In AnQiCMS template development, the linebreaksbr filter is a very commonly used tool. It is mainly used to process newline characters in text so that they are displayed as visible line breaks on web pages. So if the user's text already contains HTML tags, how will the linebreaksbr filter handle them? This is a question worth exploring in depth.

The main function of the linebreaksbr filter

As the name suggests, the core function of linebreaksbr is to automatically convert the newline characters (\n) in user-input text into HTML <br/> tags. This is very useful for those who want to preserve the original text formatting but do not want to manually insert HTML line break tags. After being processed by the linebreaksbr filter, the text is displayed on the web page with natural line breaks.

How linebreaksbr handles existing HTML tags: escaped by default

As for whether the linebreaksbr filter filters out HTML tags that already exist in the user's text, a more accurate statement is: by default it does not "filter" them out; instead, the existing HTML tags are escaped.

The AnQiCMS template engine, like many modern template systems, has a built-in automatic HTML escaping mechanism. This mechanism is designed to enhance the security of the website and effectively prevent cross-site scripting (XSS) attacks. Special characters such as < and > are all automatically converted to HTML entities, like &lt; and &gt;. This means that even if your original text contains <p>这是一个段落</p>, it is output as &lt;p&gt;这是一个段落&lt;/p&gt; and shown on the page as literal text rather than as an actual paragraph.

Therefore, when the linebreaksbr filter acts on text containing HTML tags, it first processes the newline characters, converting \n to <br/>. But at the same time, the automatic escaping function of the template engine continues to work, escaping all the original HTML tags (such as <b> and <a>) together with the <br/> tags generated by linebreaksbr itself. The final result is that, although you obtained a line break in theory, all the HTML structure is "invalid": only plain text or escaped text is displayed, and the browser does not parse any of it as HTML elements.

How to make HTML tags display normally: with the |safe filter

To solve this problem and have the linebreaksbr filter preserve the HTML tags in the user text as intended while correctly handling newline characters, you need to use it in conjunction with the |safe filter.

The |safe filter tells the AnQiCMS template engine that the content you are handling is "safe" and does not need to be automatically HTML-escaped; it should be output directly to the browser as raw HTML code. When you pass the result of linebreaksbr through the |safe filter, the template engine first completes the newline conversion, then treats the entire result (including the converted <br/> tags) as safe content and renders it directly.

For example, if you have a variable my_content that contains content like 你好\n世界<b>AnQiCMS</b>, and you want it displayed on the page with the line break and bold text, you need to use it like this:

{{ my_content|linebreaksbr|safe }}

The output will then be 你好<br/>世界<b>AnQiCMS</b>, and the browser will correctly parse and display this HTML with the line break and bold text.

Important notes on using |safe

However, the |safe filter is not without risk. Using it means you trust the source of the content and accept the risk that it may contain malicious scripts (XSS). If a malicious user can insert code such as <script>alert('XSS')</script> into the text, and this content is output directly through the |safe filter, the script will be executed in the visitor's browser, causing a security vulnerability.

Therefore, it is strongly recommended to use the |safe filter only on user-generated or system-generated content that you fully trust and have confirmed does not contain malicious code. Text coming from external or untrusted user input should be handled with caution, or undergo strict content sanitization and validation, to ensure the safety of the website.
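The handling orders discussed above, as an added Go example that is not AnQiCMS code: it models the filter and the engine's auto-escaping with the standard library, and the function names and sample inputs are constructed for illustration. The last function, renderPlainText, goes beyond the page: it escapes untrusted plain text first and only then inserts <br/>, so line breaks survive without trusting any user markup.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// linebreaksbr models the filter as the page describes it: "\n" becomes "<br/>".
func linebreaksbr(s string) string {
	return strings.ReplaceAll(s, "\n", "<br/>")
}

// renderDefault models {{ v|linebreaksbr }} with auto-escaping on:
// the user's tags and the generated <br/> are all escaped.
func renderDefault(v string) string {
	return html.EscapeString(linebreaksbr(v))
}

// renderSafe models {{ v|linebreaksbr|safe }}: nothing is escaped,
// so any markup in v reaches the browser as live HTML.
func renderSafe(v string) string {
	return linebreaksbr(v)
}

// renderPlainText (hypothetical helper) is for untrusted plain text:
// normalize line endings, escape everything, then add the <br/> tags,
// so the line breaks are the only real markup in the output.
func renderPlainText(v string) string {
	v = strings.NewReplacer("\r\n", "\n", "\r", "\n").Replace(v)
	return linebreaksbr(html.EscapeString(v))
}

func main() {
	// Constructed sample inputs, reusing the strings quoted on the page.
	inputs := []string{
		"你好\n世界<b>AnQiCMS</b>",
		"hi\n<script>alert('XSS')</script>",
	}
	for _, in := range inputs {
		fmt.Printf("input:      %q\n", in)
		fmt.Printf("default:    %s\n", renderDefault(in))
		fmt.Printf("with safe:  %s\n", renderSafe(in))
		fmt.Printf("plain text: %s\n\n", renderPlainText(in))
	}
}
```
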

In practical applications, this filter combination is often used to process content generated by rich text editors (such as Markdown editors or WYSIWYG editors), which usually already contains valid HTML tags that users expect to be rendered correctly on the page. linebreaksbr|safe also applies to simple multi-line text entered by users in a normal text box, when line breaks are to be maintained and no complex HTML is involved.

In summary, the AnQiCMS linebreaksbr filter itself does not actively filter HTML tags; rather, the default security mechanism of the template engine escapes them. If you want the content processed by linebreaksbr, and its HTML tags, to be displayed normally, be sure to append the |safe filter afterwards, but also remember its potential security risks and ensure the reliability of the content source.


Common Questions (FAQ)

  1. What are the differences between the linebreaks and linebreaksbr filters? The linebreaksbr filter only replaces the newline characters (\n) in the text with <br/> tags. The linebreaks filter goes further, converting single newline characters to <br/> and wrapping text separated by two or more consecutive newline characters (indicating paragraph breaks) in HTML <p> and </p> tags. Both need to be combined with the |safe filter for the HTML tags to render correctly.

  2. Why does the AnQiCMS template engine escape HTML tags by default? The template engine escapes HTML tags by default to enhance website security, mainly to prevent cross-site scripting (XSS) attacks. If the template engine did not escape automatically, malicious users could submit HTML or JavaScript code in an input box and have it perform malicious operations when other users browse the content, such as stealing cookies or tampering with page content. Through default escaping, this potentially malicious code is converted into harmless text, thereby protecting the website and its users.

  3. If my content is Markdown formatted, do I still need linebreaksbr|safe? For Markdown-formatted content, if the Markdown editor has been enabled in the "Content Settings" of the AnQiCMS backend, the system will usually automatically convert Markdown