTML content is escaped and displayed as plain text #}
<p>{{ modelDescription }}</p>
<h3>Model introduction (HTML rendered with |safe):</h3>
{# With the |safe filter, any HTML in modelDescription is rendered by the browser #}
{# Warning: make sure this content is absolutely safe, otherwise there is an XSS risk! #}
<div class="model-description-html">{{ modelDescription|safe }}</div>
</div>
</body>
</html>
Frequently Asked Questions (FAQ)
Q: What exactly does HTML auto-escaping do, and why does AnQiCMS enable it by default?
A: HTML auto-escaping converts HTML tags (such as <script> or <img>) into their corresponding entity characters (such as &lt;script&gt; or &lt;img&gt;), so that the browser no longer parses them as executable code or page structure but shows them as plain text. AnQiCMS enables this feature by default to effectively prevent cross-site scripting (XSS), a common web security vulnerability in which attackers inject malicious scripts to steal user data or disrupt website functionality; auto-escaping is the first and most basic line of defence.
Q: If my Description field contains Markdown-formatted content, `|safe