Slide 19 of 27
Part 4 · Prevention · Mitigation 1 of 7
The LLM is not a trusted source. Build accordingly.
📄 OWASP LLM Top 10:2025 · LLM05 Prevention — Zero-Trust Output Handling
M1 — Zero-Trust Output
Apply the Same Security Controls to LLM Output as to User Input

“Follow secure coding practices, such as OWASP ASVS (Application Security Verification Standard), with a focus on input validation and sanitization.” OWASP LLM05 treats every downstream path for LLM output as a potential injection vector that must be defended.

CVE-2023-29374 (LangChain) shows exactly what happens when developers trust LLM output: the LLMMathChain passed model output directly to exec(), reasoning that the model would only produce valid math. Attackers immediately disproved this. The CVSS 9.8 rating reflects how completely the trust assumption failed.

→ Every path that delivers LLM output to a downstream system needs a validation gate
→ Map each output path in your architecture (browser render, DB query, shell exec, API call)
→ Apply the appropriate sanitization for each path type — there is no one-size-fits-all
→ Code review: search for every place LLM responses are used and verify each is guarded

Send a response containing <script>alert(1)</script> through your application. If an alert box appears, or if a test query runs, zero-trust output is not implemented.
