Have you ever run into this while debugging page content in AnQiCMS: you type a single backslash (\) into a field, yet when it is displayed on the front-end page it has mysteriously become two (\\)? This is puzzling, and the first suspicion is usually that the addslashes filter is misbehaving.

Today let's dig into this issue: how the addslashes filter in AnQiCMS works, and what unexpected results its interaction with the template engine can produce.

Understanding the addslashes filter

First, recall what addslashes was designed for. According to the AnQiCMS documentation, the core function of addslashes is to insert a backslash before each of the predefined characters: the single quote ('), the double quote (") and the backslash (\) itself. This is meant for contexts where special characters must be escaped before a string is embedded somewhere else, such as a JavaScript string literal or, historically, an SQL query. (Relying on it as an SQL injection defence is a legacy practice; use parameterised queries for that.)

For example, the string I'm an "AnQiCMS" user. becomes I\'m an \"AnQiCMS\" user. after the addslashes filter. The backslashes are there so that, in the target environment, the quotes are read as part of the string's content rather than as syntax.

The crux of the problem: double escaping

Why do extra backslashes show up on the page? Part of the answer is an important feature of the Django-style template engine that AnQiCMS uses: automatic escaping.

To protect the site against cross-site scripting (XSS), the AnQiCMS template engine HTML-escapes everything that is output through {{ variable }} by default. This means < becomes &lt;, > becomes &gt;, and quotes and ampersands are rewritten to their HTML entities as well. The addslashes filter is a second, separate escaping step, and the backend may apply escaping of its own when content is stored (see below). A backslash is doubled every time one of these backslash-aware passes runs over it.

When addslashes is combined with another escaping pass, you get "double escaping":

  1. Suppose the original data contains a single backslash, \.
  2. addslashes runs first; it sees that backslash and puts another one in front of it, producing \\.
  3. A second escaping pass then runs over that output (for example addslashes applied again, once when the content was stored and once in the template). Each of the two backslashes is escaped again, so the page ends up showing \\\\.

The one backslash you started with has been escaped twice; that is why you wanted one \ but see \\ or even more. One check worth doing before changing any template: HTML auto-escaping in Django-style engines rewrites <, >, & and quotes but leaves backslashes alone, so compare the raw stored value with the rendered page source to find which pass is doing the doubling. If the stored value already contains \\, the extra pass happened on the way into the database, not in the template.
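To make the three passes concrete, here is an added example in Go (it is not code from AnQiCMS or its documentation). It implements a PHP-style addSlashes with the same semantics as the filter, applies it once and twice to a constructed input, and runs Go's standard html.EscapeString over the once-escaped value to show which characters HTML escaping does and does not touch. The function names, the Escaped struct and the sample strings are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// slasher mimics the PHP-style addslashes filter: it prefixes ' " and \ with a
// backslash. strings.NewReplacer performs all replacements in a single pass, so
// the backslashes it inserts are never re-escaped within the same call.
var slasher = strings.NewReplacer(`\`, `\\`, `'`, `\'`, `"`, `\"`)

func addSlashes(s string) string { return slasher.Replace(s) }

// htmlEscape stands in for a template engine's HTML auto-escape step. Go's
// html.EscapeString only rewrites & < > " and ', never the backslash.
func htmlEscape(s string) string { return html.EscapeString(s) }

// Escaped collects the outcome of each escaping pass for one input.
type Escaped struct {
	Once  string // addslashes applied once
	Twice string // addslashes applied a second time (double escaping)
	HTML  string // HTML escaping applied to the once-escaped value
}

// run applies the passes described in the text to a single input string.
func run(input string) Escaped {
	once := addSlashes(input)
	return Escaped{
		Once:  once,
		Twice: addSlashes(once),
		HTML:  htmlEscape(once),
	}
}

func main() {
	// Constructed sample inputs: a Windows path and the page's quoted sentence.
	for _, in := range []string{`C:\path`, `I'm an "AnQiCMS" user.`} {
		r := run(in)
		fmt.Printf("input:            %s\n", in)
		fmt.Printf("addslashes once:  %s\n", r.Once)
		fmt.Printf("addslashes twice: %s\n", r.Twice)
		fmt.Printf("html-escaped:     %s\n\n", r.HTML)
	}
}
```

Running it shows the backslash in C:\path going from one to two to four across the two addslashes passes, while the HTML escaping pass leaves the backslashes untouched and only rewrites the quotes. That is the distinction to keep in mind when deciding which pass is responsible for the doubling you see.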

Solution: controlling escaping deliberately

To resolve double escaping, we need to tell the template engine that certain content has already been processed by hand and must not be auto-escaped again. AnQiCMS provides several ways to do this:

  1. Use the safe filter (recommended for a single variable). The safe filter declares that a variable's content is "safe" and must not be auto-escaped by the template engine. When you have already run the string through addslashes and verified its contents, append safe right after it.

    {# The original form may trigger double escaping #}
    {{ my_string_with_slashes|addslashes }}
    
    
    {# Correct usage: the safe filter prevents a second round of escaping #}
    {{ my_string_with_slashes|addslashes|safe }}
    

    Here addslashes escapes first, producing \', \" and \\; safe then stops the template engine from processing the result again, so it is output to the page unchanged.

  2. Use the autoescape off tag (recommended for larger blocks). If you have a bigger fragment containing several variables or HTML structure, and you want everything inside it to bypass automatic escaping, wrap the region in {% autoescape off %} and {% endautoescape %}.

    {% autoescape off %}
        <script>
            var data = "{{ json_data_with_slashes|addslashes }}";
            // Nothing in this block is auto-escaped; json_data_with_slashes is output exactly as addslashes produced it
        </script>
        <p>{{ another_content_with_slashes|addslashes }}</p>
    {% endautoescape %}
    

    No variable output inside this block is escaped by the template engine.

Practice and safety considerations

When you use the safe filter or the autoescape off tag, always remember one thing: you are explicitly telling the template engine to switch off its default protection. If the variable contains malicious script (an XSS payload, for instance), it will not be escaped and will run in the visitor's browser, which is a serious security risk.

Therefore, only use safe or autoescape off when you are certain the content is trusted and you genuinely need precise control over escaping.

In most cases the AnQiCMS backend already escapes data when it writes to the database, and the template engine's default auto-escaping is enough for page display. addslashes is mostly used to prepare strings for specific targets such as JavaScript string literals or JSON. When it is combined with safe, validate and filter the data source strictly. Bear in mind, too, that addslashes only handles quotes and backslashes: it does nothing about a </script> sequence or a newline inside the value, so on its own it does not make untrusted data safe inside a <script> block.
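The following added example (Go, not AnQiCMS's own code or template engine) shows why that last caveat matters and what the safer primitive looks like. It compares the PHP-style addSlashes used above with a JSON-encoded JavaScript string literal from Go's encoding/json, which escapes \ and " and, by default, also < > & as \u003c \u003e \u0026, and with Go's html/template, whose contextual auto-escaping recognises that the value sits inside a script and encodes it accordingly. The payload, function names and template are constructed for this illustration; the point generalises to any engine that offers a JSON or JavaScript-aware escape, which is what belongs inside a <script> block rather than addslashes with autoescape switched off.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html/template"
	"strings"
)

// addSlashes: the PHP-style filter discussed on the page, single pass.
func addSlashes(s string) string {
	return strings.NewReplacer(`\`, `\\`, `'`, `\'`, `"`, `\"`).Replace(s)
}

// jsStringLiteral returns a complete JavaScript string literal (quotes
// included) for s. encoding/json escapes \ and " and, with the default
// EscapeHTML behaviour, rewrites < > & as \u003c \u003e \u0026, so the
// result can never contain a literal </script> that would close the element.
func jsStringLiteral(s string) string {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // cannot happen for a plain string input
	}
	return string(b)
}

// renderScript shows the context-aware alternative: Go's html/template sees
// that {{.}} is a value inside JavaScript and JSON-encodes it on its own.
func renderScript(s string) string {
	tmpl := template.Must(template.New("page").Parse(`<script>var data = {{.}};</script>`))
	var sb strings.Builder
	if err := tmpl.Execute(&sb, s); err != nil {
		panic(err)
	}
	return sb.String()
}

func main() {
	// Constructed attacker-controlled value: harmless to addslashes (no quotes,
	// no backslashes), yet it closes the surrounding <script> element.
	payload := `</script><img src=x onerror=alert(1)>`
	fmt.Println("addslashes   :", addSlashes(payload))      // unchanged
	fmt.Println("json literal :", jsStringLiteral(payload)) // < and > become \u003c \u003e
	fmt.Println("html/template:", renderScript(payload))
	// Backslashes and quotes are handled correctly as well, with no doubling.
	fmt.Println("json literal :", jsStringLiteral(`C:\path "quoted"`))
}
```

The JSON route also sidesteps the backslash problem from the first half of the page: the value is encoded exactly once, at the point where it enters the script, and nothing else in the pipeline needs to know about backslashes.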

Understanding how addslashes interacts with the template engine's automatic escaping is the key to the backslash display problem. Using these tools deliberately and safely gives us better control over how content is displayed, improving the site's functionality and user experience without giving up its protection.


Common questions (FAQ)

1. After I used the addslashes filter in a template, the HTML tags in the content were escaped as well, which is not what I wanted. What should I do?

This is exactly addslashes