AnQiCMS is an efficient and secure content management system whose template engine offers great flexibility in how content is displayed while building in comprehensive security mechanisms. A common question is whether the text of a document title fetched by the prevArchive tag is automatically HTML-escaped. This touches the core security strategy of template rendering, and it is a point that anyone operating a site on AnQiCMS needs to understand clearly.
From a website operations perspective, the AnQiCMS template engine performs HTML auto-escaping by default whenever it takes text content from the database and outputs it to a web page. This means that when you use the prevArchive, nextArchive or archiveDetail tags to fetch a document's title (Title), description (Description), keywords (Keywords) or other text fields, any HTML special characters they contain (such as <, >, &, " and ') are automatically converted by the template engine into the corresponding HTML entities (&lt;, &gt;, &amp;, &quot; and &#39;).
Why does AnQiCMS default to HTML escaping?
This default behaviour is not arbitrary; it rests on important security considerations, chiefly the prevention of cross-site scripting (XSS) attacks. Suppose a document title or description accidentally (or maliciously) contains executable JavaScript code, such as:
<script>alert('您被攻击了!');</script>
If the template engine did not escape it, this code would run directly in the visitor's browser, leading to serious consequences such as leakage of user information or tampering with the page. With automatic escaping, the code is rendered as &lt;script&gt;alert('您被攻击了!');&lt;/script&gt;, so the browser displays it as plain text and never treats it as an executable script, which greatly improves the security of the website.
Therefore, whether you fetch the previous document's Title or Description through the prevArchive tag, or the current document's Keywords through the archiveDetail tag, these plain-text attributes all pass through the AnQiCMS template engine's security filtering and are HTML-escaped by default.
Special considerations for the content field (Content) and the |safe filter
However, in content management we often need to display article bodies produced by a rich-text editor, which naturally contain many HTML tags, such as paragraphs (<p>), images (<img>) and links (<a>). If this content were escaped indiscriminately, the article body would turn into a jumble of unreadable HTML entities instead of the formatted layout we expect.
For this reason AnQiCMS provides the |safe filter (pipe operator). It is an explicit instruction telling the template engine that the variable's content is "safe", needs no HTML escaping and may be output directly as HTML code. The archiveDetail tag's documentation demonstrates this clearly in its usage examples for the Content field:
{# Default usage: automatically fetches the document of the current page #}
<div>文档内容:{% archiveDetail with name="Content" %}</div>
{# Custom variable name #}
<div>文档内容:{% archiveDetail archiveContent with name="Content" %}{{archiveContent|safe}}</div>
As the example shows, when displaying the document's Content, {{archiveContent|safe}} is normally used so that the HTML structure inside it can be parsed and rendered correctly by the browser. The same applies when a tag such as prevArchive fetches the content field: if you output it directly in the template, the default behaviour is to escape the HTML; if you want the HTML code in the content to take effect, you must add the |safe filter explicitly.
In addition, AnQiCMS supports a Markdown editor. When content is written in Markdown and Markdown-to-HTML conversion is enabled, the Markdown text is converted into HTML code. Even then, the generated HTML still needs the |safe filter to avoid double escaping and ensure the page displays normally. The render=true parameter on archiveDetail's Content field controls the Markdown-to-HTML conversion, but the final HTML output still requires |safe.
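As an added illustration (not AnQiCMS's own code), the following Go program reproduces the two behaviours described above using the standard html/template package, which follows the same escape-by-default rule; the "safe" function it registers plays the role of the |safe filter, and the sample document is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Page mirrors the fields the prevArchive/archiveDetail tags expose.
type Page struct {
	Title   string // plain text: always auto-escaped
	Content string // editor HTML: escaped too unless the template applies |safe
}

// "safe" lets a template write {{.Content | safe}}, the counterpart of the
// |safe filter: returning template.HTML makes the engine emit it verbatim.
var funcs = template.FuncMap{
	"safe": func(s string) template.HTML { return template.HTML(s) },
}

// render executes src against p with escape-by-default semantics.
func render(src string, p Page) (string, error) {
	t, err := template.New("page").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Constructed sample: a title carrying an injected script and a body with
// legitimate editor markup.
var sample = Page{
	Title:   "<script>alert('xss')</script> Hello",
	Content: "<p>Paragraph with <b>bold</b> text</p>",
}
// escapedTpl outputs both fields directly, so the body shows as entities;
// safeTpl opts the body out with |safe while the title stays escaped.
const escapedTpl = `<h1>{{.Title}}</h1><div>{{.Content}}</div>`
const safeTpl = `<h1>{{.Title}}</h1><div>{{.Content | safe}}</div>`

func main() {
	for _, src := range []string{escapedTpl, safeTpl} {
		out, _ := render(src, sample) // constant templates, so no error
		fmt.Println(out)
	}
}
```

In both outputs the script in the title is neutralised as entities; only the body marked safe reaches the browser as real markup.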
Recommended actions and best practices
As website operations experts, our recommendations are:
- Make full use of the default security mechanism. For fields such as title, description and keywords, which generally should not contain complex HTML, relying on AnQiCMS's default auto-escaping is the best choice. It keeps the site secure and saves the trouble of manual handling.
- Use the |safe filter with caution. Apply |safe only when you are sure the content source is trustworthy and you genuinely need to render HTML code, which usually means article bodies, custom HTML modules and similar cases. Avoid applying |safe directly to content that comes from user input unless it has been strictly filtered and sanitised, so that malicious code cannot be injected.
- Purify the source; that is fundamental. Strictly validating and sanitising all user-submitted content at the entry or import stage is the most effective way to prevent XSS attacks, for example with an HTML whitelist that lets only specific safe tags and attributes through. The AnQiCMS backend's emphasis on content management and security mechanisms exists precisely to help operators achieve this.
By understanding this mechanism of AnQiCMS, we can display all kinds of text content flexibly while keeping the website secure, giving users a better browsing experience.
Common Questions (FAQ)
Q: Why doesn't AnQiCMS apply |safe to all content directly, instead requiring it to be added manually?
A: AnQiCMS does not apply |safe by default in order to maximise website security and prevent potential cross-site scripting (XSS) attacks. If all content were automatically treated as safe, any user input containing malicious code could execute directly on the page. Adding the |safe filter manually lets developers or operators declare explicitly that the content has been reviewed and is safe, striking a balance between functional flexibility and website security.
Q: The title I entered for prevArchive contains <b>加粗标题</b>. Why is it displayed on the page literally as <b>加粗标题</b>?
A: Because the AnQiCMS template engine's default HTML auto-escaping is in effect. The Title field fetched by prevArchive is treated as plain text, so the <b> tag in it is escaped into &lt;b&gt; (and the closing tag likewise), and the HTML therefore appears on the page as plain text. If you want HTML tags in the title to take effect, you must explicitly use the |safe filter (though using HTML in titles is generally not recommended, for both security and SEO reasons).
Q: My article content is in Markdown and I have enabled the Markdown-to-HTML conversion feature in the backend. Do I still need |safe?
A: Yes, you still need to add the |safe filter explicitly when outputting the article content. Enabling Markdown-to-HTML conversion in the backend simply turns the Markdown text into standard HTML code. The template engine's default behaviour is still to escape all output, so the Content field still needs the |safe filter.