Treat LLM output exactly as you treat user input: untrusted until proven safe for its context.
If you HTML-encode user-submitted text before rendering it, HTML-encode LLM output too. If you use parameterized queries for user-supplied database values, do the same for LLM-generated ones. If you don’t let users run arbitrary shell commands, don’t let the LLM do it either.
There’s no single sanitization that covers every case. The right fix depends on where the output goes:
→ HTML context: encode <, >, &, "
→ SQL context: parameterized queries, never string concatenation
→ Shell context: avoid passing LLM text to exec(); use sandboxes
→ URL context: validate scheme; block javascript: and internal IPs
→ File path context: allowlist directories; reject traversal patterns
Part 2 walks through four real-world attack patterns — each anchored to a confirmed CVE or incident. You’ll see exactly what breaks and what the attacker achieves.