In AnQiCMS, we aim not only for efficient and flexible content management but also treat website security as a core concern. In day-to-day content creation and template development, something as simple as outputting an HTML tag can hide a security risk, the most common being cross-site scripting (XSS). Understanding how AnQiCMS processes HTML output, and following the practices below, is essential for building a robust and trustworthy site.
How does AnQiCMS handle HTML content output?
A key security feature of the AnQiCMS template engine is automatic escaping by default. When you output a value (article text, a user comment, a custom field, and so on) directly with double curly braces, {{ variable_name }}, the engine converts the characters that could form HTML tags or inline script into their HTML entity equivalents. For example, the string <script>alert('XSS attack')</script> is emitted as &lt;script&gt;alert('XSS attack')&lt;/script&gt;. The browser renders that as literal text instead of executing it, which blocks the most common form of XSS.
This default behaviour is the site's first line of defence and lets content be displayed safely in most cases. If a paragraph entered in the back-end editor happens to contain an HTML fragment, it is shown on the front-end page as plain text rather than executed as script.
When is it necessary to allow HTML tags to be output?
Automatic escaping is the foundation, but in practice you often need to output rich text that contains HTML. The body of an article usually contains paragraphs, bold text, images, links and other formatting that the browser must parse as HTML to display correctly. You may also need to embed a video player's markup in an article or build a custom layout, and all of these rely on emitting HTML tags unescaped.
For this the AnQiCMS template engine provides the |safe filter. Use it only when you are certain a variable holds reviewed, trusted HTML that the browser should parse as markup. On the article detail page, for example, you will typically see {{ archiveContent|safe }}: archiveContent holds the article body produced by the back-end rich text editor, and marking it as safe tells the engine not to escape it.
|safe is a double-edged sword. It gives the template great flexibility, but it also moves the responsibility for safe output onto whoever writes the template: once a value is piped through |safe, the engine applies no escaping at all, so the HTML in that variable must already be clean and harmless.
Practical recommendations for safely handling rich text content
When managing and displaying rich text with AnQiCMS, the following practices greatly improve security:
- Built-in protection of the rich text editor: The document editor in the AnQiCMS back end (for example under "Publish Document" or "Page Management") should itself provide HTML purification. Before content is saved to the database, the editor filters out known malicious scripts and unsafe tag attributes and keeps only common, safe HTML tags. Even content that is later output with |safe therefore passes through this first filter, which removes most of the risk. For Markdown editors, the render=true parameter converts Markdown to HTML, and AnQiCMS likewise has a mechanism to keep that output safe.
- Use the |safe filter with caution: This is the most important rule. Apply |safe only to content from a completely trusted source, for example content entered by a security-aware administrator that the editor has already sanitized. Content that comes from user input (unreviewed comments, messages submitted by visitors) or from external collection must not be output with |safe unless the back end has strictly sanitized it first.
- Understand where the content comes from: Before outputting a value in a template, consider its origin.
  - Article/page content: Created by administrators through the rich text editor; generally considered safe and output with |safe.
  - Custom fields (text type): If a custom field holds plain text and receives no special processing, do not apply |safe to it.
  - User comments/posts: A high-risk area for XSS. AnQiCMS should strictly filter and escape comment content when it is processed. In the template, before outputting a comment with |safe, ask whether that is really necessary or whether the escaping built into AnQiCMS is enough.
  - External content collection: Content obtained through the "Content Collection" feature has a complex provenance and may contain malicious code. Sanitize it strictly before storing it, and avoid |safe in templates unless the back end has confirmed that all unsafe elements were removed.
- Use the autoescape tag for local control: If most of a template file should be auto-escaped and only a small part needs raw HTML, wrap that part in {% autoescape off %} ... {% endautoescape %} instead of adding |safe to every variable inside it. The exception then lives in one visible place, which is clearer and safer than scattering |safe through the file.
- The special role of |escapejs: Sometimes dynamic content has to be embedded inside JavaScript. Default HTML escaping is not enough there, because it is designed for the HTML context, not for a JavaScript string literal, and switching it off with |safe opens the door to JavaScript injection. AnQiCMS therefore provides the |escapejs filter. For example, if a JavaScript variable should receive the article title from the back end, write: var articleTitle = "{{ article.Title|escapejs }}"; This ensures that special characters in the title (quotes, backslashes, angle brackets) cannot break out of the string literal or close the <script> element, which prevents JavaScript injection.
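The three behaviours this page describes (the default escaping of a plain {{ x }}, |safe on the admin-edited article body, and |escapejs inside a script block), shown side by side as an added Go example. This is not AnQiCMS's own code: it uses Go's text/template with three small filter functions standing in for the AnQiCMS filters, because text/template, like the Django-style engine whose filters the page describes, applies no contextual escaping of its own (html/template would hide the problem by JS-escaping automatically). The struct and template names and the sample article, title and comment are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
	"text/template"
)

// Added example, not AnQiCMS code. text/template is used instead of
// html/template on purpose: like the Django-style engine whose filters this
// page describes, it applies no contextual escaping on its own, so escaping
// is decided per variable by the template author. The type, field and
// template names below are assumptions made for the example.

type Article struct {
	Title   string // plain text: may have been entered by a visitor or collected externally
	Content string // rich-text HTML produced and sanitized by the admin editor
}

type Comment struct {
	Body string // untrusted visitor input
}

type PageData struct {
	Article  Article
	Comments []Comment
}

// Three filters standing in for the AnQiCMS template behaviours discussed above.
var filters = template.FuncMap{
	"escape":   html.EscapeString,                  // what a plain {{ x }} does by default
	"safe":     func(s string) string { return s }, // |safe: emit the value untouched
	"escapejs": template.JSEscapeString,            // |escapejs: safe inside a JS string literal
}

// Correct usage: escape untrusted text, reserve |safe for the trusted article
// body, and use |escapejs for the value embedded in the <script> block.
const goodTmpl = `<h1>{{ .Article.Title | escape }}</h1>
<div class="content">{{ .Article.Content | safe }}</div>
<ul>{{ range .Comments }}<li>{{ .Body | escape }}</li>{{ end }}</ul>
<script>var articleTitle = "{{ .Article.Title | escapejs }}";</script>
`

// Wrong usage: |safe applied to visitor comments and to a value inside a
// JavaScript string. Both are the mistakes the page warns against.
const badTmpl = `<ul>{{ range .Comments }}<li>{{ .Body | safe }}</li>{{ end }}</ul>
<script>var articleTitle = "{{ .Article.Title | safe }}";</script>
`

func render(name, src string, data PageData) (string, error) {
	t, err := template.New(name).Funcs(filters).Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// Constructed sample data: a hostile comment, and a title that tries to close
// the JS string literal and the <script> element to inject its own script.
func sampleData() PageData {
	return PageData{
		Article: Article{
			Title:   `Go tips: "quotes" & </script><script>alert(1)</script>`,
			Content: `<p>Hello <b>world</b></p>`,
		},
		Comments: []Comment{{Body: `<script>alert('XSS')</script>`}},
	}
}

func RenderGood() (string, error) { return render("good", goodTmpl, sampleData()) }
func RenderBad() (string, error)  { return render("bad", badTmpl, sampleData()) }

// ScriptTagCount counts "<script" openings in rendered output. A page built
// from the good template contains exactly the one its template wrote; every
// additional one came from data that was not escaped for its context.
func ScriptTagCount(out string) int {
	return strings.Count(out, "<script")
}

func main() {
	for _, r := range []struct {
		name string
		fn   func() (string, error)
	}{{"good", RenderGood}, {"bad", RenderBad}} {
		out, err := r.fn()
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- %s template (%d <script> openings) ---\n%s\n", r.name, ScriptTagCount(out), out)
	}
}
```

Running it prints the two renderings. In the good page the comment appears as entity-encoded text, the article body keeps its tags, and the title inside the script block is written with \" and \u003C sequences, so the literal stays closed and the script element is not terminated early; only one <script> opening exists, the template's own. The bad page contains three: the one the template wrote, the one the comment smuggled in, and the one the title injected after closing the string and the element.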
Summary
AnQiCMS was designed with content security in mind: the default automatic escaping gives a site a solid foundation. The flexible template engine also lets us control HTML output directly, so whenever we use the |safe filter we should stay alert, understand its security implications, and choose appropriate measures based on the content's source and the scenario. By sanitizing content strictly on the back end, using template filters deliberately on the front end, and keeping an eye on emerging risks, we can enjoy the convenience brought by AnQiCMS at the same time