In the Anqi CMS template engine, automatic escaping is enabled by default and is an important security feature: special characters in output (such as `<`, `>` and `&`) are converted into the corresponding HTML entities, which effectively prevents cross-site scripting (XSS) attacks. However, in certain content-output scenarios we genuinely need the browser to parse and render the HTML (or HTML-like markup) contained in a value as-is, and that is where the `safe` filter is crucial.
As is well known, the most common use of the `safe` filter is to display HTML produced by a rich-text editor (such as the article editor in the Anqi CMS admin backend). When you write articles, product descriptions or single pages in the backend using bold, italic, images, links, tables and so on, that formatting is stored in the database as HTML tags. If the variable is output without `safe`, the visitor sees the raw HTML source rather than the formatted content. For example, on the article detail page the document body must be written as `{{ archive.Content|safe }}`; without `|safe` the rich-text article content will not display correctly.
However, the uses of the `safe` filter are not limited to this; it also plays a key role in the following situations:
1. Rendering HTML converted from Markdown
With the popularity of Markdown editors, Anqi CMS also supports converting Markdown content to HTML for display. When the Markdown editor is enabled for a document or category and the content contains Markdown syntax, the content is fetched with the `archiveDetail` or `categoryDetail` tag, and the `render=true` parameter tells the template engine to convert it to HTML. The converted HTML string still needs the `safe` filter to tell the template engine to skip escaping. This ensures that the Markdown content is rendered by the browser as formatted text and images, and even as complex elements such as the mathematical formulas and flowcharts mentioned in the documentation. For example, the combination `{{ content|render|safe }}` displays Markdown content correctly.
2. Dynamically embedded scripts and structured data
The `safe` filter is also important for code that is not displayed directly to the user but is crucial for page functionality or search engine optimisation.
- JSON-LD structured data: JSON-LD is a format for providing structured information to search engines and is usually embedded in a `<script type="application/ld+json">` element. If the dynamically generated JSON string contains quotes or other special characters and is output without `safe`, escaping turns those characters into entities and breaks the JSON structure, so search engines can no longer parse it. Although Anqi CMS provides a dedicated `jsonLd` tag to simplify this, it likewise relies on the content being output unescaped.
- Site statistics and tracking scripts: when you need to insert JavaScript snippets generated by external services (such as Baidu Tongji or Google Analytics) or by your own logic, for example the statistics code `{{- pluginJsCode|safe }}` mentioned in the documentation, the `safe` filter is what lets the browser recognise and execute the code. It prevents the `<script>` tag and its contents from being escaped into plain text, so the script runs normally.
- Inline SVG or CSS: in advanced template customisation, if you dynamically generate SVG graphics or inline CSS styles and that content is known to be safe, the `safe` filter likewise lets the browser parse and display it instead of treating it as plain text.
3. Integrating the output of third-party modules or plugins
If you have integrated third-party modules or plugins into Anqi CMS, their output may already consist of pre-formatted HTML fragments. When the module's output is known to be safe and must keep its original HTML structure, the `safe` filter is a necessary step to integrate it into the page correctly; it avoids double escaping, which would make the content display incorrectly.
Security tips for using the `safe` filter:
Although the `safe` filter provides great flexibility, it must be used with extreme caution. As the name implies, it declares that "this content is safe and must not be escaped". This means that if you output user-supplied content (comments, guestbook messages and so on) through `safe` without strict filtering and validation, any malicious script it contains (XSS) can execute in visitors' browsers, a serious security risk for the site. Therefore, before applying `safe`, make sure the content source is fully trusted or that the content has been strictly filtered and sanitised on the server side.
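The behaviour discussed in the JSON-LD bullet above and in the security tips can be shown concretely in Go, the language Anqi CMS is written in. The following is an added example, not code from Anqi CMS or its template engine: it models the default autoescape step and the `safe` filter as a type distinction (an ordinary string is entity-encoded on output, a `SafeHTML` value is emitted verbatim) and runs three of the cases the page discusses: the administrator's rich-text article, an untrusted visitor comment, and a JSON-LD block. All sample content is constructed, and the names (`Emit`, `Safe`, `JSONLD`, `WebPageLD`, `NaiveJSONLD`) are assumptions chosen for the example. The JSON-LD part also shows a caveat the page only hints at: `safe` keeps the JSON intact, but it is the JSON encoder (here `encoding/json`, which rewrites `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026`) that stops a string value from closing the `<script>` element early.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// SafeHTML marks a string that the template layer must emit verbatim.
// It plays the role of the value produced by the `|safe` filter.
type SafeHTML string

// Safe is the equivalent of applying `|safe`: it only changes the type.
// It does not inspect, validate or clean the content in any way.
func Safe(s string) SafeHTML { return SafeHTML(s) }

// Emit models the default autoescape step: plain strings are entity-encoded
// (<, >, &, ", ' become &lt; &gt; &amp; &#34; &#39;), SafeHTML passes through.
func Emit(v any) string {
	switch x := v.(type) {
	case SafeHTML:
		return string(x)
	case string:
		return html.EscapeString(x)
	default:
		return html.EscapeString(fmt.Sprint(x))
	}
}

// Constructed sample: article body written by the administrator in the rich-text editor.
const adminArticle = `<p>Hello <strong>world</strong> &amp; friends</p>`

// Constructed sample: a comment submitted by an anonymous visitor.
const visitorComment = `<img src=x onerror="alert(document.cookie)">`

// RenderArticle is the {{ archive.Content|safe }} case: trusted, pre-formatted HTML.
func RenderArticle(content string) string { return Emit(Safe(content)) }

// RenderComment is the untrusted-input case: no |safe, default escaping stays on.
func RenderComment(comment string) string { return Emit(comment) }

// RenderCommentUnsafe is the mistake the security tips warn against.
func RenderCommentUnsafe(comment string) string { return Emit(Safe(comment)) }

// WebPageLD is a minimal schema.org WebPage object (hypothetical field set).
type WebPageLD struct {
	Context string `json:"@context"`
	Type    string `json:"@type"`
	Name    string `json:"name"`
}

// JSONLD encodes v with encoding/json, which escapes <, > and & as \u003c,
// \u003e and \u0026. The result can be marked safe and placed inside
// <script type="application/ld+json"> without any string value being able to
// terminate the script element.
func JSONLD(v any) (SafeHTML, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return SafeHTML(b), nil
}

// NaiveJSONLD builds the JSON by string concatenation, as a template author
// might do before piping the result through |safe.
func NaiveJSONLD(name string) string {
	return `{"@context":"https://schema.org","@type":"WebPage","name":"` + name + `"}`
}

// ScriptBlock wraps already-rendered text in the JSON-LD script element.
func ScriptBlock(body string) string {
	return `<script type="application/ld+json">` + body + `</script>`
}

// BreaksOutOfScript reports whether the rendered body could close the
// enclosing <script> element early (the browser does not parse JSON here).
func BreaksOutOfScript(body string) bool {
	return strings.Contains(strings.ToLower(body), "</script")
}

// IsValidJSON reports whether what reached the browser still parses as JSON.
func IsValidJSON(body string) bool {
	var v any
	return json.Unmarshal([]byte(body), &v) == nil
}

func main() {
	fmt.Println(RenderArticle(adminArticle))
	fmt.Println(RenderComment(visitorComment))
	fmt.Println(RenderCommentUnsafe(visitorComment))

	// Constructed hostile title: a page name an editor could paste into a field.
	evil := "My page</script><script>alert(1)</script>"
	naive := Emit(Safe(NaiveJSONLD(evil)))
	fmt.Println(ScriptBlock(naive), "breaks out:", BreaksOutOfScript(naive))
	ld, err := JSONLD(WebPageLD{Context: "https://schema.org", Type: "WebPage", Name: evil})
	if err != nil {
		panic(err)
	}
	fmt.Println(ScriptBlock(Emit(ld)), "breaks out:", BreaksOutOfScript(Emit(ld)))
}
```

Three outcomes are worth comparing: the JSON-LD emitted without `safe` no longer parses (its quotes have become `&#34;`), the string-concatenated JSON emitted with `safe` parses but can close the `<script>` element, and only the `encoding/json` output emitted with `safe` both parses and cannot break out. For visitor comments the example never calls `Safe`; if comment HTML must be allowed, run it through a maintained allowlist sanitiser on the server first, as the security tips require.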
In short, the `safe` filter in Anqi CMS is not just a tool for displaying rich text; in template development it is the key to handling all content that the browser must parse as-is. From rich text produced in the backend and HTML converted from Markdown to dynamically embedded scripts and structured data, `safe` ensures the content renders correctly, while requiring developers to stay vigilant about where that content comes from in order to use it to full advantage.
Frequently Asked Questions (FAQ):
1. Does using the `safe` filter mean my website is insecure? No. The `safe` filter is only a tool; its security depends on how it is used. It lets you declare that a given piece of content is safe and should not be escaped. If you combine it with unprocessed user input, it will indeed introduce XSS risk. But when the content comes from a source you fully trust (such as content entered by an administrator in the backend editor, or code that has been strictly filtered on the server side), using `safe` is both necessary and safe.
2. When should the `safe` filter be used, and when not?
- Use it: when displaying HTML produced by the backend rich-text editor, HTML converted from Markdown, dynamically inserted JSON-LD data, and JS scripts or CSS styles that are known to be safe and must be executed or applied directly by the browser.
- Do not use it: on any content that comes directly from user input (such as comments or form submissions) and has not been strictly filtered and sanitised on the server side. For such content, leave the default automatic escaping in place to prevent XSS attacks.
3. How do I correctly display article content that contains both Markdown syntax and HTML tags when the Markdown editor is enabled in the backend? In this case, first use the `render=true` parameter to convert the Markdown content to HTML, then apply the `safe` filter. The correct order is `{{ archiveContent|render|safe }}`: `render` parses the Markdown into HTML, and `safe` then ensures the generated HTML is not escaped again by the template engine, so it displays correctly in the browser.