In the template design process of AnQiCMS, understanding when to explicitly use the `safe` filter is crucial for ensuring that rich text content renders correctly while keeping the website secure. AnQiCMS's template engine, like many modern CMS systems, escapes all content by default to prevent security vulnerabilities such as cross-site scripting (XSS). Content output as a bare variable, `{{ 变量 }}`, is HTML-escaped. This means that if you directly output text containing HTML tags, for example `{{ 文章内容 }}` where `文章内容` actually stores `<p>这是一段加粗的<b>文字</b></p>`, the page will not display formatted text: the HTML sent to the browser contains `&lt;p&gt;这是一段加粗的&lt;b&gt;文字&lt;/b&gt;&lt;/p&gt;`, which the browser shows literally as plain text rather than parsing as HTML.

In which cases do we need to explicitly tell the AnQiCMS template engine that 'this content is safe and should be parsed directly as HTML'? This mainly happens in the following core scenarios:

Firstly, when the content comes from the backend rich text editor, we need to explicitly use the `safe` filter. The AnQiCMS backend provides a feature-rich rich text editor, both for 'Document Content' in document management and for 'Single Page Content' in page management. When users enter content in these editors they frequently insert images, set text styles (such as bold or italic), and create lists or tables, all of which generate the corresponding HTML tags in the content. If the `safe` filter is not applied, the content the user has carefully edited and formatted will appear on the front end only as a pile of uninterpreted HTML code, severely harming the user experience and the appearance of the page. For example, when calling document content in the `archiveDetail` tag, you often see this pattern: `{{ archiveContent|safe }}`. Here `archiveContent` is the content obtained from the rich text editor, and only through `|safe` can the browser render it correctly as an HTML structure.

Secondly, when the Markdown editor is enabled for the content and the Markdown syntax needs to be rendered into HTML on the front end, the `safe` filter is equally indispensable. AnQiCMS supports a Markdown editor; Markdown text itself is plain text, but when rendered on the front end it is parsed and converted into an HTML structure. The `help-markdown.md` document mentions that once the Markdown editor is enabled, its content is rendered into HTML when displayed on the front end. Although in certain tags such as `archiveDetail` you can use the `render=true` parameter to request the conversion from Markdown to HTML, the generated HTML string still needs the `safe` filter so that it is not escaped a second time. For example, `{{ archiveContent|render|safe }}`: this combination first renders Markdown into HTML, then `safe` ensures the HTML is output correctly.

In addition, `safe` can also be used when processing HTML fragments that are explicitly uploaded and managed by administrators or developers and whose content is absolutely reliable. This may include predefined advertisement code, specific HTML block structures, or HTML fragments introduced through 'custom content tags', which have been confirmed to contain no malicious scripts or unsafe tags. `SiteCopyright` in the `system` tag may also need `|safe` to make sure its format is correct, if the backend allows HTML to be included in it.

In short, the `safe` filter is a necessary but cautious tool in AnQiCMS template design. Its core function is to inform the template engine that a piece of content has been strictly checked, manually or programmatically, and confirmed to be safe HTML that can be parsed directly. However, this 'trust' also means you take on the corresponding security risk. When using `safe`, you must ensure that the content source is highly credible and has been thoroughly audited for security, to avoid potential issues such as XSS attacks.


Common Questions (FAQ)

Q1: If I do not use the `safe` filter, how will rich text content be displayed?
A1: If you do not use the `safe` filter on a variable that contains rich text content, the template engine will by default escape all HTML tags (such as `<p>`, `<img>`, `<strong>`, etc.) into their corresponding HTML entities (such as `&lt;p&gt;`, `&lt;img&gt;`, `&lt;strong&gt;`). This means that on the web page you will see a pile of raw HTML code rather than formatted, rendered text content.

Q2: Can `safe` be used on any variable containing rich text content? Is it safe to do so?
A2: Theoretically you can use `safe` on any variable, but this is not always safe. The `safe` filter bypasses AnQiCMS's default security protection and outputs HTML directly. If the variable's content comes from untrusted user input or contains malicious JavaScript code (for example, submitted through comments or front-end forms), then using `safe` will directly cause that malicious code to execute in visitors' browsers, leading to security vulnerabilities such as cross-site scripting (XSS). Therefore, only use the `safe` filter when you are 100% sure that the content source is trustworthy and that the content itself has been strictly filtered and contains no malicious code.
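The escaping behaviour described in the article and the trust decision discussed in Q2, as an added example that is not AnQiCMS code: Go's standard `html/template` stands in for the AnQiCMS template engine (a plain string is escaped like a bare `{{ 变量 }}`, and `template.HTML` plays the role of `|safe`), and the allowlist, the sample strings and the function names `Render`, `UsesOnlyAllowedTags` and `RenderTrusted` are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// pageTmpl places the value in HTML text context, where html/template
// escapes <, >, &, quotes and + by default, just like AnQiCMS does.
var pageTmpl = template.Must(template.New("page").Parse(`<div class="content">{{.}}</div>`))

// Render outputs content through the template. With markSafe=false the
// string is escaped (the default {{ 变量 }} behaviour); with markSafe=true it
// is wrapped in template.HTML, the stdlib equivalent of |safe, and passed
// through verbatim.
func Render(content string, markSafe bool) (string, error) {
	var data interface{} = content
	if markSafe {
		data = template.HTML(content)
	}
	var buf bytes.Buffer
	if err := pageTmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// tagRe captures the name of every opening or closing tag.
var tagRe = regexp.MustCompile(`<\s*/?\s*([A-Za-z][A-Za-z0-9]*)`)

// dangerousAttrRe rejects inline event handlers and javascript: URLs.
var dangerousAttrRe = regexp.MustCompile(`(?i)\son[a-z]+\s*=|javascript:`)

// allowedTags is a hypothetical allowlist of what a rich text editor is
// expected to emit (assumption, not an AnQiCMS setting).
var allowedTags = map[string]bool{
	"p": true, "b": true, "i": true, "strong": true, "em": true, "br": true,
	"ul": true, "ol": true, "li": true, "img": true, "a": true,
	"table": true, "tr": true, "td": true, "th": true,
}

// UsesOnlyAllowedTags is a coarse audit check, not a full sanitizer: it
// returns false if any tag name is outside the allowlist or a dangerous
// attribute pattern appears. A production deployment would run a real HTML
// sanitizer before ever marking content safe.
func UsesOnlyAllowedTags(content string) bool {
	if dangerousAttrRe.MatchString(content) {
		return false
	}
	for _, m := range tagRe.FindAllStringSubmatch(content, -1) {
		if !allowedTags[strings.ToLower(m[1])] {
			return false
		}
	}
	return true
}

// RenderTrusted encodes the policy the article argues for: content is marked
// safe only when it comes from an administrator-controlled editor AND passes
// the check; anything else falls back to the default escaping.
func RenderTrusted(content string, fromAdminEditor bool) (string, error) {
	return Render(content, fromAdminEditor && UsesOnlyAllowedTags(content))
}

func main() {
	editor := "<p>这是一段加粗的<b>文字</b></p>"                // constructed editor output
	comment := "<p>hi</p><script>/* constructed */</script>" // constructed untrusted input
	cases := []struct {
		s     string
		admin bool
	}{{editor, true}, {comment, false}, {comment, true}}
	for _, c := range cases {
		out, _ := RenderTrusted(c.s, c.admin)
		fmt.Println(out)
	}
}
```

Running the block prints the editor sample as live HTML and the comment sample escaped twice: once because it is not administrator-sourced, and once because even an administrator-sourced string fails the tag check, which is the "100% sure" condition from A2 expressed as code.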

Q3: Besides article content or single-page content, where else might the `safe` filter be needed?
A3: In addition to the main content area of an article or single page (usually generated by a rich text editor), some custom fields (defined in content models or category settings) may also store and display HTML snippets (such as product feature lists, specially formatted introductions, or embedded third-party code) and therefore need the `safe` filter. Moreover, if your website has enabled Markdown content and renders it to HTML for display, the rendered HTML string also needs `safe`. In summary, any HTML structure generated by the backend through an editor or program logic that needs to be displayed on the front end as HTML may require `safe`.