In AnQiCMS template development, the linebreaksbr filter is a very commonly used tool. It mainly processes newline characters in text so that they are displayed as visible line breaks on web pages. So, if the user text already contains HTML tags, how will the linebreaksbr filter handle them? The question is worth a closer look.

The main function of the linebreaksbr filter

As the name implies, the core function of linebreaksbr is to automatically convert the newline characters (\n) in user input text to HTML <br/> tags. This is very useful in scenarios where you want to preserve the original text formatting but do not want to insert HTML line break tags manually. For example, content the user enters in a multi-line text box in the backend can, after being processed by the linebreaksbr filter, be displayed line by line naturally on the web page.

Default processing of existing HTML tags by linebreaksbr: escaping is used by default.

As to whether the linebreaksbr filter removes HTML tags that are already present in the user's text, the more accurate answer is: by default, it does not 'filter' them out; instead, the existing HTML tags are escaped.

The template engine of AnQiCMS, like many modern template systems, has a built-in automatic HTML escaping mechanism. This mechanism exists to enhance the security of the website and effectively prevent cross-site scripting (XSS) attacks. When the template renders content, any character that is part of an HTML tag, such as < and >, is automatically converted to an HTML entity such as &lt; and &gt;. This means that even if your original text contains <p>这是一个段落</p>, it will be output as &lt;p&gt;这是一个段落&lt;/p&gt; and shown on the page as literal text, rather than as an actual paragraph.

Therefore, when the linebreaksbr filter is applied to text containing HTML tags, it first processes the newline characters, converting \n to <br/>. At the same time, the template engine's automatic escaping still applies, escaping all the original HTML tags (such as <b> and <a>) as well as the <br/> tags generated by linebreaksbr itself. The final result is that although in theory you got line breaks, all the HTML structure is "disabled": only plain text or escaped text is displayed, and the browser will not parse it as HTML elements.

How to make HTML tags display normally: use with the |safe filter

To solve this problem, so that the linebreaksbr filter handles line breaks correctly while the HTML tags that belong in the user's text are retained, you need to use it together with the |safe filter.

The |safe filter tells the AnQiCMS template engine that the content you are processing is “safe” and does not require automatic HTML escaping; it should be output to the browser directly as raw HTML. When the result of linebreaksbr is then passed through the |safe filter, the template engine first completes the newline conversion, and then the entire result (including the converted <br/> tags and any HTML tags already in the user text) is treated as safe content and rendered directly.

For example, if you have a variable my_content containing something like 你好\n世界<b>AnQiCMS</b>, and you want it displayed on the page with line breaks and bold text, use it like this:

{{ my_content|linebreaksbr|safe }}

The output will then be 你好<br/>世界<b>AnQiCMS</b>, which the browser will correctly parse and display with the line break and bold text.

Important notes on using |safe

However, the |safe filter is not without risk. Using it means you trust the source of the content and accept the risk that it may contain malicious scripts (XSS). If a malicious user can insert code such as <script>alert('XSS')</script> into the text, and this content is passed through the |safe filter and output directly, the script will execute in the visitor's browser, causing a security vulnerability.

Therefore, it is strongly recommended to use the |safe filter only on content from users you completely trust, or on system-generated content, that you have confirmed contains no malicious code. Treat external or untrusted user input with caution, and perform strict content purification and validation to ensure website security.

In practice, this filter combination is often used to process content generated by rich text editors (such as Markdown editors or WYSIWYG editors), which usually already contains valid HTML tags that users want rendered correctly on the page. Likewise, if users enter simple multi-line text in a regular text box and want to keep the line breaks without involving complex HTML, linebreaksbr|safe is also applicable.
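The three outcomes discussed above, as an added Go example (not AnQiCMS code; the filters are modelled from this article's description and the function names are hypothetical): the default escaped output, the |safe output with the article's <script> sample, and an escape-then-convert variant for plain-text fields that keeps the line breaks without making user-supplied tags live.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// linebreaksbr models the filter as the article describes it: each \n
// becomes <br/>. It is a stand-in, not AnQiCMS's implementation.
func linebreaksbr(s string) string {
	return strings.ReplaceAll(s, "\n", "<br/>")
}

// RenderDefault models {{ v|linebreaksbr }} with auto-escaping on:
// the filter output, generated <br/> included, is entity-escaped.
func RenderDefault(v string) string {
	return html.EscapeString(linebreaksbr(v))
}

// RenderSafe models {{ v|linebreaksbr|safe }}: no escaping at all, so
// every tag in the input reaches the browser as live markup.
func RenderSafe(v string) string {
	return linebreaksbr(v)
}

// RenderPlainText is an assumed helper for fields meant to hold plain
// text only: escape the user's text first, then add the <br/> tags, so
// the only live markup in the result is the line breaks added here.
func RenderPlainText(v string) string {
	return linebreaksbr(html.EscapeString(v))
}

func main() {
	// Constructed sample inputs.
	trusted := "你好\n世界<b>AnQiCMS</b>"
	hostile := "line one\n<script>alert('XSS')</script>"

	for _, in := range []string{trusted, hostile} {
		fmt.Printf("input:      %q\n", in)
		fmt.Printf("default:    %s\n", RenderDefault(in))
		fmt.Printf("|safe:      %s\n", RenderSafe(in))
		fmt.Printf("plain text: %s\n\n", RenderPlainText(in))
	}
}
```

Content that must keep a subset of user-supplied tags still needs the purification step the article recommends; escaping first only fits fields where no user markup should survive.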

In conclusion, the linebreaksbr filter in AnQiCMS does not itself actively 'filter' HTML tags; rather, the default security mechanism of the template engine escapes them. For the content processed by linebreaksbr and any HTML tags within it to display normally, be sure to append the |safe filter after it, but also keep its potential security risks in mind and ensure the reliability of the content source.


Frequently Asked Questions (FAQ)

  1. What are the differences between the linebreaks and linebreaksbr filters? The linebreaksbr filter only converts newline characters (\n) in the text to HTML <br/> tags. The linebreaks filter goes further: it converts single newline characters to <br/> and converts two or more consecutive newline characters (indicating paragraph breaks) into paragraphs wrapped in HTML <p> and </p> tags. Both must be used together with the |safe filter for the HTML tags to render correctly.

  2. Why does the AnQiCMS template engine default to escaping HTML tags? The template engine escapes HTML tags by default to enhance website security, mainly to prevent cross-site scripting (XSS) attacks. If the template engine did not escape automatically, malicious users could submit HTML or JavaScript code through an input box, and that code would then carry out malicious operations when other users browse the content, such as stealing cookies or modifying page content. With default escaping, potentially malicious code is converted into harmless text, thus protecting the website and its users.

  3. If my content is Markdown formatted, do I still need linebreaksbr|safe? For Markdown formatted content, if the Markdown editor is enabled in the "Content Settings" of the AnQiCMS backend, the system will usually automatically convert Markdown