The safe filter plays a crucial role
Markdown to HTML conversion: Convenience and default escaping
In AnQiCMS we usually write articles, product descriptions and other content in the Markdown editor. Markdown's concise syntax lets content creators concentrate on the text itself rather than on formatting details: a few asterisks make text bold, and a hash mark turns a line into a heading. When this Markdown content is saved and published, AnQiCMS parses it on the backend and converts it to HTML so that it can be rendered correctly on the frontend page.
For the security of the website, however, modern web frameworks and template engines escape every variable output to the page as HTML entities by default. This means that if the converted content contains tags such as <p>, <a> or <img>, the template engine does not treat them as HTML during rendering but encodes them as the entities &lt;p&gt;, &lt;a&gt; and &lt;img&gt;. What appears on the page is the original text, angle brackets included, rather than a styled paragraph, a link or an image. This mechanism exists to prevent cross-site scripting (XSS): it stops malicious markup or script that was injected into a variable from being executed in the visitor's browser.
The appearance of the safe filter: ensuring content displays normally
It is in this context that the safe filter becomes important. Its core function is to tell the AnQiCMS template engine explicitly: "This content is safe; do not HTML-entity-encode it, parse and render it directly as HTML."
Imagine an article with many images and explanations, written with plenty of Markdown syntax: headings, paragraphs, lists, images and links. Without the safe filter, all the HTML tags that AnQiCMS produced from that Markdown would be displayed on the page as plain text. Your users would see a jumble of HTML code instead of well-structured, nicely formatted content. For example, <h2>Article title</h2> would be shown as the literal text <h2>Article title</h2> instead of a heading.
By applying the safe filter to the content variable converted from Markdown in the template, AnQiCMS ensures that the browser interprets this content as HTML, so the layout, styling and functionality you expect are displayed. For example, when fetching the Content field of an article's details, the usual form in the template is {{ archiveContent|safe }}. Here archiveContent is the HTML string produced by AnQiCMS's Markdown engine, and |safe ensures that this HTML is rendered normally by the browser.
Security and responsibility: precautions when using safe
Although the safe filter is essential for displaying the HTML converted from Markdown correctly, it is also a privileged feature that must be used with caution. Once you use safe, you are asserting to the template engine that this piece of content is completely trustworthy and contains no malicious code; the engine performs no further checks of its own.
This means that if the origin of the content is unclear, or if user-submitted content (comments, messages, unvalidated custom fields) is output through the safe filter without strict filtering, the door is open to XSS attacks. An attacker can inject scripts that run in other visitors' browsers, steal their session data, or tamper with the page content.
AnQiCMS emphasises software security and content security management in its design and ships with features such as sensitive-word filtering, aiming to provide a secure operating environment. As content operators, when we use the safe filter we also have to take on the corresponding responsibilities:
- Apply it only to trusted content: make sure that the content you pass through the safe filter was generated by the backend editor (the Markdown editor or the rich-text editor) and that the content itself is trusted.
- Never output unreviewed user input through it: for comments, messages and other content submitted by users, AnQiCMS normally applies a default filtering and escaping mechanism. If such content must be displayed, make sure it has been strictly filtered and sanitised on the server side, or do not apply safe to it in the template. Note that sensitive-word filtering is a content-moderation feature, not an XSS defence: only the default escaping, or an allowlist-based HTML sanitiser, prevents script injection.
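The following is an added example, not code from AnQiCMS or its template engine. It reproduces the behaviour described in the two sections above (default escaping versus |safe, and the rule of marking only backend-generated HTML as safe) using Go's standard html/template package, whose template.HTML type plays the same role as the safe filter. The template, the rendered Markdown fragment and the visitor comment are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample inputs for this example; not content from a real site.
const (
	// What a Markdown engine produces for "## Article title" followed by a
	// paragraph with a link. Trusted: the backend generated it from the
	// editor's own content.
	renderedMarkdown = `<h2>Article title</h2><p>See <a href="/about">about</a>.</p>`

	// A comment exactly as a visitor submitted it. Untrusted.
	visitorComment = `Nice post <script>alert(document.cookie)</script>`
)

// A template with the same shape as the AnQiCMS snippet in the text.
// Go's html/template escapes every {{ . }} in text context by default,
// which is the behaviour the text describes; a value of type
// template.HTML is exempt from that escaping, which is what |safe does.
var page = template.Must(template.New("page").Parse(`<div class="content">{{ . }}</div>`))

// RenderEscaped outputs content the way the engine does without |safe:
// <, >, &, " and ' become HTML entities, so tags are shown as text.
func RenderEscaped(content string) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, content); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe outputs content as if it were piped through |safe: the
// string is inserted verbatim and the browser parses it as HTML.
func RenderSafe(content string) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, template.HTML(content)); err != nil {
		panic(err)
	}
	return buf.String()
}

// Output applies the rule from the precautions above: only content the
// backend produced from the editor's Markdown is marked safe; anything a
// visitor typed is escaped, no matter how harmless it looks.
func Output(content string, producedByBackend bool) string {
	if producedByBackend {
		return RenderSafe(content)
	}
	return RenderEscaped(content)
}

func main() {
	fmt.Println("Markdown HTML, no safe:  ", RenderEscaped(renderedMarkdown))
	fmt.Println("Markdown HTML, with safe:", RenderSafe(renderedMarkdown))
	fmt.Println("Comment, no safe:        ", RenderEscaped(visitorComment))
	fmt.Println("Comment, with safe (XSS):", RenderSafe(visitorComment))
	fmt.Println("Comment via Output:      ", Output(visitorComment, false))
}
```

Running it shows the two failure modes side by side: the trusted Markdown output only looks right when marked safe, while the visitor comment is harmless when escaped and delivers a working script tag the moment it is marked safe. The decision is made by where the content came from, never by how it looks.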
In short, the safe filter is the bridge between convenient Markdown authoring and correct HTML display in AnQiCMS. It lets our content be presented in rich formats and greatly improves the user experience, but while enjoying that convenience we must stay vigilant about web security and take responsibility for it, so that the site keeps running safely and stably.
Common Questions (FAQ)
What happens if Markdown content in AnQiCMS is not passed through the safe filter?
If the HTML converted from Markdown is output without the safe filter, its HTML tags (<p>, <h1>, <a>, <img> and so on) are not parsed by the browser into the corresponding elements but are displayed on the page as plain text. For example, the user sees the literal text <h1>Title</h1> rather than a styled heading.
When should the safe filter not be used?
Do not apply the safe filter to content entered by any user who is not fully trusted, or that has not gone through strict security filtering, such as text submitted to message boards or comment sections. Doing so lets a malicious user inject HTML or JavaScript, which can trigger cross-site scripting (XSS) attacks and threatens both the website and its users.
What is the difference between the safe filter and the render=true parameter of the Content field in document detail tags?
The render=true parameter (used in the archiveDetail or pageDetail tags) acts on the Content field: it tells AnQiCMS to perform the Markdown-to-HTML conversion when retrieving the content, that is, it decides whether the content is converted from Markdown into HTML. The safe filter acts after the HTML has been generated: it tells the template engine not to apply its default HTML-entity escaping when outputting that HTML to the browser. In short, render=true converts Markdown to HTML, and safe makes that HTML display normally instead of being escaped into plain text. They are usually used together: first convert with render=true, then output with |safe.