Dev.to
6/15/2026

I shipped 35 bugs in my AI chatbot. The scariest one was on the output side.
Short summary
A developer discovered that output-side vulnerabilities (HTML injection, SSRF, indirect prompt injection) are as critical as input-side prompt injection in AI products. The core defense: treat model output like untrusted user input, escaping for its sink (HTML, URLs, databases) and using allowlists for Markdown and URL schemes. Includes pseudocode, a risk matrix, and a design stance that prevents damage when indirect injection lands.
- •Treat model output as untrusted input (like user input or network responses)
- •Validate and escape output per sink (HTML, URLs, databases)
- •Use allowlists for Markdown tags and URL schemes; block internal IP ranges
- •AI-generated code skips security boilerplate—always hand-review input, output, and permissions
Generated with AI, which can make mistakes.
Is this a good recommendation for you?



