In the daily use and template development of AnQiCMS, dealing with special characters in content is a common occurrence. Among the available tools, the `addslashes` filter is used to escape specific characters in strings. A common and worthwhile question is this: when our website content contains HTML entities such as `&lt;`, does the `addslashes` filter perform 'double escaping' on them and process them further? To answer it, we need a deeper understanding of how `addslashes` works and of what HTML entities actually are.
The mechanism of the `addslashes` filter
According to the AnQiCMS documentation, the main function of the `addslashes` filter is to add a backslash before certain predefined characters. These 'predefined characters' are: the single quote (`'`), the double quote (`"`), the backslash (`\`) and NUL (the null character).
Its original purpose is to avoid syntax errors or security issues when string data is embedded in another context. For example, when user input is inserted into a JavaScript string, a quote in the input can break the JavaScript code; likewise, improper quote handling when constructing SQL queries can lead to SQL injection. By inserting a backslash before these specific characters, `addslashes` 'escapes' them so that they are interpreted as ordinary characters rather than as part of the syntax structure.
The essence of HTML entities such as `&lt;`
Now let's look at `&lt;`. It is an HTML entity: the HTML-encoded representation of the less-than sign (`<`). In an HTML document the less-than sign `<` is a very special character, because it normally marks the beginning of an HTML tag. To display a literal `<` symbol instead of letting the browser interpret it as the start of a tag, you use its HTML entity `&lt;`.
Other common HTML entities include `&gt;` (the greater-than sign `>`), `&amp;` (the ampersand `&`) and so on. Each entity is a character sequence that starts with `&` and ends with `;`; it is not the original special symbol itself, but the 'safe representation' of that symbol in an HTML context.
Analysis of how `addslashes` handles HTML entities
Having clarified the scope of `addslashes` and the definition of HTML entities, we can draw a conclusion: in AnQiCMS, the `addslashes` filter will not apply a second level of escaping to special HTML entities such as `&lt;`.
The reason is as follows: while doing its job, the `addslashes` filter looks for and escapes the original characters `'`, `"`, `\` and NUL, not the HTML entities of those symbols. When `addslashes` processes a string containing `&lt;`, it scans the string character by character. In the sequence `&lt;` it sees the characters `&`, `l`, `t` and `;`, none of which are in its list of target characters. Therefore `addslashes` simply skips over `&lt;` and leaves it as is, without adding a backslash in front of it.
Furthermore, the AnQiCMS template engine (based on Pongo2 for Go, which is similar to Django's template language) by default escapes the content of every output variable into HTML entities in order to prevent cross-site scripting (XSS) attacks. This means that if you directly output a variable containing a raw `<` character (for example `{{ my_variable }}`), it is automatically converted to `&lt;`. If the `addslashes` filter is then applied to this escaped string, `addslashes` sees `&lt;` and finds no single quotes, double quotes or backslashes to escape, so it does nothing. Even if you use the `|safe` filter to cancel the template engine's default HTML entity escaping so that raw `<` characters are output directly, `addsl
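As an added example (not AnQiCMS's or Pongo2's own code), the following Go program models the behaviour described above: an `addSlashes` function that escapes only `'`, `"`, `\` and NUL (rendering NUL as `\0` follows PHP and is an assumption), run over a string that already contains entities, plus a second function that stands in for the template engine's default HTML auto-escaping by calling Go's `html.EscapeString` before `addSlashes`.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// addSlashes mirrors the behaviour the article describes for the addslashes
// filter: a backslash is inserted before ', " and \, and a NUL byte is written
// as the two characters \0 (the NUL rendering follows PHP and is an assumption;
// this is not AnQiCMS's own implementation).
func addSlashes(s string) string {
	var b strings.Builder
	b.Grow(len(s) + 4)
	for _, r := range s {
		switch r {
		case '\'', '"', '\\':
			b.WriteByte('\\')
			b.WriteRune(r)
		case 0:
			b.WriteString(`\0`)
		default:
			// Everything else, including the &, l, t and ; of an entity,
			// is copied through untouched.
			b.WriteRune(r)
		}
	}
	return b.String()
}

// entityThenSlashes models {{ value|addslashes }} with the engine's default
// HTML auto-escaping still on. html.EscapeString is a stand-in for the
// template engine's own escaper (an assumption); it turns < > & ' " into entities.
func entityThenSlashes(s string) string {
	return addSlashes(html.EscapeString(s))
}

func main() {
	// Constructed sample input: tag-like content with a single quote inside it.
	raw := `<b>it's</b>`
	fmt.Println(addSlashes("&lt;b&gt;"))   // entity passes through unchanged
	fmt.Println(addSlashes(raw))           // only the quote gets a backslash
	fmt.Println(entityThenSlashes(raw))    // quote is already &#39;, nothing left to escape
}
```

Because auto-escaping has already turned the quote into `&#39;`, the second filter has nothing to do; the two mechanisms target different character sets and do not compound.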