When developing Anqi CMS templates we often need to handle the security of displayed content, especially when that content may include user input or come from an external source. In these cases it is essential to escape special characters in order to prevent cross-site scripting (XSS) attacks. The two filters `escape` and `e` exist for exactly this purpose. Their behaviour is identical: `e` is simply a short alias for `escape`.
What do these two filters do, and when should we use them?
The core function of `escape` and `e`
The main job of the `escape` and `e` filters is to escape specific HTML special characters in a string. Concretely, they convert the following five characters into their corresponding HTML entities:
- `<` becomes `&lt;`
- `>` becomes `&gt;`
- `&` becomes `&amp;`
- `"` becomes `&quot;`
- `'` becomes `&#39;`
The purpose of this escaping is to make sure the browser interprets these characters as literal text rather than as HTML tags, attributes, or executable script. For example, the string `<script>alert('XSS');</script>` becomes `&lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt;` after passing through `escape` or `e`. When the page is rendered, the browser does not execute this JavaScript; it displays it as plain text, which effectively blocks the XSS attack.
Anqi CMS's default security mechanism
The Anqi CMS template engine was designed with security in mind. By default, every value output through `{{ variable }}` is automatically escaped. This means that even if one of your variables contains an HTML tag such as `<script>`, the system converts it to the entity form `&lt;script&gt;` by default, without you having to add the `escape` or `e` filter yourself.
This default behaviour greatly simplifies the template developer's work and, to a large extent, guarantees the safety of the site's output. In most cases, text that you output directly from the database or from users is escaped automatically, which removes a lot of worry. Keep in mind, however, what HTML-entity escaping covers: it makes a value safe as element text and inside a quoted attribute value. It does not make a value safe inside a `<script>` block, in an unquoted attribute, or in an `href` or `src` attribute where a `javascript:` URL would still be followed. Those contexts need their own handling regardless of the filter.
When do you need to use the `escape` or `e` filter explicitly?
Although Anqi CMS escapes output automatically by default, there are specific scenarios in which you still need to understand, and may need to explicitly use, the `escape` or `e` filter:
- Manual remediation after turning off automatic escaping:
Anqi CMS provides the `{% autoescape off %}` tag, which lets you turn off the default auto-escaping within a specific block of the template. This is normally used when you need to output a segment of HTML as-is and you are certain that the HTML is safe and must not be escaped (for example, rich-text content obtained from a trusted source). Inside an `{% autoescape off %}` block, if you need to output something that should still be escaped (for example, untrusted user input), you must explicitly apply the `escape` or `e` filter to force escaping. For example:
```twig
{% autoescape off %}
This content contains safe HTML tags, so I disabled automatic escaping.
User submitted comments
```
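To make the two points above concrete (what the five-character escaping does, and why an explicit filter is still needed inside an `{% autoescape off %}` block), here is an added Go example. It is not Anqi CMS's own code or its template engine; `escapeHTML` reimplements the filter's character mapping so the behaviour can be checked, and `renderCommentBlock`, `containsRawScript`, the `trustedHTML`/`untrustedComment` variable names and the sample payload are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeHTML mirrors what an `escape` / `e` template filter does: the five
// HTML-significant characters are replaced by entities. strings.NewReplacer
// performs all replacements in a single pass, so the `&` produced by the other
// rules is not escaped again. If you rewrite this with successive
// strings.ReplaceAll calls, the `&` rule must run first for the same reason.
// Added illustration, not Anqi CMS's implementation.
func escapeHTML(s string) string {
	r := strings.NewReplacer(
		"&", "&amp;",
		"<", "&lt;",
		">", "&gt;",
		`"`, "&quot;",
		"'", "&#39;",
	)
	return r.Replace(s)
}

// renderCommentBlock models an `{% autoescape off %}` block: a trusted
// rich-text fragment is written verbatim, and an untrusted comment is passed
// through the escape filter explicitly because auto-escaping is off.
// Variable names are hypothetical.
func renderCommentBlock(trustedHTML, untrustedComment string) string {
	var b strings.Builder
	b.WriteString(trustedHTML) // trusted source: output raw, as {{ trustedHTML }} would
	b.WriteString(`<div class="comment">`)
	b.WriteString(escapeHTML(untrustedComment)) // untrusted: {{ untrustedComment|e }}
	b.WriteString(`</div>`)
	return b.String()
}

// containsRawScript reports whether a rendered fragment still carries a live
// <script> tag, which is exactly what forgetting the filter would leave behind.
func containsRawScript(out string) bool {
	return strings.Contains(strings.ToLower(out), "<script")
}

func main() {
	// Constructed sample payload, the same one the text uses.
	payload := "<script>alert('XSS');</script>"
	fmt.Println(escapeHTML(payload))

	trusted := "<p><strong>Article body</strong> from a trusted editor.</p>"
	fmt.Println(renderCommentBlock(trusted, payload))

	// Without the explicit filter inside an autoescape-off block, the payload
	// reaches the page unchanged.
	fmt.Println("raw script present:", containsRawScript(trusted+payload))
}
```

The last line of `main` is the failure mode the page warns about: once `{% autoescape off %}` is in effect, the engine no longer protects you, so every untrusted value inside that block must carry `|escape` or `|e` itself.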