During the development of AnQiCMS templates, the security of data output is one of the key aspects we need to pay attention to. We often run into questions about the `escape` and `e` filters, and many users wonder whether the two behave differently. After studying the AnQiCMS template engine we can give a clear answer: in the AnQiCMS template system the `escape` and `e` filters are functionally identical; `e` is simply an abbreviation of `escape`.
Both filters HTML-escape an output string in order to prevent security vulnerabilities such as cross-site scripting (XSS). When dynamic content is embedded directly into an HTML page and that content contains HTML tags or JavaScript code, the browser parses and executes them, which is exactly what makes the page exploitable. Escaping converts these special characters into their HTML entities, so the browser treats them as plain text rather than as markup or executable code.
Specifically, the `escape` and `e` filters escape the following five HTML special characters:

- `<` is escaped to `&lt;`
- `>` is escaped to `&gt;`
- `&` is escaped to `&amp;`
- `"` is escaped to `&quot;`
- `'` is escaped to `&#39;`
Understanding the default automatic escaping mechanism
An important piece of background: the template engine used by AnQiCMS applies HTML escaping to every output variable by default. This means that even when we do not explicitly use the `escape` or `e` filter, most of the content passed from the backend to the template is already escaped when it is written to the output. This design maximizes safety and reduces the XSS risk that a developer's oversight would otherwise introduce.
Therefore, in many cases explicitly adding `|escape` or `|e` is unnecessary and does not change the final output. Its main value lies in the following specific scenarios:
- Cancelling the effect of the `safe` filter: if a variable was earlier marked as safe with the `|safe` filter (explicitly telling the template not to escape it), but a change in business logic means this content must be escaped again, `|escape` or `|e` can be used to force escaping. For example: `{{ some_variable|safe|escape }}`
- Local escaping inside an `autoescape off` block: when a template uses `{% autoescape off %}` to disable automatic escaping for a block of code, a specific variable inside that block can still be HTML-escaped with the `|escape` or `|e` filter. For example:

```django
{% autoescape off %}
<p>这是未转义的内容: {{ user_input }}</p>
<p>这是经过escape转义的内容: {{ user_input|escape }}</p>
{% endautoescape %}
```

  In this case the first output of `user_input` is emitted unchanged (with a possible XSS risk), while the second output is escaped by `escape`.
- Code readability and clear intent: even though they are redundant in the default auto-escape environment, some developers still choose to add `|escape` or `|e` explicitly to signal that a given output has been safely processed, or to keep a consistent coding style.
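The following Go program is an added example, not code from AnQiCMS or its template engine. It models the output pipeline described above: the five-character entity table of `escape`/`e`, the `safe` flag, a filter chain evaluated left to right, and the autoescape state of the surrounding block. `Value`, `ApplyFilters` and `Render` are hypothetical names; the entity spellings chosen for the two quote characters, and the rule that `escape` marks its result safe so that automatic escaping does not escape it a second time, are assumptions consistent with the behaviour the article describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not AnQiCMS or pongo2 code: a small model of the template
// output pipeline. Value, ApplyFilters and Render are hypothetical names.

// htmlEscaper holds the five replacements the escape / e filter performs.
// strings.Replacer substitutes in a single pass, so the "&" inside the
// entities it emits is never escaped a second time.
var htmlEscaper = strings.NewReplacer(
	"&", "&amp;",
	"<", "&lt;",
	">", "&gt;",
	`"`, "&quot;", // assumption: named entity for the double quote
	"'", "&#39;", // assumption: numeric entity for the single quote
)

// EscapeHTML is what the escape / e filter does to a string.
func EscapeHTML(s string) string { return htmlEscaper.Replace(s) }

// Value is a template value plus the "safe" flag that |safe sets; the engine
// skips automatic escaping for values carrying the flag.
type Value struct {
	Text string
	Safe bool
}

// ApplyFilters runs a chain such as "safe|escape" left to right, the way
// {{ name|safe|escape }} is evaluated. escape / e always escapes and marks
// the result safe (assumption), so autoescape does not escape it again.
func ApplyFilters(v Value, chain string) (Value, error) {
	if strings.TrimSpace(chain) == "" {
		return v, nil
	}
	for _, name := range strings.Split(chain, "|") {
		switch strings.TrimSpace(name) {
		case "safe":
			v.Safe = true
		case "escape", "e":
			v = Value{Text: EscapeHTML(v.Text), Safe: true}
		default:
			return v, fmt.Errorf("unknown filter %q", name)
		}
	}
	return v, nil
}

// Render returns what {{ raw|chain }} emits inside a block whose autoescape
// state is given: true by default, false inside {% autoescape off %}.
func Render(raw, chain string, autoescape bool) (string, error) {
	v, err := ApplyFilters(Value{Text: raw}, chain)
	if err != nil {
		return "", err
	}
	if autoescape && !v.Safe {
		return EscapeHTML(v.Text), nil
	}
	return v.Text, nil
}

func main() {
	input := `<b>Tom's "cat" & dog</b>` // constructed sample, not real user data
	cases := []struct {
		chain      string
		autoescape bool
	}{
		{"", true},            // default: escaped automatically
		{"escape", true},      // explicit filter, identical output
		{"safe", true},        // raw markup reaches the page
		{"safe|escape", true}, // escape after safe forces escaping again
		{"", false},           // inside {% autoescape off %}: raw
		{"e", false},          // local escaping inside that block
	}
	for _, c := range cases {
		out, err := Render(input, c.chain, c.autoescape)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("autoescape=%-5v chain=%-14q -> %s\n", c.autoescape, c.chain, out)
	}
}
```

Running it prints one line per scenario; the point to take away is that filter order matters: `safe|escape` ends escaped, and so does `escape|safe`, because a value that has already been escaped is not un-escaped by `safe`.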
The difference from the `escapejs` filter
It is worth mentioning that AnQiCMS templates also provide an `escapejs` filter. Although it is also used for "escaping", its use cases and escaping rules are completely different from those of the `escape`/`e` filter. The `escapejs` filter escapes the special characters that matter in JavaScript code, converting them to the `\uXXXX` form, so that data inserted dynamically into a JavaScript context cannot break the structure of the script or cause an injection. It does not produce HTML character entities; its job is to keep the JavaScript syntax intact. Use `escapejs` for values placed inside a `<script>` tag or used as a JavaScript string literal.
Summary
In summary, the `escape` and `e` filters behave identically in AnQiCMS templates; they are a convenient way to HTML-escape content. Because AnQiCMS templates apply automatic HTML escaping by default, they are usually unnecessary. Understanding how they interact with the `safe` filter and the `autoescape` tag helps us write secure and efficient AnQiCMS templates. Where escaping must be forced, or applied locally inside a block where automatic escaping is turned off, the `escape` or `e` filter comes into play.
Frequently Asked Questions (FAQ)
Q: Why are HTML tags still escaped when my template does not use the `escape` or `e` filter?
A: Because the AnQiCMS template engine enables its automatic HTML escaping mechanism by default. This security measure protects your website from cross-site scripting (XSS) by converting characters such as `<`, `>` and `&` into HTML entities, so that they are displayed as text rather than parsed by the browser as executable HTML or JavaScript.

Q: When should the `safe` filter be used instead of `escape` or `e`?
A: The `safe` filter does the exact opposite of `escape`/`e`. When you are certain that a variable's content is completely safe and the HTML it contains should be parsed and displayed normally by the browser (for example, an article obtained from a trusted rich-text editor), use the `|safe` filter. `safe` explicitly tells the template engine not to escape this content. Use `safe` with caution and apply it only to data sources you fully trust, to avoid introducing security vulnerabilities.

Q: What is the difference between the `escape` and `escapejs` filters? Which one should I use?
A: The `escape` filter (or `e`) is for the HTML context: it converts special HTML characters into HTML entities to prevent HTML injection. The `escapejs` filter is for the JavaScript context: it escapes special characters in JavaScript strings (newlines, single quotes, double quotes and so on) into the `\uXXXX` form to prevent JavaScript code injection. Put simply: if the data is displayed inside HTML, use `escape`; if the data becomes part of a JavaScript variable or code, use `escapejs`.
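The following Go program is an added example, not code from AnQiCMS, written to illustrate the HTML-versus-JavaScript context distinction made in the section on `escapejs` and in the last FAQ answer. It applies both filters to the same constructed value and checks what a JavaScript engine would read back from a `<script>` string literal. `EscapeJS`, `JSLiteral`, `DecodeJSLiteral` and `ContainsScriptTerminator` are hypothetical names; the set of characters `EscapeJS` converts to `\uXXXX` is an assumption modelled on Django's `escapejs` (the article only states the output form), and `strconv.Unquote` stands in for the JavaScript parser because Go string literals accept the same `\uXXXX` escapes (assumption: inputs stay within the Basic Multilingual Plane).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not AnQiCMS code: the same value escaped for the HTML
// context (escape / e) and for the JavaScript context (escapejs).

var htmlEscaper = strings.NewReplacer(
	"&", "&amp;", "<", "&lt;", ">", "&gt;", `"`, "&quot;", "'", "&#39;",
)

// EscapeHTML is the escape / e filter: the five-character entity table.
func EscapeHTML(s string) string { return htmlEscaper.Replace(s) }

// EscapeJS replaces characters that can end or alter a JS string literal or
// the enclosing <script> element with their \uXXXX form. The character set
// is an assumption modelled on Django's escapejs; control characters and the
// U+2028 / U+2029 line terminators are included because JS treats them as
// line breaks inside a literal.
func EscapeJS(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r < 0x20, r == 0x2028, r == 0x2029:
			fmt.Fprintf(&b, `\u%04X`, r)
		case strings.ContainsRune("\\'\"<>&=-;`", r):
			fmt.Fprintf(&b, `\u%04X`, r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// JSLiteral places an already-escaped value inside a double-quoted JS string
// literal, as a template line like  var name = "{{ user_input|escapejs }}";
func JSLiteral(escaped string) string { return `var name = "` + escaped + `";` }

// DecodeJSLiteral returns what a JS engine would read from that literal.
// strconv.Unquote stands in for the JS parser (assumption: BMP input only).
func DecodeJSLiteral(escaped string) (string, error) {
	return strconv.Unquote(`"` + escaped + `"`)
}

// ContainsScriptTerminator reports whether the bytes the HTML parser sees
// still contain "</script", which would close the script element early
// regardless of any JavaScript-level quoting.
func ContainsScriptTerminator(markup string) bool {
	return strings.Contains(strings.ToLower(markup), "</script")
}

func main() {
	input := `</script><b>Tom's "cat"</b>` // constructed sample, not real user data

	fmt.Println("HTML context (escape):", EscapeHTML(input))

	jsLine := JSLiteral(EscapeJS(input))
	fmt.Println("JS context (escapejs): ", jsLine)
	readBack, _ := DecodeJSLiteral(EscapeJS(input))
	fmt.Println("JS engine reads the original value back:", readBack == input)
	fmt.Println("raw </script visible to the HTML parser:", ContainsScriptTerminator(jsLine))

	// The wrong filter for the context: HTML entities are meaningless inside
	// a JS literal, so the script receives a corrupted value.
	wrong, _ := DecodeJSLiteral(EscapeHTML(input))
	fmt.Println("HTML-escaped value inside JS equals original:", wrong == input)
}
```

The two checks worth keeping in mind are the last two: with `escapejs`, the JavaScript engine receives exactly the original string while the HTML parser never sees a literal `</script`; with `escape` in a script block, nothing closes the tag either, but the script silently works on `&lt;`-style entities instead of the real data, which is why the article says the two filters are not interchangeable.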