When designing AnQiCMS templates, understanding when to explicitly use the `safe` filter is crucial for rendering rich text content correctly while keeping the site secure. Like many modern CMS template engines, the AnQiCMS template engine escapes all output by default to prevent cross-site scripting (XSS) and other vulnerabilities: `{{ 变量 }}` (a variable) is output HTML-escaped. This means that if you output text containing HTML tags, for example `{{ 文章内容 }}` (the article content), while the stored value is actually `<p>这是一段加粗的<b>文字</b></p>`, the page does not show formatted text; it shows the literal string `&lt;p&gt;这是一段加粗的&lt;b&gt;文字&lt;/b&gt;&lt;/p&gt;`, which the browser treats as plain text rather than parsing as HTML.

In which cases, then, do we need to explicitly tell the AnQiCMS template engine that a piece of content is safe and should be parsed directly as HTML? This mainly occurs in the following core scenarios:

First, when the content comes from the backend rich text editor, we need to explicitly use the `safe` filter. The AnQiCMS backend provides a full-featured rich text editor for both the 'Document Content' field in document management and the 'Single Page Content' field in page management. Users typically insert images, apply text styles (such as bold or italic), create lists or tables, and so on, all of which produce the corresponding HTML tags in the stored content. If the template does not apply the `safe` filter to this content, the user's careful editing and formatting shows up on the front end as nothing more than a pile of raw HTML code, seriously harming the user experience and the page's appearance. For example, when outputting document content inside an `archiveDetail` tag, you will often see this form: `{{ archiveContent|safe }}`. Here `archiveContent` is the content produced by the rich text editor; through `|safe`, the browser renders it correctly as HTML structure.
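To make the default-escaping behaviour concrete, here is an added example in Go. It is not AnQiCMS code: AnQiCMS uses its own template engine, and the `Page` type, field names and sample strings below are assumptions. Go's `html/template` behaves the way the text describes: a plain string is escaped on output, while a value of type `template.HTML` is inserted verbatim, which plays the role of `|safe`. The editor-produced article body is marked trusted; the visitor comment is left as a string, so a script tag typed into it is neutralised rather than executed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Page models the two kinds of content a CMS template typically receives.
// Added example; the type and field names are assumptions, not AnQiCMS code.
type Page struct {
	// ArticleHTML is the body produced by an administrator's rich-text editor.
	// Wrapping it in template.HTML is html/template's counterpart of |safe:
	// the engine inserts it verbatim instead of escaping it.
	ArticleHTML template.HTML
	// Comment is visitor-supplied text. Left as a plain string, every '<',
	// '>', '&' and quote in it is converted to an entity on output.
	Comment string
}

// pageTemplate is a constructed template with one trusted and one untrusted field.
const pageTemplate = `<article>{{ .ArticleHTML }}</article>
<div class="comment">{{ .Comment }}</div>`

var pageTmpl = template.Must(template.New("page").Parse(pageTemplate))

// Render marks the article as trusted HTML, keeps the comment as plain text,
// executes the template and returns the HTML it produced.
func Render(articleHTML, comment string) (string, error) {
	var buf bytes.Buffer
	p := Page{ArticleHTML: template.HTML(articleHTML), Comment: comment}
	if err := pageTmpl.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// EscapeOnly shows what rich text becomes when nothing marks it safe:
// the whole string, tags included, is escaped.
func EscapeOnly(richText string) string {
	return template.HTMLEscapeString(richText)
}

func main() {
	// Constructed sample data: editor output and a hostile comment.
	article := `<p>这是一段加粗的<b>文字</b></p>`
	comment := `nice post <script>alert(1)</script>`

	fmt.Println("escaped (no safe):", EscapeOnly(article))
	out, err := Render(article, comment)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The design point is that trust is attached to the value's type at the place where the content originates, not sprinkled into the template: only content that went through the administrator's editor is ever wrapped as `template.HTML`, so a template author cannot accidentally promote a comment to trusted HTML.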

Second, when the Markdown editor is enabled for the content and the Markdown must be rendered to HTML on the front end, the `safe` filter is equally indispensable. AnQiCMS supports a Markdown editor. Markdown text itself is plain text, but when it is rendered on the front end it is parsed and converted into an HTML structure. For example, the `help-markdown.md` document notes that after the Markdown editor is enabled, its content is rendered into HTML when displayed on the front end. Although in certain tags such as `archiveDetail` you can use the `render=true` parameter to request the Markdown-to-HTML conversion, the resulting HTML string still needs the `safe` filter to avoid being escaped again. For example, the combination `{{ archiveContent|render|safe }}` first renders the Markdown to HTML, and `safe` then ensures that HTML is output as-is.
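The double-escaping problem described above, as an added example in Go that is not AnQiCMS code. The `RenderMarkdown` function is a tiny constructed stand-in for the conversion behind `render=true` / `|render` (it handles only paragraphs and `**bold**`), and the template, function names and sample text are assumptions. It shows two things: a renderer that escapes the author's raw text before adding its own tags produces HTML that is safe to mark trusted, and passing that HTML through the template without the `template.HTML` wrapper (the counterpart of `|safe`) escapes the renderer's tags a second time.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// boldRe matches the **bold** syntax of the tiny Markdown subset below.
var boldRe = regexp.MustCompile(`\*\*(.+?)\*\*`)

// RenderMarkdown converts a small Markdown subset (paragraphs separated by
// a blank line, **bold** spans) to HTML. It is a constructed stand-in for
// the conversion behind AnQiCMS's render=true / |render, not that code.
// The text is HTML-escaped before markup is added, so the result contains
// only the tags the renderer itself emitted.
func RenderMarkdown(md string) string {
	var paragraphs []string
	for _, block := range strings.Split(strings.TrimSpace(md), "\n\n") {
		escaped := template.HTMLEscapeString(strings.TrimSpace(block))
		withBold := boldRe.ReplaceAllString(escaped, "<b>$1</b>")
		paragraphs = append(paragraphs, "<p>"+withBold+"</p>")
	}
	return strings.Join(paragraphs, "\n")
}

// bodyTemplate is a constructed template with a single content slot.
const bodyTemplate = `<div class="body">{{ .Content }}</div>`

var bodyTmpl = template.Must(template.New("body").Parse(bodyTemplate))

// render executes the template with one Content value of any type.
func render(content interface{}) string {
	var sb strings.Builder
	if err := bodyTmpl.Execute(&sb, map[string]interface{}{"Content": content}); err != nil {
		panic(err)
	}
	return sb.String()
}

// RenderWithoutSafe passes the rendered HTML as a plain string, which is
// what {{ archiveContent|render }} without |safe amounts to: the engine
// escapes the renderer's tags a second time.
func RenderWithoutSafe(md string) string {
	return render(RenderMarkdown(md))
}

// RenderWithSafe marks the rendered HTML as trusted, mirroring
// {{ archiveContent|render|safe }}.
func RenderWithSafe(md string) string {
	return render(template.HTML(RenderMarkdown(md)))
}

func main() {
	// Constructed sample: Markdown with a raw tag typed by the author.
	md := "This is a paragraph with **bold** text.\n\nA second one with a <script> tag typed by hand."
	fmt.Println("without safe:", RenderWithoutSafe(md))
	fmt.Println("with safe:   ", RenderWithSafe(md))
}
```

The caveat a practitioner should take from this is that `|safe` after `|render` is only justified because the renderer escapes the raw text itself; a Markdown renderer configured to pass raw HTML through unchanged would make the `safe` step as risky as it is for untrusted rich text.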

Furthermore, `safe` can also be used for HTML fragments that are clearly uploaded or managed by administrators or developers and whose content is fully trusted. This may include predefined ad code, specific HTML building blocks, or HTML fragments introduced through 'custom content tags' that have been confirmed to contain no malicious scripts or unsafe tags. For example, the copyright notice in a site footer or a specific custom code block: if the backend allows HTML input there and you trust the source, it also needs to be output with `safe`. Likewise, `SiteCopyright` in the `system` tag may need `|safe` if the backend allows it to contain HTML, so that its formatting is rendered correctly.

In summary, the `safe` filter is an unavoidable tool in AnQiCMS template design, but one to be used with care. Its core function is to tell the template engine that a given piece of content has been strictly checked and confirmed to be safe HTML that can be parsed directly. However, that 'trust' also means you take on the corresponding security risk. Therefore, when using `safe`, you must make sure the content source is highly trustworthy and has undergone a thorough security review, to avoid potential problems such as XSS attacks.


Frequently Asked Questions (FAQ)

Q1: If I do not use the `safe` filter, how will rich text content be displayed?
A1: If you do not apply `safe` to a variable containing rich text, the template engine by default escapes all HTML tags (such as `<p>`, `<img>`, `<strong>`) into their HTML entities (`&lt;p&gt;`, `&lt;img&gt;`, `&lt;strong&gt;`). On the web page you then see a pile of raw HTML code rather than the formatted content.

Q2: Is it safe to use `safe` on any rich text variable?
A2: In theory you can apply `safe` to any variable, but it is not always safe to do so. The `safe` filter bypasses AnQiCMS's default protection and outputs HTML directly. If the variable's content comes from untrusted user input, or contains malicious JavaScript (for example submitted through comments or front-end forms), using `safe` causes that code to execute in visitors' browsers, leading to vulnerabilities such as cross-site scripting (XSS). Therefore, use the `safe` filter only when you are completely certain that the content source is reliable and that the content has been strictly filtered and contains no malicious code.

Q3: Apart from article content or single-page content, where else might the `safe` filter be needed?
A3: Besides the main content area of an article or single page (usually produced by the rich text editor), custom fields (defined in content models or category settings) may also store and display HTML snippets, such as product feature lists, specially formatted summaries or embedded third-party code; if that is their intended use, they need `safe` as well. Also, if your site has Markdown content enabled and renders it to HTML for display, the rendered HTML string needs `safe` too. In short, whenever an HTML structure is generated in the backend by an editor or program logic and must be displayed as HTML on the front end, `safe` may be required.