In running a website, displaying user-submitted content is a core function, especially for content such as article bodies that may carry rich formatting. How to present this user-entered HTML on the site safely and accurately while preventing security risks such as cross-site scripting (XSS) is a question every site operator has to think through. AnQiCMS provides flexible and powerful tools for template design and content processing to meet this challenge.

AnQiCMS's default security mechanism: automatic escaping is the cornerstone

AnQiCMS uses Django template engine syntax, which by default has a strong built-in security mechanism for variable output. This means that when you output content in a template with double curly braces, `{{ variable }}`, the system automatically escapes the HTML tags and special characters it contains. For example, if a user enters `<script>alert('XSS')</script>`, the browser does not parse it as executable JavaScript; it is displayed safely as `&lt;script&gt;alert('XSS')&lt;/script&gt;`.

This automatic escaping is the first and most crucial line of defense against XSS attacks: it prevents malicious code from executing on your website, protecting both the site and its visitors. For plain-text content that is not expected to carry HTML formatting, and for any input from an untrusted source, this default behavior is **preferred**.

When do you need to display raw HTML? Understanding the `|safe` filter

However, not all user input should be treated as plain text. For example, article bodies are often written in a rich text editor and contain bold, italic, images, links and other HTML formatting. If this content is escaped as well, the article's formatting and styling are completely lost, leaving a pile of unreadable raw tags.

This is where the `|safe` filter comes in. When you have determined that the content of a variable is carefully prepared, trusted HTML that needs to be rendered directly as HTML, you append the `|safe` filter to the variable. For example, on the article detail page you would usually output the `Content` field like this:

{% archiveDetail articleContent with name="Content" %}
{{ articleContent|safe }}

With `|safe` you explicitly tell AnQiCMS that `articleContent` is safe and needs no HTML escaping. This is like opening a 'green channel' for content you trust, so you must make sure this content has been strictly reviewed and comes from a reliable source, to avoid potential cross-site scripting (XSS) attacks. `|safe` gives you great flexibility, and the matching security responsibility.
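
To make the contrast between the default escaping and `|safe` concrete, here is an added example in Go using the standard library's html/template, which applies the same kind of context-aware auto-escaping. It is not AnQiCMS code and does not use its template engine: `template.HTML` plays the role of `|safe`, and the functions `renderEscaped` and `renderTrusted` and the sample strings are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// The same template text is used for both cases: an article body inside a div.
const articleTmpl = `<div class="article">{{.}}</div>`

// renderEscaped corresponds to {{ articleContent }} without |safe:
// the value is a plain string, so the engine HTML-escapes it.
func renderEscaped(body string) (string, error) {
	tmpl := template.Must(template.New("escaped").Parse(articleTmpl))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, body); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderTrusted corresponds to {{ articleContent|safe }}: wrapping the
// value in template.HTML marks it as pre-vetted markup, and the engine
// inserts it verbatim. Only reviewed content from a reliable source
// should take this path.
func renderTrusted(body string) (string, error) {
	tmpl := template.Must(template.New("trusted").Parse(articleTmpl))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, template.HTML(body)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample inputs: one hostile string, one legitimate rich-text body.
	hostile := "<script>alert('XSS')</script>"
	article := "<p>Hello <b>world</b></p>"

	escaped, err := renderEscaped(hostile)
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped:", escaped) // tags arrive as &lt;script&gt;...: inert text

	trusted, err := renderTrusted(article)
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted:", trusted) // tags kept, so the browser renders the markup

	// The hostile string through the trusted path shows why |safe must be
	// reserved for reviewed content: the engine no longer protects you.
	unsafe, err := renderTrusted(hostile)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe :", unsafe)
}
```

The third call is the situation the paragraph above warns about: once a value is marked safe, whatever review happened before the template is the only remaining control.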

Secure rendering of Markdown content: making good use of the `render` parameter

Newer versions of AnQiCMS add support for a Markdown editor, which is a great convenience for content creators. Markdown content is itself plain text, but it is designed to be converted to HTML easily. AnQiCMS also provides an intelligent and safe way of displaying Markdown-formatted text.

If the Markdown editor is enabled in the backend content settings, then the `Content` field of `archiveDetail`

If you need finer control, or want to override the backend default in specific scenarios, the `Content` field of the `archiveDetail` and `pageDetail` tags supports a `render` parameter. With `render=true` or `render=false` you can specify manually whether the Markdown content is rendered:

{# Explicitly request that the Markdown content be rendered as HTML #}
<div>文档内容:{% archiveDetail archiveContent with name="Content" render=true %}{{archiveContent|safe}}</div>

{# Explicitly request no rendering, keeping the raw Markdown text #}
<div>原始Markdown:{% archiveDetail archiveContent with name="Content" render=false %}{{archiveContent}}</div>

Note that even when you enable Markdown-to-HTML conversion with `render=true`, you still need to apply the `|safe` filter when outputting in the template, so that the converted HTML is parsed correctly by the browser instead of being escaped a second time. This again underlines the central role of `|safe` in displaying HTML content.

Fine-grained control: stripping, conversion and validation

In addition to the core mechanisms above, AnQiCMS's template filters provide more refined content-processing options to meet the security and formatting needs of different scenarios:

  • Remove unwanted HTML tags: Sometimes you want to allow only some HTML tags (such as `<b>` / `<i>`) while prohibiting all others (such as `<script>` / `<img>`). The `striptags` filter removes all HTML tags and keeps only the plain-text content, while the `removetags:"tag1,tag2"` filter removes the specified HTML tags and keeps the rest. This is very useful where HTML must be strictly restricted, such as in user comments.

    {# Remove all HTML tags #}
    {{ userComment|striptags }}
    {# Remove only the script and style tags #}
    {{ userComment|removetags:"script,style"|safe }}
    
  • Safely convert URLs and email addresses: When users enter URLs or email addresses in text, we want them to become clickable links automatically while remaining safe. The `urlize` filter automatically recognizes URLs and email addresses in the text and converts them into `<a>` tags carrying a `rel="nofollow"` attribute, which improves security and discourages spam links. If you need to limit the displayed length of the link text, use `urlizetrunc:length`.

    {# Automatically convert URLs and email addresses in the text into links #}
    {{ articleDescription|urlize|safe }}
    {# Convert links and truncate the displayed text to 15 characters #}
    {{ articleDescription|urlizetrunc:15|safe }}
    
  • Inserting data into JavaScript: If you need to insert user-supplied data dynamically into JavaScript code, inserting unprocessed HTML directly can lead to serious JS injection vulnerabilities. The `escapejs` filter escapes the special characters in a string (newlines, quotes and so on), ensuring that the data is handled safely as a string in the JS environment.

    <script>
        var userName = "{{ userInputName|escapejs }}";
        alert("Hello, " + userName);
    </script>
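
As an added example covering the `escapejs` and `striptags` items above (not AnQiCMS code; written in Go against the standard library), `renderJS` shows what JavaScript-context escaping does to a value placed inside a quoted JS string, again using html/template, which recognizes the `<script>` context on its own, and `stripTags` is a minimal stand-in for the `striptags` filter. The function names, the regular expression and the sample inputs are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
)

// renderJS is the counterpart of
//   <script>var userName = "{{ userInputName|escapejs }}";</script>
// html/template sees that {{.}} sits inside a JS string literal and applies
// JS string escaping: double quotes become \u0022, angle brackets \u003c and
// \u003e, slashes \/, so the value can close neither the string literal nor
// the script element. HTML escaping alone would not give this guarantee.
func renderJS(userName string) (string, error) {
	tmpl := template.Must(template.New("js").Parse(
		`<script>var userName = "{{.}}";</script>`))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, userName); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// tagPattern matches one complete tag: '<', anything except '>', then '>'.
var tagPattern = regexp.MustCompile(`<[^>]*>`)

// stripTags mimics the striptags filter: tags are removed and the text
// between them is kept. A lone '<' with no closing '>' is not a tag and
// survives, which is why the result still belongs in an escaping {{ }}
// output rather than behind |safe.
func stripTags(s string) string {
	return tagPattern.ReplaceAllString(s, "")
}

func main() {
	// Constructed sample inputs: a string that would end the JS literal
	// if inserted raw, and a comment mixing harmless and unwanted tags.
	name := `"; alert(1); //`
	out, err := renderJS(name)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)

	comment := "<b>Great</b> post <script>alert(1)</script>, 2 < 3"
	fmt.Println(stripTags(comment))
}
```

For the first input the script stays syntactically intact and `userName` simply holds the odd-looking text; for the second, the remaining text is plain text only in the sense that it carries no tags, so it is still output through `{{ }}` so that the leftover `<` is escaped.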
    

Summary: balancing security and flexibility

AnQiCMS provides multi-level tools at the template level, striking a balance between flexibility and security in content display. The core principle is "secure by default, release as needed": the system HTML-escapes all output by default to avoid XSS risks as far as possible, and content you have verified as trusted is released explicitly with the `|safe` filter. Combined with the Markdown `render` parameter and the `striptags` / `urlize` filters, you can make full use of HTML's expressiveness to give visitors a rich, high-quality content experience while keeping the site secure.


Common Questions (FAQ)