In website operation, ensuring that content is presented to users safely and correctly is one of the core tasks. It is particularly important to prevent security risks such as cross-site scripting (XSS) when handling user input or content obtained from other sources. AnQiCMS, a content management system developed in Go, applies a strict security mechanism to data output and also provides flexible string-processing tools.

This article explores in depth the default HTML escaping mechanism of AnQiCMS templates and the different role played by the addslashes filter, helping you understand and apply these features correctly.

The default HTML escaping mechanism of AnQiCMS templates: safety first

The AnQiCMS template engine inherits the security philosophy of Django-like template engines when outputting data. This means that when you display content in a template with {{ 变量 }} (that is, {{ variable }}), the system HTML-escapes that content by default.

The core goal of this mechanism is to prevent cross-site scripting (XSS). XSS attacks are usually carried out by injecting malicious HTML or JavaScript into a page; the default HTML escaping mechanism recognizes and converts the special characters in the content so that the browser displays them as plain text instead of interpreting them as executable code or tags.

Specifically, AnQiCMS's default HTML escaping converts the following five key characters:

  • < (less-than sign) is converted to &lt;
  • > (greater-than sign) is converted to &gt;
  • & (ampersand) is converted to &amp;
  • " (double quote) is converted to &quot;
  • ' (single quote) is converted to &#39;

For example, if you try to output a string such as <h1>你好</h1><script>alert('XSS');</script>, the default escaping causes the browser to display it as &lt;h1&gt;你好&lt;/h1&gt;&lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt; rather than as an actual heading and a popup, which effectively protects the website.

When do you need to turn off default escaping? In some cases, for example when you retrieve content from a rich text editor and the content itself contains valid HTML structure (paragraphs, images, and so on), you want those HTML tags to be parsed by the browser. For this, AnQiCMS provides the |safe filter, which explicitly tells the template engine that you trust this content to be safe and that it must not be escaped.

Usage is simple: append |safe to the variable, for example {{ archiveContent|safe }}.

It is worth emphasizing that using the |safe filter means you take responsibility for the security of that content. It should be used only when you fully trust the source and are certain that it contains no malicious code. It is strongly recommended to keep the default HTML escaping for any content that may originate from user input without strict review. In addition, you can use the autoescape tag to control the escaping behaviour of a specific block of template code.
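To make the mechanism above concrete, here is a small added Go example (not AnQiCMS's own code) that re-implements the five-character escaping table and a Render function that mimics {{ variable }} with and without the |safe filter. The Render and HTMLEscape names, and the sample input, are this example's own constructions.

```go
package main

import (
	"fmt"
	"strings"
)

// htmlEscaper maps the five characters the article lists to their HTML
// entities. Illustrative re-implementation, not AnQiCMS's code.
// strings.NewReplacer performs a single pass, so the "&" produced by one
// replacement is never re-escaped by another.
var htmlEscaper = strings.NewReplacer(
	"&", "&amp;",
	"<", "&lt;",
	">", "&gt;",
	`"`, "&quot;",
	"'", "&#39;",
)

// HTMLEscape returns s with <, >, &, " and ' converted to entities, so a
// browser renders them as visible text rather than as markup or script.
func HTMLEscape(s string) string {
	return htmlEscaper.Replace(s)
}

// Render mimics what {{ variable }} outputs: escaped by default, passed
// through unchanged only when the |safe filter is applied (safe == true).
func Render(value string, safe bool) string {
	if safe {
		return value // the template author has vouched for this content
	}
	return HTMLEscape(value)
}

func main() {
	// Constructed sample: the same string the article uses.
	input := "<h1>你好</h1><script>alert('XSS');</script>"
	fmt.Println("default:", Render(input, false))
	fmt.Println("|safe:  ", Render(input, true))
}
```

One caveat when comparing with Go's standard library: html.EscapeString converts the same five characters but encodes " as &#34; rather than &quot;; browsers treat both forms identically, so either output is safe.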

The addslashes filter: escaping string literals

Unlike the default HTML escaping mechanism, the addslashes filter is not concerned with HTML tags or XSS. It is a lower-level string-processing tool that adds a backslash (\) before certain predefined characters.

The addslashes filter processes the following characters:

  • Single quote (')
  • Double quote (")
  • Backslash (\)
  • NUL character (the null byte)

Its main purpose is to escape these special characters so that they are parsed correctly in certain contexts (such as inserting strings into database queries that require escaped quotes, or constructing JavaScript string literals where backslashes and quotes must be escaped) rather than being misinterpreted as part of the syntax.

For example, if you have the string This is "AnQiCMS" project., after processing by the addslashes filter it becomes This is \"AnQiCMS\" project.
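The following added Go example (not AnQiCMS's own implementation) shows the addslashes behaviour described above on the four listed characters, together with the inverse operation, and confirms that it leaves HTML markup untouched. The AddSlashes and StripSlashes names are this example's own; representing NUL as a backslash followed by the digit 0, as PHP's addslashes does, is an assumption, since the article only says a backslash is added.

```go
package main

import (
	"fmt"
	"strings"
)

// AddSlashes prefixes ', " and \ with a backslash and writes the NUL byte
// as \0. Iterating over bytes is safe for UTF-8 input: the escaped bytes
// are ASCII and never occur inside a multi-byte sequence.
func AddSlashes(s string) string {
	var b strings.Builder
	b.Grow(len(s) + 8)
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\'', '"', '\\':
			b.WriteByte('\\')
			b.WriteByte(c)
		case 0:
			b.WriteString(`\0`) // assumption: PHP-style rendering of NUL
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// StripSlashes reverses AddSlashes so the round trip can be verified.
func StripSlashes(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) {
			i++
			if s[i] == '0' {
				b.WriteByte(0)
			} else {
				b.WriteByte(s[i])
			}
			continue
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

func main() {
	// Constructed samples: the article's string, a path, and an HTML tag.
	for _, s := range []string{`This is "AnQiCMS" project.`, `C:\tmp 'x'`, "<script>"} {
		fmt.Printf("%q -> %q\n", s, AddSlashes(s))
	}
}
```

The last sample is the point of the comparison: AddSlashes("<script>") returns "<script>" unchanged, so the filter gives no protection against XSS and is not a substitute for the default HTML escaping, parameterized database queries, or JSON serialization.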

Application scenarios of addslashes: in modern web development, especially with systems like AnQiCMS that have mature template engines, the addslashes filter is rarely applied directly to HTML output. Database operations are usually handled by an ORM (object-relational mapping) library, so there is no need to perform this escaping manually, and JavaScript strings are typically built through JSON serialization and other safer, more automated methods.

However, in scenarios where a string in a specific format must be constructed by hand, or when interacting with older systems or particular data formats (some command-line parameters, certain configuration file formats), addslashes can be useful. It ensures that specific characters within a string are represented literally rather than interpreted as control characters.

Summary of the core differences and application scenarios of the two:

  • Different purposes:

    • Default HTML escaping focuses on web security: it prevents the browser from interpreting string content as executable HTML or JavaScript, avoiding XSS. It converts special characters to HTML entities.
    • The addslashes filter focuses on string literal escaping: it ensures that specific characters within a string are read as literals in other contexts (such as certain programming languages or database queries) rather than as part of the syntax. It adds a backslash before specific characters.
  • Different handling:

    • Default HTML escaping replaces special characters with HTML entities.
    • The addslashes filter inserts a backslash before certain characters.
  • Different character ranges:

    • Default HTML escaping targets the special characters of HTML syntax (<, >, &, ", ').
    • The addslashes filter targets the characters that act as escape characters in string literals (', ", \).

In day-to-day AnQiCMS template development and website operation, you should always rely on the default HTML escaping mechanism to keep the display of user content safe. Only when you are sure that the output contains no malicious code and must keep its HTML structure should you cautiously use the |safe filter. The addslashes filter is a more specialized, lower-level string-processing tool that can be considered when literal strings must be escaped for a specific backend or non-HTML text format. Understanding the difference between the two helps you control the presentation of website content more precisely and safely.

Frequently Asked Questions (FAQ)

  1. Why are AnQiCMS template variables HTML-escaped by default? AnQiCMS performs HTML escaping by default to strengthen website security, mainly to prevent cross-site scripting (XSS). When user input or externally obtained content is displayed directly on a web page and contains malicious HTML or JavaScript, the default escaping converts it to harmless plain text, preventing the browser from executing the potentially harmful code and thereby protecting both the website and its visitors.

  2. When should I use the |safe filter to turn off the default HTML escaping? Use the |safe filter only in the following two cases:

    • When the content you output is completely trusted and you are certain that it contains valid HTML structure (such as content edited in the back-end rich text editor that has been strictly reviewed) which the browser must parse as HTML elements rather than plain text.
    • When you are certain that this content cannot be exploited by an attacker to inject malicious code. Use |safe with caution, because once misused it can introduce serious security vulnerabilities into the website.
  3. What are the common practical application scenarios of the addslashes filter in AnQiCMS templates? The addslashes filter is not commonly used directly for the final HTML output in AnQiCMS templates. Its main function is to add backslashes to escape literal characters such as single quotes, double quotes, backslashes, and NUL characters in a string. If