During the development and content operation of AnQiCMS templates, we often encounter situations where we need to display dynamic content on the web page.This content may come from a database, be input by a user, or be generated by the system.<Converted to&lt;,"Converted to&quot;This effectively prevents common cross-site scripting (XSS) attacks.

However, in certain specific scenarios, simple HTML escaping may not be sufficient to handle all cases, and may even lead to new problems. At this time,addslashesThe filter comes into play. So, thisaddslashesWhat is the filter used for? What role does it play in the AnQiCMS template?

addslashesFilter: The guardian of predefined characters

As the name suggests,addslashesThe core function of the filter is to add a backslash before some "predefined characters" in a string.\)。These predefined characters include single quotes'), double quote ()") and the backslash (\)\)。Imagine that you are building a dynamic web page and you need to embed a string containing these special characters into JavaScript code as a variable, or as an HTML attribute value.If these special characters are not handled properly, they may 'escape' from their expected context, leading to grammatical errors, and even introducing security vulnerabilities.

For example, a user's nickname isO'ReillyIf you embed it directly into a JavaScript string, it might become something like this: 

let userName = 'O'Reilly'; // 这会导致语法错误,因为 'Reilly' 会被解析为额外的代码

This is,addslashesThe filter acts like a conscientious 'guardian', adding a backslash before these characters that might cause ambiguity, 'harmlessifying' them, ensuring they are correctly treated as part of the string.addslashesAfter processing,O'Reillywill becomeO\'ReillyEnglish translation: ,such that it can be correctly parsed in JavaScript:

let userName = 'O\'Reilly'; // 正确,单引号被转义

Why is it needed?addslashesEnglish translation: What problems does it solve?

In content management systems like AnQiCMS, rendering dynamic content is a common occurrence.addslashesFilters mainly solve the following key issues:

  1. Prevent JavaScript syntax errors:This isaddslashesThe most common application scenarios.When you need to pass backend data as a JavaScript string variable to the front end, if the data itself contains single quotes or double quotes, and these quotes conflict with the delimiters of JavaScript string literals, it will cause a syntax error, resulting in the page script not running properly.addslashesEnsure these internal quotes are correctly escaped to maintain the integrity of the JavaScript code.
  2. Enhance the stability of content output:In addition to JavaScript, dynamic content may be used in some cases where strict string literal parsing is required.By pre-escaping special characters, it can avoid parsing issues caused by the content itself containing special characters, making the output more stable and reliable.
  3. Supplement security protection:Although AnQiCMS template engine usually has a default HTML escaping mechanism to prevent XSS,addslashesProvided an additional escaping layer for specific characters (especially the quotes and backslashes in string literals).This allows for more fine-grained control over escaping when embedding dynamic data into JavaScript scripts or certain data attributes, further reducing injection risks.

How to use in AnQiCMS templateaddslashes

Used in AnQiCMS templateaddslashesThe filter is very simple, you just need to apply it to the variables that need to be processed.

The basic syntax is as follows:

{{ 变量名|addslashes }}

For example, there is a document titlearchive.TitleContains special characters, do you want to safely embed it into a JavaScript string?

<script>
    // 假设 archive.Title 是 "安企 CMS's 最新功能"
    // 如果不使用 addslashes,JavaScript 会报错:
    // let title = '安企 CMS's 最新功能';

    // 使用 addslashes 处理后:
    let title = "{{ archive.Title|addslashes }}";
    // 此时 title 变量将变为:'安企 CMS\'s 最新功能',在 JavaScript 中被正确解析
    alert(title);
</script>

An important detail:addslashesWithsafeCombining the use of filters

AnQiCMS template engine defaults to escaping all output variables to HTML. This meansaddslashesthe backslashes added may also be escaped.&amp;#92;The HTML entities, which would makeaddslashesthe effect fail.

In order toaddslashesThe backslash added is preserved in the final HTML output, ensuring that the browser (especially the JavaScript parser) recognizes it as a true escape character. We usually also need toaddslashesAfter combining use|safeFilter.|safeTell the template engine that this content is 'safe' and does not need to be HTML escaped by default.

The correct usage is usually like this:

<script>
    let dynamicValue = "{{ 后端变量|addslashes|safe }}";
    console.log(dynamicValue);
</script>

Example demonstration:

Assume后端变量has a value ofThis is "AnQiCMS"\'s feature!

{{ 后端变量|addslashes|safe }}

The displayed result will be:

This is \"AnQiCMS\"\\\'s feature!

This ensures that when this content**is entered into<script>the JavaScript string literal inside a tag,"and\it is properly escaped to avoid syntax errors.

Summary

addslashesThe filter is a small but powerful tool in AnQiCMS templates, which effectively resolves syntax errors and potential security issues that may arise when embedding dynamic content in JavaScript string contexts by escaping specific predefined characters (single quotes, double quotes, backslashes). Correctly combining|safeFilter usage, ensuring that the escaping effect is fully preserved, thereby enhancing the robustness and security of your website content output.

Common Questions (FAQ)

1.addslashesWhat is the difference between the default escape of filters and AnQiCMS templates?

The default escape of AnQiCMS templates is mainly HTML escape, which is</>/&/"Convert characters like this to their corresponding HTML entities (such as&lt;/&gt;/&amp;/&quot;), to prevent malicious HTML or JavaScript code from being injected into the webpage structure.addslashesThe filter focuses on adding backslashes before single quotes, double quotes, and backslashes, which is an escaping for string literals (especially in JavaScript or other code) to ensure that these characters are not mistakenly parsed as part of the structural elements of the code.Both are for safety, but the context and method of operation are different.

2. I should use English when outputting all variablesaddslashesFilter?

Generally, it is not necessary. In most cases, when you output text content directly to the internal HTML elements (such as<div>{{ content }}</div>)or the standard HTML attributes (such as<p title="{{ title }}">)when, the default HTML escaping of AnQiCMS templates is sufficient. Only when you explicitly need to use the variable content asJavaScript String LiteralsWhen embedded into other code fragments that require special escaping rules,addslashes. Overuse may cause unnecessary backslashes to appear on the page, affecting the display.

3. UseaddslashesWhat security issues should be noted after filtering?

addslashesFilter primarily handles the escaping of quotes and backslashes to prevent the "escaping" problem within string literals.It is not a universal security solution.addslashesto handle, if used directly|safeOutput to HTML structure may still contain XSS risks. It is always recommended to perform strict backend validation and filtering on all user input and based on the output,