In today's network environment, website security is a top priority for operators, and cross-site scripting (XSS) is one of the most common threats. XSS attacks inject malicious scripts into web pages to steal user data, tamper with page content, and even take over user sessions. AnQiCMS, a content management system that focuses on security, has a set of built-in HTML escaping mechanisms that take effect whenever user-submitted content is rendered in a template, which effectively prevents this class of attack.
The security cornerstone of AnQiCMS templates: automatic HTML escaping
The AnQiCMS template engine uses a syntax similar to Django templates, and one of its core security designs is automatic HTML escaping, which is enabled by default. This means that when you output a value with double curly braces in a template, {{变量}} (变量 is a placeholder for the variable name), and that value is user-submitted content or content stored in the database, the system automatically escapes the HTML special characters in it. For example:
- & is escaped as &amp;
- < is escaped as &lt;
- > is escaped as &gt;
- " is escaped as &quot;
- ' is escaped as &#39;
This mechanism ensures that even if a user enters malicious code such as <script>alert('XSS');</script>, what reaches the page is &lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt;, so it is displayed as plain text instead of being parsed by the browser as an executable script, which prevents the XSS attack. This is the first and most important line of defense against XSS at the content output layer of AnQiCMS.
When do you need to 'trust' content? Understanding the |safe filter
Even though automatic HTML escaping provides strong protection, there are specific scenarios in which unescaped HTML must be displayed. For example, when the website backend provides a rich text (WYSIWYG) editor, it allows content editors to insert custom HTML tags to achieve richer formatting; that content cannot simply be escaped when it is displayed.
For this case, AnQiCMS templates provide the |safe filter. When you are sure that the content of a variable is safe, harmless HTML, you can output it with {{变量|safe}}. For example, when displaying the body of an article you may see a usage such as {{archiveContent|safe}}.
Using the |safe filter means that you explicitly declare to the template engine: "I trust that this content is safe HTML, do not escape it." Therefore, before using |safe, make sure that the source of the content is trustworthy and that it has undergone strict input validation and filtering, otherwise you open a potential security hole. If there is any doubt about the safety of the content, avoid the |safe filter.
More fine-grained control: the autoescape tag
In addition to the global default auto-escaping and the |safe filter, AnQiCMS templates also provide the {% autoescape on/off %} tag, which controls auto-escaping within a template block more precisely.
{% autoescape off %}: inside this tag block, {{变量}} output is not escaped by default unless the |escape or |e filter is applied explicitly. {% autoescape on %}: inside this tag block, all output is automatically escaped, even if auto-escaping has been disabled in the surrounding environment.
This tag is usually used to override the default auto-escaping setting locally. For example, you might temporarily disable auto-escaping in a complex template snippet to handle a specific HTML structure and then re-enable it afterwards, rather than applying the |safe filter to each variable individually.
Active escaping: the escape and e filters
Inside an {% autoescape off %} block, if you still need to HTML-escape a specific variable, you can use the |escape filter or its shorthand |e, for example {{ 变量|escape }}. This is equivalent to applying the HTML escaping rules manually: even when the current template environment does not escape by default, it ensures the content is displayed safely.
In addition, for user-submitted content that has to be inserted into JavaScript code, AnQiCMS provides the |escapejs filter. This filter converts special characters in the content into a JavaScript-safe encoding, for example a newline character \n becomes \u000A, which prevents users from launching XSS attacks by injecting malicious JavaScript.
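To make the escaping rules above concrete (the HTML entity table, the |escape / |e filters, and |escapejs), here is an added Go example that is not AnQiCMS's own code: it re-implements the five HTML replacements the article lists and a JavaScript escaper that behaves as the article describes |escapejs (the exact safe character set is an assumption of this example), then renders the classic <script> sample through both.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf16"
)

// escapeHTML applies the five replacements listed for default auto-escaping and
// |escape / |e. strings.Replacer is single-pass, so no output '&' is re-escaped.
func escapeHTML(s string) string {
	return strings.NewReplacer(
		"&", "&amp;",
		"<", "&lt;",
		">", "&gt;",
		`"`, "&quot;",
		"'", "&#39;",
	).Replace(s)
}

// escapeJS models |escapejs: every rune outside an assumed safe set (ASCII
// letters, digits, space, underscore) becomes a \uXXXX sequence, so a newline
// renders as \u000A and quotes cannot terminate a JavaScript string literal.
// Runes beyond the BMP are emitted as the UTF-16 surrogate pair JS expects.
func escapeJS(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r < 0x80 && (unicode.IsLetter(r) || unicode.IsDigit(r) || r == ' ' || r == '_') {
			b.WriteRune(r)
			continue
		}
		for _, u := range utf16.Encode([]rune{r}) {
			fmt.Fprintf(&b, `\u%04X`, u)
		}
	}
	return b.String()
}

// renderInlineScript shows that the filter depends on context: a value placed
// inside a JavaScript string literal needs |escapejs, not HTML escaping.
func renderInlineScript(userValue string) string {
	return "<script>var name = \"" + escapeJS(userValue) + "\";</script>"
}

func main() {
	payload := "<script>alert('XSS');</script>" // constructed sample input
	fmt.Println(escapeHTML(payload))            // what {{变量}} outputs by default
	fmt.Println(renderInlineScript("O'Neil\n")) // constructed value in a JS context
}
```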
In summary, AnQiCMS combines automatic HTML escaping, enabled by default, with several control mechanisms (|safe, autoescape, |escape and |escapejs) to give website operators a comprehensive and flexible XSS protection strategy. Understanding these functions and using them properly is the key to building a secure and stable AnQiCMS website. In the end, however, content security does not depend on the system alone; it also requires care and security awareness from the operators who publish content.
Common Questions (FAQ)
1. What is an XSS attack? Why does my website need to prevent it?
XSS (Cross-Site Scripting) is a common web security vulnerability in which an attacker injects malicious client-side script (usually JavaScript) into your website, and that script then executes in the browsers of other users who visit the page. This can lead to theft of sensitive information (such as cookies and session tokens), tampering with the user interface, phishing, and even redirection to malicious websites. To protect user data, maintain the website's reputation, and keep the website operating normally, every website must strictly guard against XSS attacks.
2. When should the |safe filter be used, and what risks does using it to display content carry?
You should only consider using the |safe filter in the following two main cases:
- Rich text editor content: when your backend allows content editors to use a rich text (WYSIWYG) editor to create content containing HTML tags (bold, italic, links, images, and so on), and you want those tags to be parsed and displayed normally.
- Trusted static HTML: when you are sure that the content to be displayed is hard-coded by the website developer, or is a static HTML fragment from an absolutely trustworthy and strictly reviewed third-party source.
Using the |safe filter is high risk. Once it is used, you give up the template engine's automatic escaping of that content. If content marked as 'safe' actually contains malicious script, that script will execute in the user's browser, leading to an XSS attack. Before using |safe, make sure that all user input has been strictly validated and filtered on the server side and that the source of the content is absolutely trustworthy.
3. If autoescape is accidentally turned off, what security risks does my website face?
If you accidentally or improperly use the {% autoescape off %} tag in a template, output inside that tag block is no longer HTML-escaped by default. This means that any user input containing HTML special characters, if output directly with {{变量}}, is parsed by the browser as raw HTML or JavaScript. This greatly increases the risk of your website being attacked by XSS: an attacker can easily inject malicious script, endangering user safety and website integrity. Unless there is a clear need, keep the autoescape feature enabled.