In AnQiCMS template development, character escaping is an important topic, because it affects both website security and the correct display of content. When people first run into such issues, they may naturally reach for common escaping functions such as addslashes. In the AnQiCMS template environment, however, there are alternatives that are better suited in both design philosophy and security, and that more precisely match the escaping needs of different output contexts.

First, let's look at what addslashes is normally used for. As its name suggests, it adds a backslash before specific characters (single quotes, double quotes and backslashes). This is usually done so that a string can be inserted safely into a context that expects a string literal, such as when constructing SQL statements or in some old-style JavaScript strings. It is concerned with preventing string injection, not with how a browser parses HTML or JavaScript.

AnQiCMS is built on Go and a Django-style template engine, and the security of content output was considered comprehensively in its design. The system has focused on security and extensibility from the start and ships with built-in security mechanisms, the most central of which is auto-escaping.

The core security mechanism of AnQiCMS templates: auto-escaping

When you output content in an AnQiCMS template with double curly braces, {{ variable }}, the system automatically escapes the variable's value. This means that if the variable contains HTML special characters such as <, >, &, " or ', they are converted to the corresponding HTML entities, such as &lt;, &gt; and &amp;. This mechanism is the first and most important line of defense against cross-site scripting (XSS).

For example, if a user submits a comment whose content is <script>alert('XSS');</script> and you output it directly in the template as {{ comment.Content }}, it automatically becomes &lt;script&gt;alert('XSS');&lt;/script&gt;, and the browser displays it as plain text instead of executing the script. This default behavior greatly simplifies template development, letting developers focus on presenting content without handling HTML escaping by hand.

More precise control of HTML output: the escape filter

Although AnQiCMS templates auto-escape by default, in some cases you may need to control the escaping behavior more explicitly. AnQiCMS provides the escape filter (alias: e), which explicitly converts HTML special characters in a string to HTML entities.

When is this filter useful? Mainly when you have explicitly switched auto-escaping off for a block with the {% autoescape off %} tag, but a particular variable inside that block still needs HTML escaping. With {{ variable | escape }} you can ensure that this variable is output safely even in an environment without auto-escaping.

For example:

{% autoescape off %}
    <p>This content is not escaped automatically: {{ user_input }}</p>
    <p>But this variable is explicitly HTML-escaped: {{ user_input | escape }}</p>
{% endautoescape %}

This lets you control auto-escaping flexibly while still keeping the necessary data safety.

The dedicated tool for JavaScript content: the escapejs filter

Inserting dynamic content into a JavaScript code block requires handling that differs from HTML escaping, because JavaScript has its own special characters and syntax rules. Using HTML escaping alone can lead to JavaScript syntax errors or new security vulnerabilities. For this, AnQiCMS provides the escapejs filter.

The escapejs filter converts special characters in a string (carriage return \r, newline \n, single quote ', double quote ", backslash \, and so on) into a form such as \uxxxx that can be parsed safely inside a JavaScript string literal. This is especially important when embedding dynamic data into a <script> tag on an HTML page as a JavaScript variable, function argument or JSON string.

For example, if you want to assign a string variable to a JavaScript variable:

<script>
    var dynamicMessage = "{{ article.Title | escapejs }}";
    alert(dynamicMessage);
</script>

Here escapejs ensures that even if article.Title contains quotes or other special characters, it will not break the JavaScript syntax, thereby avoiding potential XSS vulnerabilities.

When should the safe filter be used, and with what caution?

As the counterpart of the escape filter, AnQiCMS also provides the safe filter. The safe filter marks the content of a variable as safe, meaning it needs no escaping at all. Once safe is used, the system fully trusts the variable's content and outputs it as raw HTML or text.

Because of its power, the safe filter must be used with extreme caution. Its main use cases are:

  • Rich text editor content: if you are sure that the content entered through the backend rich text editor has been strictly sanitized and validated on the server side and contains no malicious scripts, you can use safe to display the HTML it contains.
  • A completely trusted, pre-rendered HTML fragment: for example, static HTML content obtained from a trusted source.

Any data that comes from user input or an untrusted source and has not been strictly sanitized on the server side must never be output directly with the safe filter. Doing so directly exposes the site to XSS attacks, which contradicts AnQiCMS's original intent of providing a secure website.

Practical advice: How to choose the correct escaping method

Choosing the right escaping method in AnQiCMS template development is actually simple:

  1. In most cases: trust auto-escaping. For ordinary text content (article titles, descriptions, etc.), AnQiCMS's default automatic HTML escaping is secure enough.
  2. Embedding dynamic values in HTML attributes: again, auto-escaping is sufficient in most cases. However, if the attribute value may contain a URL or JavaScript, it is recommended to combine it with additional encoding or validation appropriate to the scenario.
  3. Embedding dynamic values in a JavaScript code block: the escapejs filter must be used. This is the key to preventing JavaScript injection and XSS attacks.
  4. Outputting rich text editor content: if the backend has a sound security filtering mechanism for rich text, the safe filter can be used. If you cannot fully trust the content source, perform additional server-side sanitization or reconsider the design.
  5. Avoid addslashes: in AnQiCMS templates the addslashes filter only adds a backslash before predefined characters in a string. Its purpose is narrow, and it is not used to handle security issues in HTML or JavaScript output. Overusing or misusing it can cause content to display abnormally (for example, with extra backslashes).
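As an added example (not AnQiCMS's own code), the following Go program compares the three transformations this article contrasts, addslashes, HTML escaping and JavaScript escaping, on the article's XSS comment sample and on a two-line title, and checks whether each result can sit inside a JavaScript string literal without breaking it. It assumes the Go standard library's html.EscapeString and template.JSEscapeString as stand-ins for the auto-escaping and escapejs filters, a hand-written addslashes, and a check function (safeForJSStringLiteral) written for this example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// addslashes reproduces the PHP-style filter the article advises against: it
// backslash-escapes quotes and backslashes and leaves HTML markup untouched.
func addslashes(s string) string {
	return strings.NewReplacer(`\`, `\\`, `'`, `\'`, `"`, `\"`).Replace(s)
}

// escapeHTML stands in for auto-escaping / the escape filter, using the standard
// library's html.EscapeString rather than the CMS's own implementation.
func escapeHTML(s string) string { return html.EscapeString(s) }

// escapeJS stands in for the escapejs filter, using the standard library's
// template.JSEscapeString (\uXXXX / \n sequences, safe inside a JS string literal).
func escapeJS(s string) string { return template.JSEscapeString(s) }

// hasUnescapedQuote reports whether s contains a ' or " not preceded by a backslash.
func hasUnescapedQuote(s string) bool {
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip whatever the backslash escapes
		case '\'', '"':
			return true
		}
	}
	return false
}

// safeForJSStringLiteral (assumed helper) checks an already-escaped value for the
// three ways it can break <script> var x = "..."; </script>: a raw line break
// (syntax error), a bare quote (ends the literal) or </script (ends the element).
func safeForJSStringLiteral(escaped string) bool {
	return !strings.ContainsAny(escaped, "\n\r") && !hasUnescapedQuote(escaped) &&
		!strings.Contains(strings.ToLower(escaped), "</script")
}

func main() {
	// Constructed inputs: the article's XSS comment and a two-line title with quotes.
	for _, in := range []string{"<script>alert('XSS');</script>", "say \"hi\"\nbye"} {
		for _, out := range []string{addslashes(in), escapeHTML(in), escapeJS(in)} {
			fmt.Printf("safe in JS literal: %-5v %q\n", safeForJSStringLiteral(out), out)
		}
	}
}
```

Only the escapejs stand-in passes for both inputs: addslashes leaves </script> intact, and HTML escaping leaves the raw newline that breaks the literal.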

By making proper use of AnQiCMS's auto-escaping mechanism together with the escape, escapejs and safe filters, you can ensure that website content displays correctly and build a solid security barrier, so that your AnQiCMS site runs efficiently while keeping potential security risks at bay.


Frequently Asked Questions (FAQ)

1. I found that some HTML tags are displayed as text, such as &lt;p&gt;, instead of being parsed. Why is that?

This is the default automatic HTML escaping of the AnQiCMS template system. It converts special characters such as < and > to HTML entities to prevent cross-site scripting (XSS) attacks. If your content comes from a rich text editor and you have confirmed that it is safe HTML, you can use the |safe filter to skip escaping so that the HTML tags render normally.

2. After embedding an AnQiCMS variable in my JS code, the page's JS reports an error. Is this related to character escaping?

It is very likely related. Directly embedding a string variable containing special characters (such as quotes or newlines) into JavaScript code can break the JS syntax. You should use the |escapejs filter