In website operations, keeping content secure is a crucial link, especially when your website allows users to submit content or displays data from different sources. Cross-site scripting (XSS) attacks are one of the most common threats: they can lead to leakage of users' data, session hijacking, or even tampering with the website itself. For those of us who manage content with AnQiCMS, understanding how to safely display strings that may contain HTML tags in templates is the foundation of preventing such attacks.
By default, the AnQiCMS template engine applies a very important security measure when outputting variables: it automatically escapes HTML special characters. This means that when you output content with `{{ variable }}`, any `<`, `>`, `&`, `"` or `'` characters the variable contains are automatically converted into the corresponding HTML entities (for example, `<` becomes `&lt;`). This default behaviour is the key defence against cross-site scripting (XSS): it effectively prevents malicious HTML or JavaScript from being parsed and executed by the browser.
However, in some specific scenarios you may genuinely want to display content that contains real HTML tags, for example article content retrieved from the backend rich-text editor, or HTML fragments that have been strictly reviewed and confirmed harmless. The `safe` filter explicitly tells the template engine that this content is safe and does not need HTML escaping. Its usage is intuitive: append `|safe` to the variable that should not be escaped. For example, to display the article content `archiveContent`, you would write `{{ archiveContent|safe }}`. Once you use the `safe` filter, you have explicitly taken on the responsibility for that content's safety: you need to ensure that all HTML in `archiveContent` has been validated, is harmless and contains no malicious scripts, otherwise it may open the door to XSS attacks.
In addition to the `safe` filter for a single variable, AnQiCMS templates also provide the `{% autoescape on/off %}` tag to control automatic escaping for a whole block. After `{% autoescape off %}`, the output of `{{ variable }}` is no longer HTML-escaped until `{% endautoescape %}` is reached or the template ends. Within such a block you must therefore be particularly vigilant about the content of every variable; if an individual variable needs escaping anyway, apply the `|escape` filter to it. For example, writing `{{ malicious_string|escape }}` inside an `{% autoescape off %}` block ensures that the HTML special characters in `malicious_string` are still escaped.
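To make the three output paths described above concrete, here is a small Go model added for this article; it is not AnQiCMS's own code and makes no claim about its template engine's internals. `Value`, `Render` and `ScriptReachesBrowser` are hypothetical names, and the model assumes the default escaping covers the same five characters as Go's `html.EscapeString`.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Value is a template variable. Safe mirrors the effect of the |safe filter:
// a value marked safe is emitted verbatim, everything else is escaped.
type Value struct {
	Text string
	Safe bool
}

// Escape is the default output path: the five HTML special characters
// < > & " ' become entities, so the browser treats them as text.
// html.EscapeString from the Go standard library escapes exactly these.
func Escape(s string) string { return html.EscapeString(s) }

// Render models {{ v }} inside a block where autoescape is on or off.
// forceEscape models the |escape filter, which re-enables escaping for a
// single variable even inside {% autoescape off %}.
func Render(v Value, autoescape bool, forceEscape bool) string {
	if forceEscape {
		return Escape(v.Text)
	}
	if !autoescape || v.Safe {
		return v.Text
	}
	return Escape(v.Text)
}

// ScriptReachesBrowser is a simple check a template test can run over rendered
// output: a literal <script tag surviving rendering means escaping was bypassed.
func ScriptReachesBrowser(out string) bool {
	return strings.Contains(strings.ToLower(out), "<script")
}

func main() {
	// Constructed sample: a comment a user submitted containing a script tag.
	comment := Value{Text: `<b>hi</b><script>alert("x")</script>`}
	// Constructed sample: reviewed rich-text article content marked |safe.
	article := Value{Text: `<p>Hello <em>world</em></p>`, Safe: true}

	fmt.Println(Render(comment, true, false))  // entities only; script is inert
	fmt.Println(Render(article, true, false))  // like {{ archiveContent|safe }}: raw HTML
	fmt.Println(Render(comment, false, false)) // autoescape off: script reaches the browser
	fmt.Println(Render(comment, false, true))  // autoescape off + |escape: escaped again
	fmt.Println(ScriptReachesBrowser(Render(comment, false, false)))
}
```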
When handling rich text or Markdown content, AnQiCMS also provides the corresponding filters. For example, when the Markdown editor is enabled in the backend, the system automatically converts Markdown-formatted content into HTML. If that content contains potentially malicious HTML, the converted output still needs to be handled properly: use `|safe` on it only on the premise that you fully understand the source and safety of the content.
To comprehensively strengthen website security, content operation policies should keep pace with the technical filters. Comments, messages and other user-submitted content must go through strict backend validation and content review. You can set up sensitive-word filtering or restrict the whitelist of HTML tags allowed in the rich-text editor. In addition, regularly updating the AnQiCMS system so that its core security mechanisms stay current is also indispensable.
By understanding the default security mechanism of the AnQiCMS template engine and using features such as `safe` and `autoescape` appropriately, we can offer rich content display while effectively defending against XSS injection attacks, giving users a safe and reliable browsing environment.
Common Questions (FAQ)
What is an XSS attack, and why do we need to defend against it in AnQiCMS templates?
An XSS (Cross-Site Scripting) attack is a common web security vulnerability. An attacker injects malicious scripts (usually JavaScript) into a website; when other users visit pages containing these scripts, the malicious code executes in their browsers, allowing the attacker to steal user information, hijack sessions, modify page content, and more. Because AnQiCMS is a content management system, users (or administrators) may input content containing HTML or script snippets. If this content is displayed directly on a page without any defence, it can lead to XSS attacks. The default HTML escaping mechanism of AnQiCMS exists precisely to prevent unauthorized scripts from executing.
Can the `|safe` filter be used freely in any situation?
Absolutely not. The `|safe` filter is equivalent to telling the AnQiCMS template engine: "I know this content is safe, please parse it directly as HTML and do not escape it." Therefore, use `|safe` only when you are very sure that the variable's content is pure, harmless HTML, for example HTML that comes from your own strictly reviewed rich-text editor, where the editor itself has strong XSS protection. Using `|safe` on content that has not been reviewed in this way is almost certain to introduce XSS vulnerabilities.
If I am not sure whether user-submitted content is safe, how should I handle it?
When you are unsure whether user-submitted content is safe, or the content may contain HTML that you do not want parsed, the right method is not to use the `|safe` filter at all. Keep the AnQiCMS template engine in its default HTML-escaping behaviour. That way any HTML tags the user entered are displayed as plain text: for example, `<script>` becomes `&lt;script&gt;`, which effectively prevents malicious scripts from executing. For scenarios that need some formatted text, consider using a Markdown editor and ensuring that the backend Markdown parser itself has XSS protection, or adopting a whitelist mechanism that only lets specific safe HTML tags through.