In the template engine of AnQi CMS, the default automatic escaping mechanism is an important security feature: it converts special characters in HTML tags and JS scripts (such as `<`, `>`, `&`, etc.) into the corresponding HTML entities, which effectively prevents cross-site scripting (XSS) attacks. However, in certain content output scenarios we genuinely need the browser to parse and render the HTML (or HTML-like code) in the content as-is. This is where the `safe` filter becomes crucial.
As we all know, if rich-text HTML is output without the `safe` filter, users will see the raw HTML code rather than the formatted content. For example, on the article detail page the document content must be written as `{{ archive.Content|safe }}`; only with `|safe` appended is the rich content of the article displayed correctly.
However, the potential uses of the `safe` filter go far beyond this; it also plays a key role in the following situations:
1. Render HTML content converted from Markdown
With the popularity of Markdown editors, AnQi CMS also supports converting Markdown-formatted content to HTML for display. When the Markdown editor is enabled for your document or category content and the content contains Markdown syntax, you can pass the `render=true` parameter when fetching content with the `archiveDetail` or `categoryDetail` tag to instruct the template engine to convert it to HTML. The converted HTML string, however, still needs the `safe` filter to tell the template engine to skip escaping. This ensures that Markdown content is correctly rendered by the browser as formatted text, images, and even complex elements such as the mathematical formulas and flowcharts mentioned in the documentation. The combination `{{ content|render|safe }}` achieves smooth display of Markdown content.
2. Dynamically embedded scripts and structured data
The `safe` filter also plays a crucial role in handling behind-the-scenes code that is not displayed to users directly but is essential for page functionality or search engine optimization.
- JSON-LD structured data: JSON-LD is a format for providing structured information to search engines, usually embedded in a `<script type="application/ld+json">` tag. If these dynamically generated JSON strings contain quotes or other special characters and are output without the `safe` filter, the escaping may break the JSON structure and prevent search engines from parsing it correctly. Although AnQi CMS provides a dedicated `jsonLd` tag to simplify this kind of operation, its internal principle likewise depends on ensuring the "safe" output of the content.
- Website statistics and tracking scripts: when you need to dynamically insert JavaScript snippets generated by external services (such as Baidu Statistics or Google Analytics) or by custom logic into templates, for example the statistics code mentioned in the documentation, `{{- pluginJsCode|safe }}`, the `safe` filter is the key to ensuring that the code is correctly recognized and executed by the browser. It prevents the `<script>` tag and the code inside it from being escaped into plain text, so the script runs normally.
- Inline SVG or CSS: in some advanced template customizations, if you need to dynamically generate SVG graphics or inline CSS styles, and this content is dynamic and known to be safe, the `safe` filter likewise helps the browser parse and display it correctly rather than misinterpreting it as plain text.
3. Integrate the output of third-party modules or plugins
If you have integrated third-party modules or plugins into AnQi CMS, their output may already contain pre-formatted HTML fragments. In that case, if the module's output is known to be safe and needs to keep its original HTML structure, using the `safe` filter is a necessary step to integrate it into the page correctly. This avoids double escaping, which would cause the content to display incorrectly.
Safety tips for using the `safe` filter:
Although the `safe` filter provides great flexibility, it must be used with extreme caution. As its name suggests, it declares 'this content is safe, do not escape it'. If untrusted content is output through the `safe` filter, potentially malicious script code (XSS) may be executed, posing serious security risks to the website. Therefore, before using the `safe` filter, make sure the content source is completely trustworthy or has passed strict content filtering and sanitization on the server side.
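As an added example (not AnQi CMS's own code; Go's standard `html/template` is used here as a stand-in for the CMS template engine), this shows the distinction described above: a plain string is auto-escaped, while a value marked `template.HTML`, the equivalent of `|safe`, is output as-is, so the same `<script>` string is harmless when it comes from a user comment but becomes live markup if it is wrongly treated as trusted. The `Source` type and the `ForTemplate` helper are hypothetical.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Source records where a piece of content came from. It mirrors the
// trusted/untrusted split the article draws and is a hypothetical type.
type Source int

const (
	SourceUserComment Source = iota // unfiltered user input: keep auto-escaping
	SourceAdminEditor               // backend rich-text editor: may be output as-is
)

// ForTemplate chooses how a value reaches the template. A plain string is
// auto-escaped; template.HTML is passed through untouched, which is Go's
// equivalent of appending |safe in the AnQi CMS template.
func ForTemplate(content string, src Source) interface{} {
	if src == SourceAdminEditor {
		return template.HTML(content)
	}
	return content
}

// fieldTpl stands in for a single {{ archive.Content }} output slot.
var fieldTpl = template.Must(template.New("field").Parse(`<div class="content">{{.}}</div>`))

// Render executes the slot with the value ForTemplate selected for the source.
func Render(content string, src Source) (string, error) {
	var sb strings.Builder
	if err := fieldTpl.Execute(&sb, ForTemplate(content, src)); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs, not data from a real site.
	article := "<p>Hello <b>world</b></p>"
	comment := "<script>alert(1)</script>"

	out, _ := Render(article, SourceAdminEditor) // rich text: markup is kept
	fmt.Println(out)
	out, _ = Render(comment, SourceUserComment) // auto-escaped: &lt;script&gt;...
	fmt.Println(out)
	out, _ = Render(comment, SourceAdminEditor) // the misuse the tips above warn about
	fmt.Println(out)
}
```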
In summary, the `safe` filter in AnQi CMS is not just a tool for displaying rich text; it is a key element of template development for handling all 'content that the browser should parse as-is'. From rich text generated in the backend and HTML converted from Markdown to dynamically embedded scripts and structured data, the `safe` filter ensures correct rendering of content while requiring developers to stay highly vigilant about the security of the content source, in order to make full use of its value.
Frequently Asked Questions (FAQ):
1. Does using the `safe` filter mean my website is not safe? No. The `safe` filter itself is a tool; its security depends on how it is used. It lets you declare certain content as safe so that it is not escaped. If you use the `safe` filter directly on unprocessed user input, it will indeed introduce XSS risks. However, if the content comes from a source you completely trust (such as content entered by administrators in the backend editor, or code strictly filtered on the server side), then using `safe` in these scenarios is both necessary and safe.
2. When should the `safe` filter be used, and when should it not?
- Should be used: when you need to display HTML content generated by the backend rich text editor, HTML converted from Markdown, dynamically inserted JSON-LD data, and JS scripts or CSS styles that are known to be safe and need to be executed directly by the browser.
- Should not be used: on any content that comes directly from user input (such as comments or message-form submissions) and has not been strictly filtered and sanitized on the server side. For such content, the default auto-escaping mechanism should remain in effect to prevent potential XSS attacks.
3. If my article content includes both Markdown syntax and HTML tags, and the Markdown editor is enabled in the backend, how do I display it correctly? In this case, first use the `render=true` parameter to convert the Markdown content to HTML, then apply the `safe` filter. The correct order is `{{ archiveContent|render|safe }}`: `render` is responsible for parsing Markdown into HTML, and `safe` then ensures the generated HTML is not escaped again by the template engine, so it displays correctly in the browser.