AnQiCMS is an efficient and secure content management system. Its template engine provides great flexibility in content display while also incorporating comprehensive security mechanisms. Regarding the question you raised, whether the prevArchive tag automatically HTML-escapes the document title and other text content it retrieves: this touches the core security strategy of template rendering, which is also a key point to understand clearly in website operations.
From a professional website operation perspective: the AnQiCMS template engine performs automatic HTML escaping by default. This means that when you use tags such as prevArchive, nextArchive or archiveDetail to retrieve a document's text fields such as the title (Title), description (Description) or keywords (Keywords), and those fields contain HTML special characters (such as <, >, &, " or '), the template engine automatically converts them to the corresponding HTML entities (&lt;, &gt;, &amp;, &quot; and &#39;).
Why does AnQiCMS default to HTML encoding?
This default behavior is not set arbitrarily; it is based on an important security consideration, namely preventing cross-site scripting (XSS). Suppose your document title or description inadvertently (or maliciously) contains executable JavaScript code, such as:
<script>alert('您被攻击了!');</script>
If the template engine did not escape it, this code would execute directly in the visitor's browser, causing serious security problems such as leakage of user information and page tampering. With automatic escaping, the code is rendered as &lt;script&gt;alert(&#39;您被攻击了!&#39;);&lt;/script&gt;, so the browser displays it only as plain text rather than running it as a script, greatly improving the site's security.
Therefore, whether the prevArchive tag retrieves the previous document's Title or Description, or the archiveDetail tag retrieves the current document's Keywords, these plain-text attributes are all filtered safely by the AnQiCMS template engine, and HTML escaping is the default.
The content field (Content) and special considerations for the |safe filter
However, in website content management we often need to display article body text produced by a rich-text editor, which naturally contains many HTML tags, such as paragraphs (<p>), images (<img>) and links (<a>). If this content were escaped indiscriminately as well, the article body would become a pile of unreadable HTML entity codes rather than the well-formatted layout we expect.
For this reason AnQiCMS provides the |safe filter (applied with the pipe operator). It is an explicit instruction telling the template engine that the variable's content is "safe" and does not require HTML escaping, so it can be output directly as HTML code. For example, the usage examples for the Content field in the archiveDetail documentation demonstrate this clearly:
{# Default usage: automatically fetch the current page's document #}
<div>文档内容:{% archiveDetail with name="Content" %}</div>
{# Custom field name #}
<div>文档内容:{% archiveDetail archiveContent with name="Content" %}{{archiveContent|safe}}</div>
As can be seen, when displaying the document's Content, {{archiveContent|safe}} is normally used so that the HTML structure inside it is parsed and rendered correctly by the browser. This means that when a tag such as prevArchive retrieves the document's content field, its default behavior when called directly in the template is still HTML escaping; if you want the HTML code in the content to take effect, you must add the |safe filter explicitly.
Moreover, AnQiCMS also supports a Markdown editor. When content is written in Markdown and the Markdown-to-HTML conversion is enabled, the Markdown text is converted to HTML code. The generated HTML must still be output in the template with the |safe filter to avoid double escaping and ensure the page displays normally. The render=true parameter of the archiveDetail tag's Content field controls the Markdown-to-HTML conversion, but the final HTML output still needs |safe.
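To make the two behaviors concrete, here is an added example (not AnQiCMS's own code) that uses Go's standard html/template as a stand-in for the AnQiCMS template engine: a plain string field is escaped exactly as the Title is above, while a value of type template.HTML plays the role of |safe and is emitted verbatim. The Document type, the render helper and the sample strings are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Document is a constructed stand-in for an AnQiCMS archive record, not the real model.
type Document struct {
	Title   string        // plain-text field: escaped on output, like prevArchive's Title
	Content template.HTML // rich-text field: marked trusted, the equivalent of {{ content|safe }}
}

// renderDoc renders a document into a small page. html/template escapes every
// plain string it interpolates (the same default as AnQiCMS), while a
// template.HTML value is emitted unchanged because it has been declared safe.
func renderDoc(doc Document) (string, error) {
	const page = `<h1>{{ .Title }}</h1><div>{{ .Content }}</div>`
	tmpl, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, doc); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// render takes raw strings: the title stays escaped, the content is treated as
// already-sanitized editor HTML. Only pass content here that went through the
// whitelist sanitizer at entry time; otherwise the "safe" marking reintroduces XSS.
func render(title, sanitizedHTML string) (string, error) {
	return renderDoc(Document{Title: title, Content: template.HTML(sanitizedHTML)})
}

func main() {
	// Constructed samples: the bold title from the FAQ and a rich-text body.
	out, err := render("<b>加粗标题</b>", `<p>Hello <a href="/about">link</a></p>`)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	// Prints: <h1>&lt;b&gt;加粗标题&lt;/b&gt;</h1><div><p>Hello <a href="/about">link</a></p></div>
}
```

The same title that renders as inert text here would execute if it were wrapped in template.HTML, which is exactly why |safe belongs only on content sanitized at entry.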
Practical Operation Suggestions and Best Practices
As a website operations expert, our suggestion is:
- Make full use of the default security mechanism: for fields such as titles, descriptions and keywords, which normally should not contain complex HTML, relying on AnQiCMS's default automatic escaping is the best choice. This ensures website security and saves the trouble of manual processing.
- Use the |safe filter with caution: apply |safe only when you are sure the content source is trustworthy and you genuinely need to render HTML code. This usually applies to article bodies, custom HTML modules and similar situations. Any content that comes from user input and has not been strictly filtered and sanitized should not be output with |safe directly, to prevent the injection of malicious code.
- Sanitizing at the source is fundamental: strictly validating and sanitizing all user-submitted content at the point of entry or import is the most effective way to prevent XSS attacks, for example using an HTML whitelist that allows only specific safe tags and attributes through. The emphasis on content management and security mechanisms in the AnQiCMS backend design is also meant to help operators achieve this.
By understanding the mechanism of AnQiCMS, we can flexibly display various types of text content under the premise of ensuring website security, thereby providing users with a better browsing experience.
Frequently Asked Questions (FAQ)
Q: Why doesn't AnQiCMS apply |safe to all content directly, instead requiring it to be added manually?
A: AnQiCMS does not apply |safe by default in order to maximize website security and prevent potential cross-site scripting (XSS) attacks. If all content were automatically |safe, any user input containing malicious code could execute directly on the page. Adding |safe manually explicitly declares that this part of the content has been reviewed and is safe, striking a balance between functional flexibility and website security.
Q: The title I entered for prevArchive contains <b>加粗标题</b>; why is it displayed on the page as the literal text <b>加粗标题</b> instead of in bold?
A: This is because the AnQiCMS template engine's default automatic HTML escaping is in effect. The Title field obtained by prevArchive is treated as plain text, so the <b> tags it contains are escaped to &lt;b&gt; and &lt;/b&gt;, and the page shows them as literal HTML code. If you want the HTML tags in the title to take effect, you need to explicitly apply the |safe filter to the title field (though using HTML in titles is generally not recommended for security and SEO reasons).
Q: If my article content is in Markdown and I have enabled Markdown-to-HTML conversion in the backend, do I still need to use |safe?
A: Yes, you still need to explicitly add the |safe filter to the output of the article content field. Enabling Markdown-to-HTML conversion in the backend simply converts the Markdown text to standard HTML code. However, the default behavior of the AnQiCMS template engine is to HTML-escape all output. Therefore, for the converted HTML to be rendered correctly by the browser rather than displayed as escaped plain text, you must explicitly add the |safe filter to the Content field in the template.