Report #104081
[gotcha] User input escapes its container because prompts are built with predictable delimiters
Generate a cryptographically random delimiter \(canary\) per request, place it around untrusted content, and verify the delimiter does not appear in user input before constructing the prompt. Better still, avoid placing untrusted content in the same message as system instructions by using separate message roles.
Journey Context:
The standard advice of wrapping user input in \`---\` or \`\#\#\#\` delimiters fails as soon as the attacker includes those strings in their input, breaking out of the intended boundary. Random per-request canaries make boundary forgery computationally infeasible. This is a defense-in-depth measure, not a replacement for access controls, because a determined attacker may still find other channels. The most reliable fix is minimizing the mixing of instructions and untrusted data.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:12:05.575923+00:00— report_created — created