When using AnQiCMS for website content management and template development, we may run into some confusing display issues, one of which is HTML entities being "double-escaped". This usually shows up as HTML tags that should render as formatted text instead appearing on the page as literal visible characters such as `&lt;p&gt;`, or even worse. This not only spoils the visual appearance of the site, but can also strip the content of its original styling. A solid understanding of the escaping mechanism of the AnQiCMS template engine (Pongo2) lets you avoid and resolve this problem effectively.

Firstly, we need to understand why template engines escape content at all. This is mainly for security reasons, above all to prevent cross-site scripting (XSS) attacks. If a user submits content containing code such as `<script>alert('XSS攻击!')</script>` and the template engine outputs it to the page unchanged, that script will execute in the browsers of other users, creating a security vulnerability. To avoid this, the AnQiCMS template engine by default treats all output with great "caution": special characters such as `<`, `>`, `&`, `"` and `'` are automatically converted to their corresponding HTML entities, for example `<` becomes `&lt;` and `>` becomes `&gt;`. This default automatic escaping is an important safeguard for website security.

So how does double escaping arise? When you enter content in the rich text editor in the back end, or import text containing HTML tags from outside, the content itself may already contain HTML tags, such as `<p>这是一个段落</p>`, or for some reason may even have been escaped once already into `&lt;p&gt;这是一个段落&lt;/p&gt;`.

When such content, which already contains HTML entities (or has been escaped once), is read and output by the AnQiCMS template engine, the engine encounters the string `&lt;p&gt;` and treats it as plain text, not as an HTML tag that needs parsing. It therefore escapes it again, converting the `&` character into `&amp;`. The original `&lt;p&gt;` thus becomes `&amp;lt;p&amp;gt;`. If you also add the `|escape` filter to this output variable manually, it gets even worse: as the documentation explicitly states, because escaping is already on by default, using `|escape` here causes the content to be escaped twice or even three times. This is the root cause of HTML entities such as `&amp;lt;p&amp;gt;` appearing on the page and looking like garbled text.

To resolve this double escaping problem, we need to tell the template engine explicitly which content is trusted HTML code that must not be escaped again. AnQiCMS provides several ways to handle this:

  1. Use the `|safe` filter: This is the most common and direct solution. When you are sure that the content of a variable is HTML code that has been safely reviewed, and you want it rendered as HTML, apply the `|safe` filter. For example, to output the article content on the document detail page, write `{{ articleContent|safe }}`. This filter tells the template engine: "the content of the `articleContent` variable is safe HTML code; output it directly without any escaping." But remember that the `|safe` filter bypasses the default automatic escaping mechanism, so it should only be used on content from sources you fully trust, to avoid potential XSS risks.

  2. Use the `{% autoescape %}` tag: If you need to control automatic escaping within a specific block of template code, the `autoescape` tag is very useful. You can turn automatic escaping off or on for a given region.

    • Turn off automatic escaping: everything between `{% autoescape off %}` and `{% endautoescape %}` is not automatically escaped, for example `{% autoescape off %} {{ some_html_content_variable }} {% endautoescape %}`.
    • Turn on automatic escaping: it is on by default, but if you have turned it off in one region and want to turn it back on, use `{% autoescape on %}`. This approach suits scenarios that need finer-grained control over escaping, for example when mixing escaped and unescaped content within one part of a template.
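As an added illustration (not code from AnQiCMS or the Pongo2 project), the following Go program uses the standard library's html.EscapeString and html/template, which behave like Pongo2's default autoescaping, to show how content that already contains entities turns into `&amp;lt;p&amp;gt;`, and how marking trusted, reviewed HTML as template.HTML (the standard-library counterpart of `|safe`) avoids the second pass. The stored paragraph is a constructed sample; the function names are the example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed sample: a paragraph exactly as a rich text editor would store it.
const storedHTML = "<p>这是一个段落</p>"

// EscapeChain applies HTML escaping n times. One pass is what default
// autoescaping does; every extra pass stands for an extra |escape filter or
// for content that was already escaped before it reached the template.
func EscapeChain(s string, n int) string {
	for i := 0; i < n; i++ {
		s = html.EscapeString(s)
	}
	return s
}

// LooksDoubleEscaped reports whether s carries an escaped ampersand in front
// of an entity ("&amp;lt;", "&amp;gt;", "&amp;amp;", "&amp;#"), the
// tell-tale pattern of an entity that was escaped a second time.
func LooksDoubleEscaped(s string) bool {
	for _, marker := range []string{"&amp;lt;", "&amp;gt;", "&amp;amp;", "&amp;#"} {
		if strings.Contains(s, marker) {
			return true
		}
	}
	return false
}

// Minimal page template; {{.}} is the output variable under autoescaping.
var page = template.Must(template.New("page").Parse(`<div>{{.}}</div>`))

// render executes the template with v: html/template escapes a plain string
// but emits a template.HTML value unchanged, mirroring autoescape vs |safe.
func render(v interface{}) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		return "render error: " + err.Error()
	}
	return buf.String()
}

// RenderUntrusted treats content as plain text: the engine escapes it once.
func RenderUntrusted(content string) string { return render(content) }

// RenderTrusted marks reviewed HTML as safe, the equivalent of {{ content|safe }}.
// Only reviewed, trusted HTML should ever go through this path.
func RenderTrusted(content string) string { return render(template.HTML(content)) }

func main() {
	alreadyEscaped := EscapeChain(storedHTML, 1)
	fmt.Println("raw stored HTML, autoescaped once :", RenderUntrusted(storedHTML))
	fmt.Println("pre-escaped HTML, escaped again   :", RenderUntrusted(alreadyEscaped))
	fmt.Println("double-escaped?                   :", LooksDoubleEscaped(RenderUntrusted(alreadyEscaped)))
	fmt.Println("trusted HTML, rendered as markup  :", RenderTrusted(storedHTML))
}
```

The second line of output is the symptom the article describes: the stored `&lt;p&gt;` comes out as `&amp;lt;p&amp;gt;`, which the browser then displays as the literal text `&lt;p&gt;`. The fix is not to strip escaping globally but to mark only the reviewed content as trusted, exactly as `|safe` does in the template.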

To summarize: when you find double-escaped HTML entities on an AnQiCMS website, it usually means the template engine is being overly "diligent" in protecting your content. Use the `|safe` filter on trusted HTML content, or the `{% autoescape %}` tag to control escaping in specific regions, so that content displays as expected while the site keeps the security protection AnQiCMS provides. The key is to understand the default escaping mechanism and to handle each case according to how trustworthy the content source is.


Common Questions (FAQ)

  1. When should the `|safe` filter be used? Answer: The `|safe` filter should be used when you are sure that the content of a variable is safe, harmless HTML code and you want the browser to parse and render it normally. The most typical case is article content, product descriptions and other content edited in the back-end rich text editor, since this content is normally entered by administrators and is considered trustworthy. Do not apply `safe` to content that is not trusted, otherwise it may introduce XSS security risks.

  2. Since AnQiCMS escapes automatically by default, what is the `|escape` filter for? Answer: The default automatic escaping of the AnQiCMS template engine is designed to simplify development and ensure security. However, the `|escape` filter still has specific uses. For example, inside a `{% autoescape off %}` block, when a particular variable clearly does need to be HTML-escaped, `|escape` comes in handy. It lets you manually and selectively escape specific content while default escaping is turned off, giving more flexible control. If used in the default auto-escaping environment, it will indeed cause double escaping.

  3. I see characters like `&amp;amp;lt;p&amp;amp;gt;` on the page. What is going on? Answer: This usually means your HTML entities have been escaped more than twice. The first time may be that the content itself contained, or was already escaped once into, `&lt;p&gt;`; the second time is the template engine's default automatic escaping converting it to `&amp;lt;p&amp;gt;`. If the code additionally applies the `|escape` filter, or the content has passed through several processing layers, this can produce the three-level escaping `&amp;amp;lt;p&amp;amp;gt;`. Check the original source of the content, the template output code, and whether escape operations or filter chains are applied more than once; then use the `|safe` filter, or `{% autoescape off %}` at the appropriate location.
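The diagnostic step in this answer, counting how many escaping layers a string carries, is easy to automate. The following Go helper is an added example (not part of AnQiCMS or Pongo2) that uses html.UnescapeString, which reverses exactly one layer per call, to measure the escape depth of content copied from the stored record or from the rendered page; a depth of 2 or 3 on a value that should be raw HTML points at one escape pass too many in the filter chain. The sample strings are constructed.

```go
package main

import (
	"fmt"
	"html"
)

// Constructed samples of what one stored "<p>" tag may look like at
// different points in the pipeline.
var samples = []string{
	"<p>",                       // raw HTML, never escaped
	"&lt;p&gt;",                 // escaped once (correct when the tag should show as text)
	"&amp;lt;p&amp;gt;",         // escaped twice (the double-escaping symptom)
	"&amp;amp;lt;p&amp;amp;gt;", // escaped three times (the FAQ 3 case)
}

// EscapeDepth counts how many layers of HTML escaping s carries by unescaping
// one layer at a time until the string stops changing. maxDepth bounds the
// loop so hostile input cannot make it spin.
func EscapeDepth(s string) int {
	const maxDepth = 10
	depth := 0
	for depth < maxDepth {
		next := html.UnescapeString(s)
		if next == s {
			break
		}
		s = next
		depth++
	}
	return depth
}

// UnescapeOnce removes exactly one layer. It is meant for diagnosis; the
// real fix is to remove the surplus |escape or to add |safe in the template,
// not to unescape output at render time.
func UnescapeOnce(s string) string {
	return html.UnescapeString(s)
}

// Raw strips every layer and returns the underlying markup, useful when
// comparing what was stored with what the template finally emitted.
func Raw(s string) string {
	for i := 0; i < 10; i++ {
		next := html.UnescapeString(s)
		if next == s {
			return s
		}
		s = next
	}
	return s
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-28s depth=%d raw=%s\n", s, EscapeDepth(s), Raw(s))
	}
}
```

A depth of 1 on stored rich-text content means the record was escaped before it reached the template, so the default autoescaping will produce depth 2 on the page; that tells you whether to fix the import path that stored the content or the template that outputs it.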