When managing website content in AnQi CMS, entering diverse information is the norm. Whether it is the body of an article, user comments, or form submissions, the user-generated content that brings a site to life also brings security risk, the most common and most harmful of which is XSS (cross-site scripting). This article explains how the add filter works together with the security filters to process user input and build a solid defense against XSS.
AnQi CMS has placed great weight on system security from its initial design: it is developed in Go and aims to prevent many classes of security issues at the architectural level, so that the software stays stable and reliable. Its built-in template engine automatically escapes content when it is output as HTML, which is an important mechanism against XSS. Even so, a content operator who understands and correctly applies the individual filters can make the site's content safer still.
The add filter's job in a template is to concatenate strings (or add numbers). For example, to join a fixed piece of text with a variable you can write {{ "欢迎您,"|add:userName }}. The problem arises when a variable such as userName comes from user input and has not been processed safely. If a malicious user enters something like <script>alert('您被攻击了!')</script> as userName, and the concatenated result reaches the page without escaping (for example inside a block where output escaping has been turned off, or in a value that is later marked as safe), the script is concatenated into the page and executed: an XSS attack.
To prevent this, after the add filter has concatenated the user's input with the existing content, the result must immediately be passed through a security filter that cleans it for the context in which it will be displayed.
First, the most central and commonly used security filter is escape (or its short alias e). Its job is to convert the characters that are special in HTML, namely <, >, ", ' and &, into their HTML entity encodings. For example, <script> becomes &lt;script&gt;. Once these characters are encoded, the browser no longer parses them as HTML tags or JavaScript code, so the XSS attack is neutralised.
When user input is concatenated onto existing content with the add filter, the escape filter should follow immediately. For example:
{# assume userInput comes from user input #}
<div>用户留言:{{ "来自访客: "|add:userInput|escape }}</div>
Even if userInput contains a malicious script, after escape it is shown on the page as plain text and is not executed by the browser. This is the most basic and most important practice when outputting user input in an HTML context.
Besides escape, AnQi CMS provides other filters for different scenarios, giving finer-grained protection:
When user input is embedded in a JavaScript code block, for example as the value of a JavaScript variable or inside a string literal, escape alone is not the right tool: HTML entities are not decoded inside a <script> block, so the value would be displayed wrongly, and characters that matter to JavaScript, such as backslashes and newlines, are left untouched. For that context use the escapejs filter. escapejs rewrites the characters that are special in JavaScript (quotes, backslashes, newlines, angle brackets and so on) as \uxxxx escape sequences, so the input stays a plain string value and cannot run as code in the JavaScript environment.
{# assume userInput is to be used in a JavaScript variable #}
<script>
var message = "{{ "新消息: "|add:userInput|escapejs }}";
alert(message);
</script>
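To make the two contexts concrete, here is an added Go example (written for this article, not code from AnQi CMS or its template engine) that models what escape and escapejs do to the concatenated value in the two templates above. It assumes the character sets the page lists for each filter; the payload strings are constructed for the demonstration, and the entity spellings produced by html.EscapeString may differ from the CMS filter's own. The example goes beyond the page's single payload by also covering a quote break-out and a </script> injection in the JavaScript context:

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed payloads standing in for userInput; not taken from the page.
const (
	scriptPayload   = "<script>alert('您被攻击了!')</script>"
	breakoutPayload = "\"; alert(1); //"
	closeTagPayload = "</script><script>alert(1)</script>"
)

// htmlEscape models the escape / e filter. It uses Go's standard
// html.EscapeString, which rewrites the same five characters the page
// lists (<, >, ", ', &). The entity spelling may differ from the CMS
// filter's, but the effect on the browser is the same: text, not markup.
func htmlEscape(s string) string { return html.EscapeString(s) }

// jsEscape models the escapejs filter: every character that could end a
// JavaScript string literal, close the surrounding <script> block, or be
// read as code is written as a \uXXXX escape. The JS engine decodes these
// inside a string literal, so the original value is preserved unchanged.
func jsEscape(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r < 0x20 || r == 0x2028 || r == 0x2029 || strings.ContainsRune("\\'\"<>&=-;`", r) {
			fmt.Fprintf(&b, "\\u%04X", r)
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// renderCommentRaw is the dangerous form: {{ "来自访客: "|add:userInput }}
// with no escaping at all (the page's "before" case).
func renderCommentRaw(userInput string) string {
	return "<div>用户留言:" + "来自访客: " + userInput + "</div>"
}

// renderComment mirrors {{ "来自访客: "|add:userInput|escape }}:
// concatenate first, then escape the whole result for an HTML element body.
func renderComment(userInput string) string {
	return "<div>用户留言:" + htmlEscape("来自访客: "+userInput) + "</div>"
}

// renderMessageScript mirrors var message = "{{ "新消息: "|add:userInput|escapejs }}";
// the concatenated value sits inside a JS string literal, so escapejs is the right filter.
func renderMessageScript(userInput string) string {
	return "<script>var message = \"" + jsEscape("新消息: "+userInput) + "\";</script>"
}

func main() {
	fmt.Println("raw HTML (executes):          ", renderCommentRaw(scriptPayload))
	fmt.Println("escape (shown as text):       ", renderComment(scriptPayload))
	fmt.Println("escapejs, quote breakout:     ", renderMessageScript(breakoutPayload))
	fmt.Println("escapejs, </script> injection:", renderMessageScript(closeTagPayload))
}
```

Run it with go run and compare the four lines: in the raw form the <script> tag survives; with escape it is entities; with escapejs the injected quote, semicolon and angle brackets become \u0022, \u003B, \u003C and \u003E, so the only </script> in the output is the one the template itself wrote.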
If certain input fields, such as usernames or profile descriptions, explicitly forbid any HTML tags and should only ever be displayed as plain text, the striptags and removetags filters come into play.
striptags removes all HTML tags from the content, leaving only the text. removetags lets you name specific tags to remove while keeping the rest. Note that neither filter is an escaping filter: what remains after tag removal can still contain characters such as quotes and ampersands, so the result should still pass through escape before it is placed in the page, and must never be marked safe on the strength of tag stripping alone.
For example, when concatenating a user's nickname, we can keep it to plain text like this:
<div>昵称:{{ "用户"|add:userName|striptags }}</div>
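Here is an added Go example, not code from AnQi CMS, that models striptags with a simple tag-matching pattern and shows why tag removal is not a substitute for escaping: a nickname that contains no tags at all passes striptags unchanged, and if that value lands in an attribute without escape it can still break out of the attribute. The inputs are constructed for the demonstration, and the tag pattern is an assumption about the filter's behaviour, not its source:

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Constructed inputs standing in for userName; not taken from the page.
const (
	taggedName = "<b>张三</b><script>alert(1)</script>"
	quoteName  = "\" onmouseover=\"alert(1)"
)

// tagPattern removes anything that looks like a tag: a '<' up to the next '>'.
// This is an illustrative model of striptags, not the CMS's implementation.
var tagPattern = regexp.MustCompile(`<[^>]*>`)

// stripTags models the striptags filter: tags go, text stays. It does not
// touch quotes or ampersands, so its output is not yet safe for markup.
func stripTags(s string) string { return tagPattern.ReplaceAllString(s, "") }

// renderNicknameUnescaped puts the stripped name straight into an attribute,
// which is what happens if striptags is treated as a substitute for escape.
func renderNicknameUnescaped(userName string) string {
	return "<span title=\"" + stripTags("用户"+userName) + "\">用户</span>"
}

// renderNickname applies escape after striptags (the {{ ...|striptags|escape }}
// order), so leftover quotes become entities and cannot close the attribute.
func renderNickname(userName string) string {
	return "<span title=\"" + html.EscapeString(stripTags("用户"+userName)) + "\">用户</span>"
}

func main() {
	fmt.Println("striptags removes markup:          ", stripTags(taggedName))
	fmt.Println("striptags alone, attribute context:", renderNicknameUnescaped(quoteName))
	fmt.Println("striptags then escape:             ", renderNickname(quoteName))
}
```

The second line of output contains a live onmouseover attribute even though striptags ran; the third shows the quote rewritten as an entity, which is the difference between a content-policy filter and an escaping filter.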
Finally, special care is needed with the safe filter. safe tells the template engine that the content is trusted, that no HTML escaping is required, and that it should be parsed and output as raw HTML. Abusing safe is one of the most common causes of XSS. Therefore never apply safe to user input unless you completely trust the source of the content and it has been strictly filtered on the server side (for example, the output of a rich text editor that has been passed through an allowlist HTML filter in the backend).
Summary
The core principle for handling user input concatenated with the add filter in AnQi CMS is to always assume that user input is unsafe. Before the concatenated content is output to the page, choose the security filter that matches its final presentation context (HTML content, JavaScript code, and so on): escape as the default for HTML output, escapejs, striptags and the others for their specific cases, and constant vigilance about where safe is used. That is what truly builds a secure and reliable website.
Frequently Asked Questions (FAQ)
Q: When should the safe filter be used?
A: The safe filter should be used in very few cases: only when you are certain that the string's content is completely safe and it needs to be rendered as HTML. The most common case is content from a rich text editor, but even then it is strongly recommended to run strict HTML filtering (such as allowlist filtering) on the backend before output, so that the content is known to be safe before safe is applied.
Q: What are the differences between escape and escapejs, and how do I choose?
A: escape is for the HTML context: it converts HTML special characters to entity encodings so the browser does not interpret malicious content as HTML tags. escapejs is for the JavaScript context: it converts JavaScript special characters into \uxxxx form so that malicious content cannot be treated as executable JS code. The choice depends on where the user input lands in the page: inside the content of an ordinary HTML element, use escape; inside a <script> block as a JavaScript variable, use escapejs.
Q: If my website uses a rich text editor, does the content still need to be filtered manually?
A: Yes. Even with a rich text editor, backend filtering is normally necessary. Rich text editors allow users to enter HTML, which may contain malicious scripts. Only the HTML that has passed the backend filter should be output with the safe filter, because at that point the content has been confirmed to be safe HTML.