When using AnQiCMS for content creation and website operation, we often need to handle multiline text. To display it well, the template system provides a range of filters for formatting, of which `linebreaks` is one of the most commonly used. However, when such multiline text contains special HTML characters such as `&`, `<`, `/` or `>`, many users worry about whether it is safe to display, and in particular whether it could lead to cross-site scripting (XSS) or similar vulnerabilities.

The AnQi CMS template system was designed with content security in mind: it is based on a syntax similar to the Django template engine and has a robust security mechanism. To understand how safe the `linebreaks` filter is when handling special characters, we first need to understand the default behaviour of the Anqi CMS template engine and the specific role of the `linebreaks` filter.

The `linebreaks` filter is responsible for converting line breaks in text (`\n`) into HTML paragraph tags (`<p>`) and line break tags (`<br/>`). Specifically, text separated by consecutive line breaks is wrapped in `<p>` and `</p>` paragraphs, while a single line break is converted into `<br/>`. For example, the text "First line\nSecond line" becomes `<p>First line<br/>Second line</p>` after `linebreaks` is applied. Its core responsibility is text layout, so that the text reads naturally on the web; it does not deal with escaping HTML special characters.

A key security feature of the AnQi CMS template engine is default automatic HTML escaping. This means that whenever you output content with double curly braces in a template, `{{ variable }}`, the system automatically converts the HTML special characters in that content into their corresponding HTML entities. For example, `<` is escaped to `&lt;`, `>` to `&gt;`, `&` to `&amp;`, `"` to `&quot;`, and `'` to `&#39;`. This default mechanism effectively prevents malicious HTML or JavaScript from being injected into the page through text content, and so resists common XSS attacks.

So how does the `linebreaks` filter work together with this automatic escaping? The template processing flow of Anqi CMS is as follows: when the template engine encounters `{{ variable }}`, it first escapes the value of `variable` by default. Only after escaping is complete, if the value is passed to the `linebreaks` filter, does `linebreaks` look for line breaks in the already escaped text and convert them.

For example, if your multiline text contains content such as `<script>alert('xss')</script>` and it is output with `{{ text | linebreaks }}`, the actual processing order is:

  1. The text content `<script>alert('xss')</script>` is first escaped by the default HTML escaping into `&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;`.
  2. Then the `linebreaks` filter finds and converts any newline characters in the escaped text (if there are any). The final output to the page is therefore safe HTML entities rather than an executable malicious script, and the browser displays them as plain text instead of executing them.

In summary, the `linebreaks` filter handles multiline text containing special characters safely in AnQi CMS. This safety is not provided by the `linebreaks` filter itself; it relies on the default automatic HTML escaping mechanism of the Anqi CMS template engine. As long as you do not actively disable this mechanism, you can use `linebreaks` with confidence to improve the display of your multiline text.

However, one situation needs special attention: the `|safe` filter. The `|safe` filter explicitly tells the template engine that the content it processes is 'safe' and does not require HTML escaping. If you combine `|safe` with `linebreaks`, for example `{{ text | safe | linebreaks }}`, the system will not escape the text content, and any malicious HTML or JavaScript in the text is output to the page as is and may be executed by the browser, causing a security vulnerability. Therefore, unless you are 100% sure that the content source is absolutely trusted and has been strictly sanitized on the server side, do not apply the `|safe` filter to user-generated content or any other untrusted content.
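The processing order described above (escape first, then `linebreaks`) and the effect of adding `|safe` can be seen in a small model of the pipeline. The following Python is an added example, not AnQiCMS's own template engine code: `escape`, `linebreaks`, `linebreaksbr` (the FAQ variant that only inserts `<br/>`) and `render` are hypothetical reimplementations of the behaviour the article describes, and the sample text is constructed for the demonstration.

```python
import re

# Constructed sample input (not from the article): two lines separated by a
# single newline, a blank line, then the injected tag the article uses.
SAMPLE = "First line\nSecond line\n\n<script>alert('xss')</script>"


def escape(text: str) -> str:
    """Default automatic HTML escaping as the article lists it.
    '&' is replaced first so already-produced entities are not re-escaped."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#39;"))


def linebreaks(text: str) -> str:
    """Model of the linebreaks filter: runs of two or more newlines separate
    paragraphs wrapped in <p>...</p>; a single newline becomes <br/>."""
    normalized = text.replace("\r\n", "\n")
    paragraphs = [p for p in re.split(r"\n{2,}", normalized) if p.strip()]
    return "".join("<p>" + p.strip("\n").replace("\n", "<br/>") + "</p>"
                   for p in paragraphs)


def linebreaksbr(text: str) -> str:
    """Model of the linebreaksbr filter: every newline becomes <br/>, no <p>."""
    return text.replace("\r\n", "\n").replace("\n", "<br/>")


FILTERS = {"linebreaks": linebreaks, "linebreaksbr": linebreaksbr}


def render(value: str, chain: list[str]) -> str:
    """Hypothetical model of `{{ value | f1 | f2 }}` in the order the article
    describes: the value is escaped first, unless `safe` appears in the
    filter chain, and only then are the remaining filters applied in order."""
    out = value if "safe" in chain else escape(value)
    for name in chain:
        if name != "safe":
            out = FILTERS[name](out)
    return out


def contains_live_script(html_output: str) -> bool:
    """Crude check for the demonstration: does an unescaped <script> tag
    survive into the output? Real output checks should use an HTML parser."""
    return "<script" in html_output.lower()


if __name__ == "__main__":
    for chain in (["linebreaks"], ["linebreaksbr"], ["safe", "linebreaks"]):
        out = render(SAMPLE, chain)
        print("{{ text | " + " | ".join(chain) + " }}")
        print("  ->", out)
        print("  live script tag in output:", contains_live_script(out))
```

Running it shows that with `linebreaks` alone the script tag reaches the page only as `&lt;script&gt;...`, i.e. as visible text, while `safe | linebreaks` passes the tag through untouched; the layout work of `linebreaks` is identical in both cases, which is the point of the article: the protection comes from the escaping step, not from the filter.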

Anqi CMS greatly simplifies the work of content operators through this default security strategy, while effectively protecting the website and still allowing content to be presented in rich and varied forms.


Frequently Asked Questions (FAQ)

  1. What is the difference between the `linebreaks` and `linebreaksbr` filters? The `linebreaks` filter converts consecutive newline characters in the text into HTML paragraph tags (`<p>` and `</p>`) and a single newline into `<br/>`. The `linebreaksbr` filter is simpler: it replaces every newline character with a `<br/>` tag and does not add `<p>` tags for paragraph division. Which one to choose depends on how you want paragraphs and line breaks in the text to be formatted.

  2. When do I need to use the `|safe` filter, and what are the risks of using it? The `|safe` filter explicitly informs the Anqi CMS template engine that the variable content it handles is "safe" HTML and does not require the default HTML escaping. You may need it in the following situations:

    • The content stored in your database is itself professionally edited and verified HTML, such as standard HTML generated by a rich text editor.
    • You are sure that the variable's value comes from a trusted source and has been thoroughly sanitized and verified on the server side, so that it contains no malicious code. Note, however, that using `|safe` disables the template engine's default security protection: if the content contains unescaped malicious scripts or HTML tags, using `|safe` leads directly to an XSS vulnerability.
  3. If my content is entered through the AnQi CMS Markdown editor, do I still need to worry about the security of special characters? Generally not. Anqi CMS's Markdown