Managing and displaying content in AnQiCMS is the core task of website operation, but it is just as important to make sure that this content reaches users safely. Cross-site scripting (XSS) is a risk that cannot be ignored: it can cause malicious code to run in a visitor's browser when they open your site, leading to stolen user data, tampered page content, and even hijacked user sessions.
To defend against such attacks, understanding and correctly applying content escaping is a basic skill in website development and operation. AnQiCMS, as a content management system that focuses on security and efficiency, provides a complete set of mechanisms for template output to help us deal with XSS risks.
The default protection mechanism of AnQiCMS template
Fortunately, the AnQiCMS template engine, which uses a powerful parser with a syntax similar to Django templates, was designed from the start with default protection for output content. This means that whenever you output a value in a template with double curly braces, {{ 变量 }}, the system automatically escapes any special characters that could form HTML or JavaScript code.
For example, a value that contains the string <script>alert('XSS')</script> is output by default as &lt;script&gt;alert('XSS')&lt;/script&gt;. The browser then treats it as plain text rather than executable code, which blocks the XSS attempt. This automatic escaping is the first and most important line of defense for your website's security.
When and how to disable escaping: the |safe filter
However, not all content should be escaped, in particular content that you trust and that already contains HTML-formatted rich text, such as the body of an article. This content is usually entered through the backend rich text editor and has to be rendered as HTML (it contains images, links, bold text, and so on).
In this case, if the default escaping is left on, every HTML tag in the article is escaped and the raw HTML source is shown on the page instead of the formatted layout. To display this content correctly, you need to tell the template engine explicitly that the content is "safe" and does not require escaping.
For this, we use the |safe filter, which tells the template engine to skip automatic escaping for that specific value. For example, to output the body of an article on the article detail page, you can write:
<div>
{{ archive.Content|safe }}
</div>
Important reminder: the |safe filter should be used with great caution and only on content whose source you completely trust. Once you apply |safe, you take full responsibility for the security of that content. If the content comes from unfiltered user input, using |safe opens the door directly to XSS attacks.
Explicit control of escaping: the |escape filter and the {% autoescape %} tag
Although AnQiCMS enables automatic escaping by default, sometimes you need finer-grained control.
The |escape filter explicitly HTML-escapes a value. Since values are already escaped by default, in most cases {{ 变量|escape }} has the same effect as {{ 变量 }}. It is mainly useful in the following situations:
- When you have temporarily disabled automatic escaping for a block with the {% autoescape off %} tag but still want a specific variable inside that block to be escaped.
- To make the intention that a variable must be escaped explicit for readability, even though it would be escaped by default.
The {% autoescape on/off %} tag lets you turn automatic escaping on or off for a whole block of the template. This is useful for areas that mix a lot of content, some of which needs escaping and some of which does not.
{# Escaping is on by default; here it is explicitly turned off #}
{% autoescape off %}
<p>这个段落的HTML内容不会被转义:{{ unsafe_html_content }}</p>
{# But this variable should still be escaped #}
<p>这个变量会被转义:{{ user_input|escape }}</p>
{% endautoescape %}
Handling output in JavaScript: the |escapejs filter
When you need to output a variable inside JavaScript code, HTML escaping rules are not sufficient. This is where the |escapejs filter becomes important. It escapes the value for a JavaScript context, so that quotes, slashes, newlines, and other characters cannot break out of the JavaScript string or introduce a malicious script.
For example, to insert the article title into a JavaScript variable:
<script>
var articleTitle = "{{ archive.Title|escapejs }}";
alert(articleTitle);
</script>
If archive.Title contains O'Reilly Says <script>alert('XSS')</script>, then after |escapejs it becomes O\x27Reilly Says \x3cscript\x3ealert(\x27XSS\x27)\x3c/script\x3e, which can be used safely inside the JavaScript string without executing any script.
Summary of practical application scenarios
- Plain text fields (title, summary, custom short text): for most user input or short backend text fields, such as {{ archive.Title }} / {{ archive.Description }}, you can normally rely on the default automatic escaping of AnQiCMS. This is the safest and most convenient approach.
- Rich text content (article body, single-page content, category content, etc.): for content entered through a rich text editor, which inherently contains HTML tags (such as archive.Content / page.Content / category.Content), decide according to your actual needs whether the HTML should be rendered. If this content is trusted and must be displayed as HTML, {{ archive.Content|safe }} is required. Make sure such content has been sanitized at least once on the server before it enters the database.
- User-generated content (comments, messages, usernames, etc.): for any content that comes from users and is not fully under your control and strict filtering, always keep the default automatic escaping when outputting it in the template, or use {{ user_comment|escape }} explicitly. Never use the |safe filter on user-generated content unless a very thorough backend sanitization mechanism guarantees its safety.
- Variables in a JavaScript context: whenever you output a variable inside a <script> tag or an HTML event attribute (such as onclick), use the |escapejs filter to prevent JavaScript injection.
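The decision rules above, together with the |escapejs behaviour described earlier, as an added Go example that is not AnQiCMS code: it models the default HTML escaping with Go's html package, models |escapejs with the \xHH style shown in the text, and applies the scenario table (the contexts "text", "richtext" and "js" and the render function are this example's own names).

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// escapeJS models |escapejs: each character that could end a JavaScript string
// literal or re-open HTML inside <script> becomes a \xHH escape (\uHHHH for the
// JavaScript line terminators U+2028/U+2029); everything else passes through.
func escapeJS(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\u2028' || r == '\u2029':
			fmt.Fprintf(&b, "\\u%04x", r)
		case r < 0x20 || strings.ContainsRune("\\'\"<>&=-;`", r):
			fmt.Fprintf(&b, "\\x%02x", r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// render applies the scenario rules: ctx is "text" (title, summary), "richtext"
// (article body) or "js" (quoted string inside <script>). Default escaping uses
// Go's html package here; the engine's exact entity for quotes may differ. The
// only path that emits raw markup is rich text whose source the operator trusts.
func render(value, ctx string, trusted bool) string {
	switch ctx {
	case "richtext":
		if trusted {
			return value // |safe: the operator vouches for this HTML
		}
		return html.EscapeString(value) // untrusted rich text keeps default escaping
	case "js":
		return `"` + escapeJS(value) + `"` // |escapejs, wrapped in the string quotes
	default:
		return html.EscapeString(value) // plain {{ variable }}
	}
}

func main() {
	payload := "<script>alert('XSS')</script>" // constructed sample from the text above
	fmt.Println(render(payload, "text", false))
	fmt.Println(render("<p>Hello <b>world</b></p>", "richtext", true))
	fmt.Println("var articleTitle = " + render("O'Reilly Says "+payload, "js", false) + ";")
}
```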
Summary
AnQiCMS provides a solid foundation for the safe output of website content through its template engine and flexible filters. As website operators, our core responsibility is to understand these tools and choose the right escaping strategy based on the source and nature of each piece of content. Always remember: unless it is absolutely necessary and the content source is absolutely reliable, let the default automatic escaping take effect. Security is no small matter; the more alert you are, the better protected the website is.
Frequently Asked Questions (FAQ)
Question: When do I have to use the |safe filter?
Answer: When you are sure that the content you are about to output is itself HTML that needs to be parsed by the browser (such as an article body edited in the backend rich text editor), and you completely trust the source of the content and are confident it contains no malicious script, then you should use the |safe filter. In most other cases, let the template engine's default automatic escaping take effect.
Question: If I am unsure whether a variable contains malicious HTML code, what should I do?
Answer: If you are unsure about the safety of the content, the safest practice is not to use the |safe filter and to let the AnQiCMS template engine perform its default automatic escaping. Any potentially malicious HTML is then escaped and displayed as plain text, and is not executed in the user's browser, which avoids XSS attacks. If the content needs to be presented as HTML, it should be strictly sanitized on the server before being stored in the database.
Question: What are the main differences between the |safe and |escapejs filters?
Answer: They differ in where they apply and in what they escape. The |safe filter is used when outputting content in an HTML context and disables the default HTML escaping so that the browser parses the HTML normally. The |escapejs filter is used when outputting content in a JavaScript context and applies JavaScript-specific escaping to special characters, preventing them from breaking JavaScript syntax or injecting malicious code. In short, |safe removes HTML escaping, while |escapejs adds JavaScript escaping.