In website content management, security is always one of the core considerations. This is especially true in the template rendering phase: without protection, maliciously crafted external JavaScript can be injected through HTML and lead to cross-site scripting (XSS) attacks, which can in turn steal user data, tamper with page content or hijack sessions, posing serious risks to the website and its users. Understanding how AnQiCMS handles security in template rendering, and mastering the corresponding preventive strategies, is crucial for keeping a website running healthily.

The security cornerstone of the AnQiCMS template engine: the automatic escaping mechanism

AnQiCMS uses a syntax similar to the Django template engine, and this design lays the foundation for security from the very beginning. The core security mechanism is "automatic escaping": for anything output to the template in the form {{ variable }}, the AnQiCMS template engine escapes the special HTML characters in the data by default.

For example, suppose a user enters <script>alert('XSS');</script> in the content. If this were output directly, the browser would recognise it as JavaScript. However, thanks to the automatic escaping mechanism of AnQiCMS, the angle brackets < and > are converted to HTML entities, giving &lt;script&gt;alert('XSS');&lt;/script&gt;. The browser then displays it as plain text and does not execute the JavaScript inside it, which blocks most HTML injection and XSS attacks. This is the first and most basic security barrier built into the AnQiCMS template design.

Understanding the safe filter in depth: flexibility and risk coexist

Although automatic escaping is the default and safe behaviour, in certain scenarios we need to output content that contains HTML structure, such as article details or content produced by a rich text editor. Escaping such content would break its normal display, and for this purpose AnQiCMS provides the safe filter.

When you are certain that a variable's content is safe and must be rendered as HTML, you can use {{ variable|safe }} to tell the template engine to skip automatic escaping. For example, if an article edited with the rich text editor contains image tags <img> or link tags <a>, you need to append |safe when outputting it in the template so that the browser parses and renders these HTML structures correctly.

However, the safe filter is a 'double-edged sword'. Using safe essentially tells the template engine: 'I trust that the content of this variable is safe; do not check it, output it directly.' This means that if the source data contains malicious JavaScript (for example from untrusted user input or unverified third-party content) and you apply |safe, that code may be injected and executed, leading to an XSS attack. Therefore, the safe filter must be used with caution, and you must make sure the content source is fully trustworthy.

Besides the safe filter, AnQiCMS also provides the escape filter (or its alias e) and the autoescape tag for finer control over escaping behaviour. Since escaping is already applied by default, the escape filter is rarely used explicitly. The autoescape tag lets you turn automatic escaping on or off in a specific region of the template, giving more flexible control. For example, {% autoescape off %}...{% autoescape on %} can wrap a block that you do not want to be escaped.
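To make the rules above concrete, here is an added example (not AnQiCMS code, and not its actual template engine) of a minimal Django-style renderer that implements exactly the behaviour described: default escaping, the safe filter, the escape/e filter and the autoescape tag. The inputs are constructed; the only real library used is Python's html module.

```python
import html
import re

# Added example, not AnQiCMS code: a minimal Django-style renderer reproducing the rules above.
# {{ name }} is escaped by default, {{ name|safe }} skips escaping, {{ name|escape }} / {{ name|e }}
# force it, and {% autoescape off %} ... {% autoescape on %} switches the default for a region.
TOKEN = re.compile(
    r"\{\{-?\s*(\w+)(?:\|(\w+))?\s*-?\}\}"        # {{ var }} / {{ var|filter }} (with optional - trim)
    r"|\{%-?\s*autoescape\s+(on|off)\s*-?%\}"    # {% autoescape on %} / {% autoescape off %}
)

def escape(value: str) -> str:
    """HTML-entity encode <, >, & and both quote characters (quotes matter inside attributes)."""
    return html.escape(value, quote=True)

def render(template: str, context: dict) -> str:
    autoescape = True            # the engine's default: escape everything
    out, pos = [], 0
    for m in TOKEN.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        name, flt, mode = m.groups()
        if mode is not None:     # {% autoescape on/off %} changes the default for what follows
            autoescape = (mode == "on")
            continue
        value = str(context.get(name, ""))
        if flt == "safe":        # the author vouches for the content: output verbatim
            out.append(value)
        elif flt in ("escape", "e"):
            out.append(escape(value))
        elif flt is not None:
            raise ValueError(f"unknown filter: {flt}")
        else:
            out.append(escape(value) if autoescape else value)
    out.append(template[pos:])
    return "".join(out)

# Constructed inputs: the probe string from the text, and HTML an editor legitimately produced.
UNTRUSTED = "<script>alert('XSS');</script>"
TRUSTED_HTML = '<p>Hello <a href="/about">about</a></p>'

def demo() -> dict:
    ctx = {"title": UNTRUSTED, "content": TRUSTED_HTML}
    return {
        "default":  render("<h1>{{ title }}</h1>", ctx),   # neutralised by default escaping
        "safe_ok":  render("{{ content|safe }}", ctx),      # intended HTML is rendered
        "safe_bad": render("{{ title|safe }}", ctx),        # |safe on untrusted data: script survives
        "region":   render("{% autoescape off %}{{ content }}{% autoescape on %}{{ title }}", ctx),
    }
```

The "safe_bad" entry is the misuse the section warns about: the filter does no checking of its own, so whatever trust it expresses has to be established before the data reaches the template.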

Building a line of defence for input content: source governance

Relying solely on the template engine's escaping mechanism is not enough; content should be strictly reviewed as it enters the AnQiCMS system, forming the first line of defence.

  1. Back-end content management configuration: AnQiCMS provides a "Whether to automatically filter external links" option under "Content Settings". Although this is mainly an SEO measure to reduce unnecessary external links, it also indirectly reduces the risk of malicious scripts being introduced through external links. When processing content, the built-in 'sensitive word filtering' feature can block some known high-risk keywords or phrases from entering the content, although it cannot completely prevent every complex JavaScript injection.
  2. Rich text editor and Markdown: AnQiCMS supports both a rich text editor and a Markdown editor. These editors usually come with some security filtering that helps sanitise user input when converting it to HTML. But note that these filters are not foolproof. Markdown content is rendered into HTML by the render filter, so the source of Markdown content should be treated with the same caution.
  3. Editor security awareness: The most important aspect is the security awareness of content editors. Train editors not to copy and paste content directly from untrusted sources, especially HTML snippets containing <script> tags or suspicious event attributes (such as onerror or onload). Encourage them to use the editor's built-in features for formatting and organising content rather than writing HTML by hand.

Introducing external resources and reviewing template code

In addition to user-entered content, the external JavaScript files introduced by the template itself must also be strictly managed.

  1. Static resource management: The static resources of AnQiCMS (such as JS scripts and CSS styles) are usually stored in the /public/static/ directory. It is recommended to place all custom or third-party JS files in this controlled directory and to ensure that these files have been reviewed and are secure.
  2. Introducing external JS libraries: If you need to include external JavaScript libraries (such as jQuery or Vue.js) in your template, make sure to load them from the officially recommended CDN or another reliable source. Avoid loading scripts dynamically from unknown websites or through user-controllable fields.
  3. Counting code and plugin scripts: AnQiCMS provides the "Counting Code Tag" (pluginJsCode) feature, which lets you configure and insert third-party statistics scripts from the back end. Although this is convenient, it also means you must trust the security of those third-party scripts. When pasting any statistics code or third-party script, check its content carefully to ensure it does not contain suspicious or malicious code.

Summary and best practices

Preventing external JavaScript code from being injected into HTML is an ongoing task. By combining the built-in security mechanisms of AnQiCMS with careful use of the safe filter, stricter review of content input and strict management of external resources, you can greatly improve the security of the website:

  • Trust automatic escaping by default: Do not use the |safe filter unless absolutely necessary.
  • Use safe with caution: Apply |safe only when you fully trust the content source and need the HTML structure, and review all uses of |safe in your templates regularly.
  • Strengthen content input: Use the back-end content filtering features and raise editors' security awareness so that suspicious code is not pasted in.
  • Review all external JS: Whether a JavaScript file is written by you or provided by a third party, make sure its source is reliable and that it contains no malicious code.
  • Keep up to date: Update AnQiCMS to the latest version to receive the latest security patches and feature enhancements.

With these strategies, you can build a stronger security defence for your AnQiCMS website, protecting the site and its users from the threat of malicious HTML injection.


Common Questions (FAQ)

Q1: Why does the <script>alert('hello');</script> that I output directly in an AnQiCMS template not execute?

A1: By default, the AnQiCMS template engine HTML-entity-encodes all content output through {{ variable }}. This means characters such as < and > are converted to &lt; and &gt;, so the browser does not recognise the result as executable script. This is a default security mechanism designed to prevent HTML injection and cross-site scripting (XSS) attacks.

Q2: I entered HTML code in the background article editor, such as adding an image tag, but only text was displayed on the front end without rendering the image. Why is that?

A2: This is most likely because you did not use the |safe filter when outputting the article content in the template. For security, AnQiCMS escapes all HTML tags by default; output the content as {{ archive.Content|safe }} to have it rendered as HTML. Make sure to verify the credibility of the content source first, to avoid introducing unsafe HTML code.

Q3: I need to load an external JavaScript statistics script in the template. How should I do this safely?

A3: Use the pluginJsCode tag ({{- pluginJsCode|safe }}) in the page footer to introduce these scripts safely. Avoid embedding <script> tags from untrusted sources directly in article content or deep inside template files, especially when using |safe.