AnQiCMS, as a content management system, provides strong support for publishing and displaying content. For those accustomed to writing in Markdown, its convenience is self-evident. However, when Markdown content is converted to browser-readable HTML, a filter named `safe` plays a crucial role.

Markdown to HTML conversion: convenience and default escaping

In AnQiCMS, we usually use the Markdown editor to create articles, product descriptions, and other content. With its concise syntax, Markdown lets content creators focus on the text itself without worrying too much about formatting details. For example, bold text is produced with a few asterisks, and a hash sign marks a heading. When we save and publish this Markdown content, AnQiCMS automatically parses it and converts it to HTML on the backend, so that it can be rendered and displayed correctly on the frontend page.

However, to keep the website secure, modern web frameworks and template engines escape every variable output to the page by default. This means that if your content contains HTML tags such as `<p>`, `<a>` or `<img>`, the template engine will not treat them as tags during rendering but will convert them into the entity-encoded forms `&lt;p&gt;`, `&lt;a&gt;`, `&lt;img&gt;`; what ends up on the page is the raw text with angle brackets, not styled paragraphs, links, or images. This mechanism exists to prevent cross-site scripting (XSS) attacks, so that injected markup or script cannot be executed in the page.

The `safe` filter: ensuring content displays normally

Against this background, the `safe` filter becomes particularly important. Its core function is to tell the AnQiCMS template engine explicitly: "This content is safe; do not escape it into HTML entities, but parse and render it directly as HTML."

Imagine you wrote an article with many pictures and descriptions, using plenty of Markdown syntax: headings, paragraphs, lists, images, and links. Without the `safe` filter, all the HTML tags that AnQiCMS produced from that Markdown would be displayed on the page as plain text. Your users would see a jumble of HTML code instead of clear, attractive, well-formatted content. For example, `<h2>文章标题</h2>` would appear as `&lt;h2&gt;文章标题&lt;/h2&gt;`.

By applying the `|safe` filter to the Markdown-converted content variable in the template, AnQiCMS ensures that the browser interprets this content as HTML, so the layout, styling, and functionality you expect are preserved. For example, when retrieving an article's details, the `Content` field is output as `{{ archiveContent|safe }}`. Here, `archiveContent` is the HTML string produced by the AnQiCMS Markdown engine, and `|safe` ensures that this HTML is rendered normally by the browser.

Security and responsibility: notes on using `safe`

Although the `safe` filter is essential for displaying HTML converted from Markdown correctly, it is also a "privileged" feature that must be used with care. Once you apply `safe`, you are essentially assuring the template engine that this content is entirely trustworthy and contains no malicious code.

This means that if the origin of your content is unclear, or if you pass unfiltered user input (such as comments, messages, or unverified custom fields) directly through the `safe` filter, you may open the door to XSS attacks. An attacker could inject malicious scripts, steal user data, or even tamper with page content.

AnQiCMS emphasizes "software security" and "content security management" in its design, ships built-in features such as sensitive-word filtering, and is committed to providing a secure operating environment. As content operators, when we use the `safe` filter we must also take on the corresponding responsibility:

  1. Use it only for trusted content: make sure the content you apply `safe` to is generated by a backend editor (such as the Markdown editor or the rich-text editor) and that the content itself is trusted.
  2. Avoid using it directly on unreviewed user input: for comments and messages submitted by users, AnQiCMS usually applies its default filtering and escaping. If such content must be displayed, make sure it has been strictly filtered and sanitized on the server side, or do not apply `safe` to it in the template.
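To make the two rules above concrete, here is an added example (not AnQiCMS code) that reproduces the same escaping behaviour with Go's standard `html/template`, where wrapping a string in `template.HTML` plays the role of `|safe`. The sample strings are constructed for the demonstration; the only assumption is the Go standard library.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// One template that outputs a single variable, like {{ archiveContent }} in a theme.
var page = template.Must(template.New("page").Parse(`<div class="content">{{.}}</div>`))

// execute renders the value through the template and returns the resulting HTML.
func execute(v interface{}) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderAutoEscaped passes the content as a plain string: the engine escapes
// < > & " ' into entities, which is the default for every variable without |safe.
func renderAutoEscaped(content string) string {
	return execute(content)
}

// renderMarkedSafe wraps the content in template.HTML, the equivalent of |safe:
// the engine trusts it completely and emits it verbatim, tags included.
func renderMarkedSafe(content string) string {
	return execute(template.HTML(content))
}

func main() {
	// Constructed sample: what the backend Markdown engine emits for "## Article title".
	// This is trusted editor output, so marking it safe is the right call.
	fromMarkdown := "<h2>Article title</h2>"
	fmt.Println(renderAutoEscaped(fromMarkdown)) // user sees literal &lt;h2&gt; text
	fmt.Println(renderMarkedSafe(fromMarkdown))  // user sees a real heading

	// Constructed sample of unreviewed user input: a comment containing markup.
	// Auto-escaping neutralises it; marking it safe would emit the tag unchanged.
	userComment := "<script>/* anything */</script>nice post"
	fmt.Println(renderAutoEscaped(userComment)) // harmless text, tags shown literally
	fmt.Println(renderMarkedSafe(userComment))  // the mistake rule 2 warns against
}
```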

In summary, the `safe` filter in AnQiCMS is the bridge between convenient authoring in Markdown and faithful display of the final HTML. It lets our content appear in rich formats and greatly improves the user experience. At the same time, it requires us to stay vigilant and responsible about web security while enjoying that convenience, so that the website keeps running securely and reliably.


Frequently Asked Questions (FAQ)

  1. What happens if Markdown content in AnQiCMS is output without the `safe` filter? If the HTML converted from Markdown is output without `safe`, the browser does not parse HTML tags such as `<p>`, `<h1>`, `<a>` and `<img>` into the corresponding elements; they are displayed as plain text on the page. For example, the user sees `&lt;h1&gt;标题&lt;/h1&gt;` rather than a styled heading.

  2. When should the `safe` filter not be used? It is generally inadvisable to pass any untrusted or insufficiently filtered user input (such as text submitted in comment sections or message boards) directly through the `safe` filter. Doing so could allow a malicious user to inject HTML or JavaScript and trigger a cross-site scripting (XSS) attack, endangering the website and its users.

  3. What is the difference between the `safe` filter and the `render=true` parameter on the `Content` field of the document detail tags? The `render=true` parameter (used with the `Content` field in the `archiveDetail` or `pageDetail` tags) explicitly instructs AnQiCMS to perform the Markdown-to-HTML conversion when fetching the content; that is, it governs the conversion step and decides whether the content is turned from Markdown into HTML. The `safe` filter acts on the HTML after it has been generated, telling the template engine not to apply the default HTML entity escaping when outputting it to the browser. In short, `render=true` is responsible for converting Markdown to HTML, and `safe` is responsible for making that HTML display normally instead of as plain text. The two are usually used together: first convert with `render=true`, then output with `|safe`.