When using AnQiCMS to display website content, the flexibility and security of the templates are the main concerns for developers. The AnQiCMS template engine provides a rich set of filters for processing content, and two of them, linebreaks and |safe, often appear together. This regularly leaves developers who are new to the engine wondering: after linebreaks has converted plain text into HTML, does the output still need to be combined with the |safe filter? This article looks at this question in depth.
The role and output form of the linebreaks filter
First, let's understand the core function of the linebreaks filter. It was designed to solve the problem that the newline character (\n) in plain text is not interpreted as a line break by the browser when the text is displayed on a web page. The linebreaks filter converts the line breaks in plain text into HTML paragraph tags (<p>) and line-break tags (<br/>): a single newline becomes <br/>, and two or more consecutive newlines (usually a blank line) close the current paragraph and open a new pair of <p> tags around the next one.
For example, if your text content is (note the blank line before the third line):
这是第一行。
这是第二行。

这是第三行。
After the linebreaks filter is applied, it generates an HTML structure like this:
<p>这是第一行。<br/>这是第二行。</p>
<p>这是第三行。</p>
Clearly, the job of linebreaks is to generate HTML tags that carry formatting, so that plain text content appears tidier and more readable on the page.
The default security mechanism of the AnQiCMS template engine and the |safe filter
By default, the AnQiCMS template engine applies a strict security policy when outputting variables: all output variable content is HTML-entity escaped. This means that if a variable contains HTML tags (such as <p>, <a> or <script>), then without any further processing those tags are converted into their HTML entity form: for example, < becomes &lt; and > becomes &gt;. This default escaping exists to prevent cross-site scripting (XSS): user input or content from other untrusted sources is displayed as plain text instead of being executed on the page as HTML or JavaScript.
The |safe filter does exactly the opposite: it removes this default escaping. When you write a variable followed by |safe, you are explicitly telling the template engine: "I know the content of this variable is safe HTML; do not escape it, output it to the page with its original HTML structure."
Combining linebreaks with |safe: why is it necessary?
Now back to the core question: after linebreaks has generated HTML content, is |safe still necessary? The answer is: yes, in almost all cases.
The key point is this: the linebreaks filter converts plain text into an HTML structure, but it does not mark the generated HTML as 'safe'. When rendering the page, the template engine still applies its default HTML-entity escaping on its own. If linebreaks has produced HTML and that HTML is not marked with |safe, the engine treats it as an unchecked string and escapes every HTML tag in it.
This means that even though linebreaks has converted \n into <p> and <br/>, if you omit |safe on output the browser receives the literal text <p> and <br/> instead of actual paragraphs and line breaks. The page shows the raw, uninterpreted tag text, and the formatting that linebreaks was meant to add is lost.
Therefore, when you use linebreaks to add HTML structure to text, you already know where the content comes from and what HTML structure is intended, and you consider that structure harmless; for the browser to interpret those tags and display the expected formatting, the output must be combined with the |safe filter. For example: {{ archive.Description|linebreaks|safe }}.
Practical recommendations and safety considerations
In AnQiCMS template development, linebreaks|safe is a very practical combination when you are formatting text from a reliable source (such as content entered by backend editors, or content that has been reviewed). It keeps the text as easy to edit as plain text while presenting it as structured HTML on the front end.
However, |safe is not a panacea and should be used with care. If the content comes from user submissions or other untrusted external sources, applying |safe directly, even after linebreaks, can pose a security risk, because it 'trusts' all of the incoming HTML. In that case it is better to:
- Perform strict backend validation and filtering of user input, allowing only safe HTML tags and attributes to pass.
- Consider using a more capable rich-text editor; such editors usually perform security filtering when content is saved, or provide a read-only mode on the front end, which reduces the need to use |safe directly.
- The AnQiCMS documentation notes that when the Markdown editor is enabled, the content of archiveDetail is automatically converted from Markdown to HTML, and recommends combining it with |safe. This confirms that even when content has already been converted to HTML, |safe is still indispensable on output.
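As an added example (not AnQiCMS's or its template engine's own code), the Go program below models the behaviour described in the two sections above with the standard html/template package: a linebreaks-style filter that returns a plain string is autoescaped, so the browser receives literal <p> tags, while the same output wrapped in template.HTML (the counterpart of |safe) is emitted verbatim. The helper names Linebreaks and Render are this example's own, and the filter's escaping of each text line before wrapping it is an assumption of this example rather than a property claimed for the real filter; it is what makes marking the output safe defensible even for user-submitted text.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"regexp"
	"strings"
)

var blankLine = regexp.MustCompile(`\n{2,}`) // a blank line ends a paragraph
// Linebreaks follows the rules the article describes: one newline becomes
// <br/>, a blank line starts a new <p>. This added variant also HTML-escapes
// each text line first (an assumption of this example, not a claim about the
// real filter), so marking its output "safe" cannot let user markup through.
func Linebreaks(text string) string {
	text = strings.TrimSpace(strings.ReplaceAll(text, "\r\n", "\n"))
	var b strings.Builder
	for _, para := range blankLine.Split(text, -1) {
		lines := strings.Split(para, "\n")
		for i, l := range lines {
			lines[i] = html.EscapeString(l)
		}
		b.WriteString("<p>" + strings.Join(lines, "<br/>") + "</p>")
	}
	return b.String()
}

// Render pushes the filter output through an autoescaping engine. A plain
// string is escaped (AnQiCMS's default); template.HTML is the html/template
// counterpart of |safe and is emitted unchanged.
func Render(text string, markSafe bool) string {
	tpl := template.Must(template.New("t").Parse("{{.}}"))
	var value interface{} = Linebreaks(text)
	if markSafe {
		value = template.HTML(Linebreaks(text))
	}
	var out strings.Builder
	if err := tpl.Execute(&out, value); err != nil {
		panic(err)
	}
	return out.String()
}

func main() {
	// Constructed sample: an editor's description with a stray script tag.
	desc := "First line\nSecond line\n\nThird line <script>alert(1)</script>"
	fmt.Println(Render(desc, false)) // browser gets literal &lt;p&gt; text
	fmt.Println(Render(desc, true))  // real <p>/<br/>; the script stays escaped
}
```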
Summary
The linebreaks filter converts newline characters in plain text into HTML tags for better formatting; the |safe filter tells the AnQiCMS template engine to output content containing HTML tags directly as 'safe' HTML rather than HTML-entity encoding it. Each has its own role, and only when they work together can the page show the structure and style the developer expects while keeping security in mind. Therefore, in most cases, content converted by linebreaks does need to be output together with the |safe filter.
Frequently Asked Questions (FAQ)
Why does the AnQiCMS template engine escape HTML by default?
The AnQiCMS template engine escapes HTML by default to improve website security, mainly to prevent cross-site scripting (XSS). XSS attacks inject malicious scripts into web pages, which may steal user data, tamper with page content, or perform other malicious actions. With default escaping, the special characters < and > in all variable content are converted to the HTML entities &lt; and &gt;, so a malicious script is not parsed and executed by the browser, which protects both the website and its users.
Apart from linebreaks, which other filters may generate HTML content and need to be output with |safe?
Besides linebreaks, the AnQiCMS template engine has other filters that generate HTML structure and usually also need |safe to render correctly:
- urlize: automatically converts URLs and email addresses in the text into clickable <a> links.
- truncatechars_html and truncatewords_html: truncate HTML content while keeping the HTML structure as intact as possible and appending an ellipsis; the result contains HTML tags.
- render: as mentioned for archiveDetail, when the content is Markdown and needs to be rendered as HTML, the render filter performs the conversion, and its output is also HTML.
In short, any filter that outputs HTML tags rather than plain text may need |safe, provided the content is secure and under your control.
If I use |safe to output user comments containing malicious scripts, what are the consequences, and how can the risk be avoided?
If you use |safe to output a user comment containing a malicious script (such as <script>alert('XSS')</script>), the script is executed by the browser of every other user who visits the page. This can lead to serious consequences such as session hijacking, data leakage and website tampering. Ways to avoid the risk include:
- Strict input validation and filtering: before user content is stored in the database, validate all input on the server side and remove or escape any potentially malicious HTML and JavaScript. A whitelist can be used to allow only a few known-safe tags (such as <b> and <i>) through.
- Contextual escaping: avoid |safe where it is not needed, and use it only when you are sure the content is safe HTML.
- Content moderation: for user-generated content (UGC), apply manual or automated review to ensure compliance and safety.
- Use a secure rich-text editor: where possible, choose a rich-text editor with built-in security filtering that cleans up unsafe HTML when content is saved and loaded.