Hacker News
I reproduced a Claude Code RCE. The bug pattern is everywhere
(vechron.com)
7 points by GeorgeWoff25 30 days ago | 2 comments
ashishgupta2200 30 days ago
This is a good argument for treating AI agent products like you’d treat a browser or PDF reader, assume untrusted input all the way through and sandbox ruthlessly, instead of sprinkling a couple of string checks and calling it a day.
GeorgeWoff25 30 days ago
Joernchen found it. I reproduced it and checked if Cursor and Continue.dev have the same startsWith parsing issue. They do.