In AnQiCMS, we pursue not only efficient and flexible content management, but also treat website security as a core element. In daily content creation and template development, a seemingly simple HTML tag output actually hides potential security risks, the most common of which is cross-site scripting (XSS). Understanding how AnQiCMS handles HTML output and mastering the related security practices is crucial for building a solid and reliable website.

How does AnQiCMS handle the output of HTML content?

In AnQiCMS's template rendering mechanism, an important security feature is automatic escaping by default. This means that when you output content (such as article content, user comments, or custom fields) directly through double curly braces, {{ 变量名 }} (variable name), the system automatically converts the special characters that could form HTML tags or JavaScript code. For example, <script>alert('XSS攻击')</script> is converted to &lt;script&gt;alert('XSS攻击')&lt;/script&gt;, so the browser does not parse it as executable code, which effectively prevents XSS attacks.

This default behavior is the first line of defense for our website, ensuring that our content is displayed safely in most cases. When you inadvertently enter a block of plain text, or even some HTML fragments, in the backend editor, they are safely displayed as plain text on the front-end page, avoiding unexpected script execution.

When is it necessary to allow HTML tags to be output?

Even though automatic escaping is the foundation of security, in actual operation we often need to output "rich text" content that includes HTML tags. For example, the main content of an article typically includes paragraphs, bold text, images, links, and other formatting, all of which need to be parsed by the browser to display correctly. Or you may need to embed a video player snippet in an article, or build a custom, complex layout; none of these work without outputting HTML tags directly.

For this purpose the template engine provided by AnQiCMS offers the |safe filter, used as {{ archiveContent|safe }}. Here the variable archiveContent may contain the article body edited in the backend rich text editor; marking it as "safe" tells the template engine not to escape it.

However, |safe is a double-edged sword: it gives the template great flexibility, but it also means that the responsibility for outputting the content safely is passed on to the user. Once |safe is used, you must ensure that the HTML contained in the variable is completely clean and harmless.

Handling Rich Text Content Safely: Practical Recommendations

When using AnQiCMS to manage and display rich text content, following these practices can greatly enhance security:

  1. Built-in protection of the rich text editor: the AnQiCMS backend document content editor (such as in "Publish Document" or "Page Management") should have a certain HTML cleaning ability. This means that before content is saved to the database, the editor filters out known malicious scripts and unsafe tag attributes, retaining only commonly used, safe HTML tags. This alone does not make |safe output risk-free, but the preliminary filtering by the front-end editor removes most of the risk. For Markdown editors, where the render=true parameter converts Markdown to HTML, AnQiCMS also has a mechanism to ensure the safety of the output.

  2. Use the |safe filter with caution: this is the most important principle. |safe should be used only when the content comes from a fully trusted source (for example, rich text edited by hand by a security-conscious administrator, which has already been sanitized by the editor). Content from user input (such as unreviewed comments or messages submitted by visitors) or from external collection should never be output with |safe directly unless it has been strictly sanitized by the backend.

  3. Understand the content source:Think about the source of the content before outputting it in the template.

    • Article/page main content: usually created by administrators through a rich text editor, generally considered safe, and output with |safe.
    • Custom field (text type): if the custom field is used for entering plain text and has not been specially processed, avoid |safe.
    • User comments/messages: this is a high-risk area for XSS attacks. AnQiCMS should perform strict HTML filtering and escaping when processing comment content. In the template, avoid |safe, or rely on AnQiCMS's built-in escaping mechanism.
    • External content collection: content obtained through the "Content Collection" feature comes from complex sources and may contain malicious code. This type of content should be strictly sanitized before being stored, and |safe should be avoided in templates unless the backend has confirmed that all unsafe elements have been removed.
  4. Use the autoescape tag for local control: if most of the content in a template file needs to be automatically escaped and only a small part needs to output raw HTML, you can wrap specific code blocks in {% autoescape off %} and {% autoescape on %} for fine-grained control. This is clearer and safer than adding |safe to each variable.

  5. The special use of |escapejs: sometimes we need to embed dynamic content into JavaScript code. In that case |safe alone is insufficient, because it only deals with escaping in an HTML context. To prevent JavaScript injection, AnQiCMS provides the |escapejs filter. For example, if a JavaScript variable needs to receive the article title from the backend, write it as: var articleTitle = "{{ article.Title|escapejs }}"; This ensures that any special characters in the title cannot break out of the JavaScript string and disrupt the syntax, thereby avoiding JavaScript injection vulnerabilities.
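The three behaviours this list relies on, default escaping of untrusted text (item 2 and the comments bullet), marking backend-sanitized content as safe (the article-body bullet), and escaping a value into a JavaScript string (item 5), shown together in one runnable program. This is an added example, not AnQiCMS code: AnQiCMS's own engine uses the pongo2-style |safe, |escapejs and autoescape syntax described above, whereas this example uses Go's standard html/template, where the template.HTML type plays the role of |safe and the engine applies JavaScript-string escaping automatically inside a script block. The sample article body and the hostile comment are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed samples: an article body produced by a trusted backend editor
// (assumed to have passed the editor's allowlist already) and a hostile
// comment submitted by an anonymous visitor.
const trustedBody = `<p>Hello <strong>world</strong></p>`
const hostileComment = `<script>alert('XSS攻击')</script>`

// Page is the data handed to the template. Body is typed template.HTML,
// the html/template equivalent of marking a variable |safe: the engine
// emits it verbatim, so it must have been sanitized before it gets here.
type Page struct {
	Title   string
	Body    template.HTML
	Comment string
}

// render parses a template source and executes it against p.
func render(src string, p Page) (string, error) {
	t, err := template.New("page").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderComment is the default path: an untrusted string placed in an HTML
// text context is escaped, so the browser shows the tag as literal text.
func RenderComment(comment string) (string, error) {
	return render(`<div class="comment">{{.Comment}}</div>`, Page{Comment: comment})
}

// RenderBody is the |safe path: whatever is passed in is wrapped in
// template.HTML and emitted unescaped. Safe for trustedBody; calling it on
// hostileComment reproduces exactly the mistake the article warns about.
func RenderBody(body string) (string, error) {
	return render(`<article>{{.Body}}</article>`, Page{Body: template.HTML(body)})
}

// RenderTitleScript is the |escapejs path: the title lands inside a
// JavaScript string literal, so html/template applies JS-string escaping
// (quotes, angle brackets and slashes become \uXXXX or backslash forms)
// instead of HTML entity escaping.
func RenderTitleScript(title string) (string, error) {
	return render(`<script>var articleTitle = "{{.Title}}";</script>`, Page{Title: title})
}

func main() {
	cases := []struct {
		label string
		fn    func() (string, error)
	}{
		{"untrusted comment, default escaping", func() (string, error) { return RenderComment(hostileComment) }},
		{"trusted body marked safe", func() (string, error) { return RenderBody(trustedBody) }},
		{"untrusted comment wrongly marked safe", func() (string, error) { return RenderBody(hostileComment) }},
		{"title inside a JS string", func() (string, error) { return RenderTitleScript(`"; alert(1); //`) }},
	}
	for _, c := range cases {
		out, err := c.fn()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s %s\n", c.label+":", out)
	}
}
```

The third case is the one to watch: the only difference between a displayed comment and an executed script is the type the value carries into the template, which is exactly why the article ties |safe to the provenance of the content rather than to where it is printed.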

Summary

AnQiCMS was designed with full consideration of content security, and its default automatic escaping mechanism gives our website a solid security foundation. However, the flexible template engine also gives us the ability to control HTML output. When using the |safe filter, we should always be vigilant, understand the security implications behind it, and take appropriate security measures according to the content source and application scenario. By strictly sanitizing content on the backend, using front-end templates sensibly, and continuously paying attention to security risks, we can enjoy the convenience brought by AnQiCMS while