In everyday use and template development of AnQiCMS, handling special characters in content is a common task. The `addslashes` filter is a tool for escaping specific characters in a string. A question that comes up often and is worth discussing is this: when the website content contains HTML entities such as `&lt;`, will the `addslashes` filter "double-escape" them, that is, process them a second time? To answer it, we need to understand how `addslashes` works and what HTML entities actually are.
How the `addslashes` filter works
According to the AnQiCMS documentation, the primary function of the `addslashes` filter is to add a backslash before certain predefined characters. These predefined characters are: the single quote (`'`), the double quote (`"`), the backslash (`\`) and NUL (the null character).
Its original design intention is to avoid syntax errors or security problems when string data is embedded in another context. For example, when user input is inserted into a JavaScript string, quotes in the input can break the JavaScript code; similarly, mishandled quotes when building an SQL query can lead to SQL injection. By inserting a backslash before these specific characters, `addslashes` "escapes" them so that they are interpreted as ordinary characters rather than as part of the syntax structure.
What an HTML entity such as `&lt;` really is
Now let's look at an entity like `&lt;`. It is the HTML-encoded representation of the less-than sign (`<`). In an HTML document the less-than sign is a very special character: it normally marks the beginning of an HTML tag. To display a literal `<` without the browser mistaking it for a tag, you use its HTML entity, `&lt;`.
Other common HTML entities include `&gt;` (for the greater-than sign `>`) and `&amp;` (for the ampersand `&`). These entities are character sequences that start with `&` and end with `;`; they are not the original special symbols themselves but the "safe representation" of those symbols in an HTML context.
How `addslashes` treats HTML entities
Having clarified the scope of `addslashes` and the definition of HTML entities, we can draw a conclusion: in AnQiCMS, the `addslashes` filter does not escape special HTML entities such as `&lt;` a second time.
The reason is as follows. When the `addslashes` filter does its work, it looks for and escapes the raw characters (`'`, `"`, `\`), not the HTML-entity representations of those symbols. When `addslashes` processes a string containing `&lt;`, it scans the string character by character; in the sequence `&lt;` it sees the characters `&`, `l`, `t` and `;`. None of these is in the list of characters `addslashes` targets, so `addslashes` simply skips over `&lt;` and keeps it as it is, without adding a backslash in front of it.
Going further, the AnQiCMS template engine (based on Pongo2 for Go, which is similar to Django's) escapes the content of all output variables by default to prevent cross-site scripting (XSS). This means that if you output a variable containing a raw `<` character directly (for example `{{ my_variable }}`), it is automatically converted to `&lt;`. If you then apply the `addslashes` filter to this already-escaped string, what `addslashes` sees is still the string `&lt;`; it finds no single quotes, double quotes or backslashes that need escaping, so it does nothing. Even if you use the `|safe` filter to cancel the template engine's default HTML-entity escaping so that the raw `<` character is output directly, `addsl
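To make the behaviour described in the last two sections concrete, here is an added example (it is not AnQiCMS's or Pongo2's own code) that re-implements the documented `addslashes` rule in Go and runs it over a few constructed inputs: an entity-encoded tag, raw quotes and a backslash, a raw `<` as it would appear after `|safe`, and a value that has first passed through HTML escaping. Go's `html.EscapeString` stands in for the template engine's default output escaping; that the engine's own escaper produces the same entity spellings (for example `&#34;` for a double quote) is an assumption of this example, not something the documentation states.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// addSlashes re-implements the rule documented for the addslashes filter
// (illustrative copy, not AnQiCMS's own code): a backslash is inserted in
// front of a single quote, a double quote, a backslash and NUL. Every other
// byte, including the '&', 'l', 't' and ';' that spell an entity such as &lt;,
// is copied through unchanged.
func addSlashes(s string) string {
	var b strings.Builder
	b.Grow(len(s) + len(s)/8)
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '\'', '"', '\\', 0:
			b.WriteByte('\\')
		}
		b.WriteByte(c)
	}
	return b.String()
}

// escapeThenAddSlashes models the auto-escaped case from the text: the engine
// first converts the raw value to HTML entities, and addslashes is then
// applied to that already-escaped string. Assumption: html.EscapeString
// stands in for the engine's escaper.
func escapeThenAddSlashes(raw string) string {
	return addSlashes(html.EscapeString(raw))
}

// unchangedByAddSlashes reports whether addslashes is a no-op for s, i.e.
// whether s contains none of the four target characters.
func unchangedByAddSlashes(s string) bool {
	return addSlashes(s) == s
}

func main() {
	// Constructed sample values, not data from any real site.
	samples := []string{
		"&lt;script&gt;",          // entity-encoded tag: passes through untouched
		`O'Reilly said "hi" \o/`, // raw quotes and backslash: these get escaped
		"<b>bold</b>",            // raw '<' as output with |safe: also untouched
	}
	for _, s := range samples {
		fmt.Printf("%-28q -> %q (unchanged=%v)\n", s, addSlashes(s), unchangedByAddSlashes(s))
	}
	// Auto-escaped path: '<', '>' and the quotes all become entities before
	// addslashes sees the string, so addslashes finds nothing to do.
	raw := `<a title="x">`
	fmt.Printf("auto-escaped %q -> %q\n", raw, escapeThenAddSlashes(raw))
}
```

The `unchangedByAddSlashes` check is a cheap way to confirm, for any value you are unsure about, that the filter will leave it alone. Note what the example also shows: `addslashes` only stops its four target characters from terminating a quoted string; it is not a replacement for the engine's HTML escaping, and not a substitute for parameterized queries when data reaches SQL.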