Building website templates in AnQiCMS, the secure display of content is a core issue, especially when the content may contain HTML tags or JavaScript code. How to effectively prevent cross-site scripting (XSS) attacks is particularly important.AutoCMS is a Go language content management system that emphasizes security, and it considers these security challenges from the very beginning, providing corresponding mechanisms to help users manage and control the rendering of content.
Understand XSS attacks and their dangers
Firstly, we need to understand what XSS attack is.XSS, i.e. Cross-Site Scripting, refers to an attack where the attacker injects malicious scripts (usually JavaScript) into web pages. When the user accesses the page with the injected script, these scripts will execute on the user's browser.Malicious scripts can steal users' Cookie information (which may include session credentials, leading to account theft), modify web content (for phishing scams), redirect users to malicious websites, and even exploit browser vulnerabilities for deeper attacks.For a website, XSS attacks not only harm the interests of users, but also seriously affect the reputation and security of the website.
The default security mechanism of the Anqi CMS: Automatic escaping
The template engine of Anqi CMS adopts syntax similar to Django template engine, one of its core advantages being the default automatic escaping of output content. This means that when you use it directly in the template{{变量}}When displaying any content from the background, the system will automatically convert HTML tags (such as<script>/<img>/<a>etc.) and special characters (such as&/"/'/</>) into their corresponding HTML entities.
For example, if a content field contains<script>alert('XSS');</script>By default, it will not be parsed by the browser as executable JavaScript code, but displayed as text<script>alert('XSS');</script>This automatic escaping mechanism is the first and most important line of defense against XSS attacks, ensuring the security of user input content in the vast majority of cases.
When do you need to display native HTML or JavaScript?
Although automatic escaping provides strong protection, in certain specific business scenarios, we indeed need the template to be able to render HTML content directly. The most common scenarios include:
- Rich text editor content:When content (such as article details, product descriptions, single-page content, category introductions, etc.) is entered through the backend rich text editor, the content typically includes paragraphs, images, links, bold, italic, and other HTML tags. These contents are expected to be parsed and presented with formatted effects by the browser.
- Custom embedded code:Sometimes, in order to integrate third-party services (such as video players, maps, ad codes, etc.), it may be necessary to embed a section of HTML or JavaScript code manually added by the administrator in the template.
- A small amount of trusted HTML fragments:Certain specific, strictly reviewed HTML structures, which may need to be rendered directly in the template.
In this case where it is necessary to display native HTML content, Safe CMS provides|safeFilter, allowing us to explicitly tell the template engine: 'This content is safe, please do not escape it.'
Use|safeFilter: Trust and responsibility
When we need to display unescaped HTML or JavaScript content, we can add it after the variable.|safeFilter. For example, in the document detail page, we usually display the article content like this:
<div>
{%- archiveDetail articleContent with name="Content" %}
{{articleContent|safe}}
</div>
Or in the page detail:
<div>单页内容:{% pageDetail pageContent with name="Content" %}{{pageContent|safe}}</div>
|safeThe function of the filter is to bypass the automatic escaping mechanism of the template engine, and output the content of the variable as is to the HTML.
However, using|safeThe filter means a huge transfer of security responsibility.Once used,|safeThis means that you are declaring to the template engine:
- “I confirm that this variable
articleContentcontains content that has been strictly reviewed and verified.” - I guarantee that this content does not contain any malicious scripts, even if it comes from user input.
If user input containing malicious script is stored in the database without review, then through|safeThe filter is displayed in the template, which will trigger XSS attacks. Therefore, when using|safeEnsure that the content source is trustworthy, or that the content has been strictly sanitized (Sanitization) before being stored in the database.
The rich text editor content entered in content management (such as document content, page content, category content, tag content, etc.) in AnQi CMS will be treated as input by administrators or trusted users, therefore it is used in templates.|safeRendering this content is common and reasonable. But if some of your fields allow ordinary users to directly input HTML or JavaScript, and you have used|safeGo ahead and show it, but it requires extreme caution.
For more detailed control:autoescapeTags and|escapeFilter
Except|safeThe filter, the template engine of AnQi CMS also providesautoescapeTags and|escapeA filter for more finely grained control over escaping behavior:
{% autoescape off/on %}Tags:Can be used to turn on or off the automatic escaping feature within a module section.{% autoescape off %}to{% endautoescape %}The content between the two will not be automatically escaped.{% autoescape on %}The status is usually implicit, and it will force the enable of escaping, even if the external environment has set it to be disabled. In actual use, since the security CMS is set to enable automatic escaping by default,onthe status is usually implicit,offStatus should be used with caution, and is typically used for those specific content blocks that you completely trust and need to parse HTML.
|escapeFilter:This filter will force the content to be escaped as HTML entities. In the default automatic escaping environment of Anqi CMS,|escapeIt is usually redundant because it merely repeats the default behavior. However, in certain specific scenarios, like when you have turned offautoescape, but a variable still needs to be escaped, you can use it.
JavaScript content special processing:|escapejsFilter
If your content needs to be embedded into a JavaScript code block (for example, as a value of a JavaScript variable), simply use|safeIt may not be enough to prevent all types of JS injection by automatically escaping. At this point,|escapejsthe filter comes into play.
|escapejsThe filter will replace special characters in the content (such as"/'/\/\nEnglish"English\"English\nThis can effectively prevent attackers from executing malicious JavaScript by closing the string or injecting new code lines.
Example usage:
`twig