Back to feed
Dev.to
Dev.to
6/15/2026
I shipped 35 bugs in my AI chatbot. The scariest one was on the output side.

I shipped 35 bugs in my AI chatbot. The scariest one was on the output side.

Short summary

A developer discovered that output-side vulnerabilities (HTML injection, SSRF, indirect prompt injection) are as critical as input-side prompt injection in AI products. The core defense: treat model output like untrusted user input, escaping for its sink (HTML, URLs, databases) and using allowlists for Markdown and URL schemes. Includes pseudocode, a risk matrix, and a design stance that prevents damage when indirect injection lands.

  • Treat model output as untrusted input (like user input or network responses)
  • Validate and escape output per sink (HTML, URLs, databases)
  • Use allowlists for Markdown tags and URL schemes; block internal IP ranges
  • AI-generated code skips security boilerplate—always hand-review input, output, and permissions

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more