AnQi CMS has always paid great attention to security from the very beginning, which is fully reflected in its concise and efficient Go language architecture, aiming to provide users with a secure and stable content management environment.In the daily content release and template creation, we often encounter various template tags and filters. Among them,safeThe filter is a powerful tool but also one that requires our special vigilance.It allows us to output raw HTML content in the template, but it is precisely this 'freedom' that hides some risks that should not be ignored, especially in preventing cross-site scripting (XSS) attacks.

safeThe function and convenience of the filter

In the template development of AnQi CMS,safeThe filter is a very practical tool. It allows us to render HTML code directly on the page instead of escaping them into plain text.For example, when we use a rich text editor to edit an article with pictures and text, or customize some HTML fragments with special styles, if we output these contents directly, the template system, for security reasons, will default to outputting HTML tags (such as<script>/<img>/<div>Convert to the corresponding entity character (such as&lt;script&gt;), resulting in these contents not being displayed in the expected style and structure

At this time,safeThe filter comes into play. By adding to the variable|safesuch as{{ archiveContent | safe }}In fact, we are telling the template system: "This"archiveContentThe content in the variable has been confirmed safe, please parse and display it as HTML without any escaping.So that images, paragraph styles, custom links, and other elements in the article can be perfectly displayed on the page.

safeXSS attack risk brought by the filter

However, it issafeThe feature of the filter to disable automatic escaping makes it a potential risk point.Cross-site scripting (XSS) attack is a common network security vulnerability. Attackers inject malicious scripts into web pages, and when users visit these pages, the malicious scripts will execute in the user's browser, thereby stealing user information, hijacking sessions, tampering with page content, and even performing phishing operations.

When we usesafeWhen the filter is used, the system's default security escaping mechanism is bypassed. This means that if malicious scripts (such assafeare included in the variables passed to the filter<script>alert('XSS');</script>),and these scripts have not been properly handled before entering the template, then the browser will directly execute these malicious scripts, resulting in XSS attacks.

Common risk scenarios

In practical application, the following situations are particularly worth being vigilant aboutsafePossible risks of the filter:

  1. User submitted content:This is the most common source of XSS attacks. Whether it is the comment section, message board, forum posts, or custom fields in user profiles, any content that allows user input and is eventually displayed on the page may be maliciously injected with scripts.If this content is not strictly purified and directlysafeWhen the filter is rendered, the website is exposed to risks.

  2. Untrusted external data source:Sometimes, we may obtain content from external APIs, RSS subscriptions, or other third-party services. If these external data sources themselves have security vulnerabilities, or if the content they provide has not been thoroughly reviewed, then the malicious scripts hidden within may be passed throughsafeAfter the filter is rendered, XSS attacks may still occur on our website.

  3. Even the content of backend management is not absolutely secure:We might think that the content published by the background administrator is absolutely safe.But the actual situation is not like that. The administrator's account has been compromised, or the administrator has unknowingly copied and pasted content from an unsafe source containing malicious code, all of which can lead to contamination.Once this contaminated content issafeThe filter processes and displays on the front, the risk still exists.

  4. Developer's misunderstanding and negligence:Some developers may mistakenly believesafeThe filter can "purify" content or be used arbitrarily during development debuggingsafeIgnoring the security of the content source. This misconception or negligence is prone to vulnerabilities

How to effectively prevent risks

Understood the risks, the next step is how to effectively prevent them.safeThe filter itself is not 'evil', it is just a functional tool, the key is how we use it correctly:

  • Input validation and content purification is the core:No matter where the content comes from, if there is a possibility that it contains user input or data from untrusted sources, it must undergo strict server-side validation and sanitization before storing it in the database and before rendering it into the template. This means that all HTML tags and attributes that could cause script execution (such as<script>tags,onerrorProperties,javascript:Protocols,). Although front-end input validation can enhance user experience, server-side purification is an indispensable part of the security defense line.

  • Use only on content that is confirmed to be secure.safe: safeThe filter should be considered a 'whitelist' mechanism. Only when weAbsolutely certainThe HTML content in a variable should be carefully constructed and completely harmless before using it. For example, only HTML content that has been strictly processed on the backend or generated by a trusted rich text editor is worth trusting and usingsafe.

  • UnderstandingautoescapeTags:AnQiCMS's template system also providesautoescapeA tag can control the automatic escaping behavior within a certain area. If a template area indeed requires a large amount of raw HTML, and we have fully assessed the source and security of these HTMLs, then it can be used{% autoescape off %}and{% autoescape on %}Enclose it to avoid repeatedly wrapping each variable|safeBut this also requires a high degree of vigilance and content traceability.

  • Regular security audits and code reviews:Develop the habit of regularly reviewing template code, especially focusing on|safeThe use location, check the source and purification process of the corresponding variable. At the same time, performing security vulnerability scanning and penetration testing on the website can help us find potential XSS vulnerabilities.

In short, Anqi CMS providessafeThe filter brings great convenience to us for flexible handling of HTML content, but its essence is to remove an important security protection.When using it, we must always be vigilant, making input validation and content purification our top priority, and ensuring that only content that has undergone strict security review can be marked as 'safe', thereby effectively preventing XSS attacks and protecting the security of the website and user data.

Frequently Asked Questions (FAQ)

1.|safeFilters and{% autoescape off %}What are the differences between tags? Which one should I use?

|safeThe filter acts on a single variable, telling the template system not to escape the value of this variable as HTML. And{% autoescape off %}The tag applies to a code block, it closes the automatic HTML escaping within it until it encounters{% autoescape on %}or code block ends. Usually, if you only need to disable escaping on a few variables,|safeMore convenient and with a smaller range. If you are sure that all variables in a certain area (such as displaying the full content of a rich text article) do not need to be escaped, and that these contents have been fully sanitized on the backend, then use{% autoescape off %}Can reduce the redundancy of template code. But regardless of which one is used, the premise is absolute control over the content safety.

2. Why does AnQi CMS provide a feature that may lead to XSS riskssafeFilter?

safeThe existence of a filter is to meet certain legitimate needs, such as displaying the text and image content edited by the background rich text editor, preset HTML code snippets, or structured HTML obtained from a trusted source.In these scenarios, the content itself contains HTML tags, and enforcing escaping may cause display anomalies. Therefore,safeThe filter is a necessary tool that gives developers flexibility, but it also requires developers to take corresponding security responsibilities, ensuring that the content passed to it is truly safe. The default automatic escaping mechanism of Anqi CMS has provided basic protection,safeIt should be used only when the developer is fully aware and willing to take the risk.

3. Do I need to sanitize the content again on the backend if my website's frontend uses a rich text editor and has built-in content sanitization features?

Yes, backend purification is absolutely necessary and is the last and most crucial line of defense.The frontend purification function can enhance user experience, such as real-time filtering of non-compliant inputs, but it is easily bypassed.Malicious users can bypass front-end validation by directly sending requests to the server, disabling JavaScript, or modifying front-end code.Therefore, no matter how the front-end handles it, all data submitted by users or coming from external sources must be strictly validated, filtered, and sanitized on the server side to ensure that the data entering the database and templates is secure.