In daily website content operations, we often use the rich text feature of the AnQiCMS backend editor to carefully arrange articles, product details, or single-page content so that pages look more attractive. From setting title styles, inserting images, and creating lists to embedding videos, rich text editors give us great convenience and creative freedom. Behind these flexible typesetting capabilities, however, lies a security issue that cannot be ignored: how do we ensure that content containing custom HTML structures is displayed safely and correctly on the website front end? After all, any unvetted HTML can become an entry point for malicious attacks.
AnQiCMS handles the security of rich text content by combining multiple considerations, from system design through to template rendering.
First, AnQiCMS, given its positioning as an enterprise-level system written in Go, has always placed system security at its core. It is committed to providing an efficient, customizable, and secure content management solution, and focuses on avoiding potential security risks from the outset. The project explicitly mentions "Security mechanisms: including anti-interference codes, content security management, sensitive word filtering, and other functions", and these lay a solid foundation for the overall content security of the website. This means that even though we, as users, have a high degree of freedom in content creation, the system also provides a certain level of protection at the bottom layer.
At the rich text input stage, AnQiCMS provides a feature-rich editor. Whether it is the conventional WYSIWYG editor or the Markdown editor added in the new version, both allow us to organize content in different ways. It is worth mentioning that, for content edited with the Markdown editor, the system automatically converts the Markdown syntax to HTML. This means that even if we write in Markdown, structured HTML is what is presented on the front end. Because this conversion is controlled by the system, it guarantees the standardization of the generated HTML to a certain extent. Moreover, in the "Content Settings" we can configure options such as "whether to download remote images" and "whether to automatically filter external links". These features reduce risk at the source of the content, for example by filtering out unsafe external links or automatically adding the rel="nofollow" attribute to external links.
However, the key to safely displaying rich text content on the front end lies in the template rendering mechanism of AnQiCMS. To prevent cross-site scripting (XSS) and other common web security vulnerabilities, the AnQiCMS template engine (similar to the Django template engine) by default automatically escapes all HTML content output from the backend editor to the front end. This means that if we output a potentially malicious HTML snippet directly in a template, such as <script>alert('XSS');</script>, the browser will not treat it as executable JavaScript; instead it is escaped into the plain text string &lt;script&gt;alert('XSS');&lt;/script&gt;, which has lost its harmfulness. This automatic escaping is the first and most basic security barrier the system provides for us.
What should we do when we genuinely need to output raw HTML content, such as article text or complex layout structures? At that point we need to explicitly tell the template engine that this part of the content is "safe" and does not need to be escaped. This is usually done with the |safe filter in the template code, for example {{ archiveContent|safe }}. The documentation explicitly mentions this filter and explains its function. In addition, the {% autoescape off %} and {% autoescape on %} tags can control the automatic escaping behavior of a block of content in the template.
However, using the |safe filter or disabling automatic escaping means that we have transferred the responsibility for reviewing the security of that content from the default system mechanism to ourselves. The system will now completely trust this content and will no longer perform its default escaping. If content that has not been strictly reviewed, or whose source is unreliable, is incorrectly marked as safe, it could open the door to the injection of malicious scripts and lead to the website being attacked. Therefore, in practice, we must follow a strict set of rules:
- Take advantage of the system's default automatic escaping: for most text content that does not require complex HTML structures, keeping the default automatic escaping is the best option. It saves the trouble of manually reviewing the content and provides basic security protection.
- Use the |safe filter with caution: only when we are sure that the content source is reliable and strictly reviewed, and the original HTML structure is indeed needed (such as article content published by system administrators, or fixed content with specific styles or layouts), should |safe be used.
- Be vigilant about user-generated content: comments, messages, personal profiles, and other content submitted by users may contain malicious code and must absolutely not be output directly with |safe. This type of content should always be automatically escaped by the template engine, or more rigorous HTML sanitization should be performed on the backend so that only safe HTML tags are allowed through.
- Regularly check the "Content Settings": ensure that security configurations such as "Automatic filtering of external links" comply with the latest security and operational requirements of the website.
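The three behaviors described above (default escaping, explicitly marking trusted markup as safe, and sanitizing user-submitted content down to an allowlist) can be demonstrated with Go's standard html/template package, which applies the same escape-by-default model as the AnQiCMS template engine. This is an added example, not AnQiCMS code: template.HTML plays the role of the |safe filter, the allowlist in sanitizeUserHTML is a hypothetical policy for comments, and the sample strings are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// pageTemplate stands in for a theme template; {{.}} is the content slot.
const pageTemplate = `<div class="content">{{.}}</div>`

// renderAutoEscaped mirrors the engine's default behavior: the value is a
// plain string, so html/template escapes every HTML-significant character.
func renderAutoEscaped(content string) (string, error) {
	tmpl := template.Must(template.New("page").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, content); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderMarkedSafe mirrors {{ archiveContent|safe }}: wrapping the string in
// template.HTML tells html/template the markup is already trusted, so it is
// emitted unchanged. Only reviewed, administrator-authored content belongs here.
func renderMarkedSafe(content string) (string, error) {
	tmpl := template.Must(template.New("page").Parse(pageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, template.HTML(content)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// allowedTags is a hypothetical allowlist for user-submitted text such as
// comments: simple, attribute-free formatting tags only.
var allowedTags = []string{"b", "i", "em", "strong", "p", "br"}

// sanitizeUserHTML escapes the whole input first and then restores only
// exact, attribute-free tags from the allowlist. Because a tag is restored
// only when it matches "<b>" or "</b>" literally, no attribute (and so no
// event handler or script) can survive; everything else stays escaped text.
func sanitizeUserHTML(input string) string {
	out := html.EscapeString(input)
	for _, tag := range allowedTags {
		out = strings.ReplaceAll(out, "&lt;"+tag+"&gt;", "<"+tag+">")
		out = strings.ReplaceAll(out, "&lt;/"+tag+"&gt;", "</"+tag+">")
	}
	return out
}

func main() {
	// Constructed sample: the XSS probe from the article body.
	probe := "<script>alert('XSS');</script>"
	escaped, _ := renderAutoEscaped(probe)
	fmt.Println("auto-escaped :", escaped)

	// Constructed sample: reviewed article markup that may be marked safe.
	trusted, _ := renderMarkedSafe("<p>Reviewed <strong>article</strong> body</p>")
	fmt.Println("marked safe  :", trusted)

	// Constructed sample: a visitor comment that must never be marked safe.
	comment := "Nice post <b>thanks</b> " + probe
	fmt.Println("sanitized    :", sanitizeUserHTML(comment))
}
```

The sanitized comment keeps the bold tag but the script element reaches the browser as inert text; feeding the sanitizer's output through the |safe path is acceptable only because the allowlist, not the visitor, decided which markup survived.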
Through its built-in security design, automatic template escaping, and flexible, configurable content filtering options, AnQiCMS provides multiple guarantees for the safe display of rich text content on the front end. As a website operator, understanding and making good use of these features is the key to ensuring the stable and secure operation of the website.
Frequently Asked Questions (FAQ)
Q1: Why is the HTML code I enter in the AnQiCMS backend editor displayed as plain text or garbled on the front end?
A1: This is usually because the AnQiCMS template engine has its default HTML escaping enabled. To prevent cross-site scripting (XSS) attacks, the system escapes HTML tags such as <script> and <img>, etc.