Output Sanitization

This technique converts potentially dangerous characters into their safe, encoded equivalents to prevent Cross-Site Scripting (XSS) and injection attacks when outputs are rendered in web contexts.

• Core Function: Replaces characters like <, >, &, ", and ' with their corresponding HTML entities (<, >, &, ", ').
• Prevents: The accidental interpretation of model-generated text as executable HTML or XML markup.
• Example: The string <script>alert('xss')</script> is encoded to <script>alert('xss')</script>, rendering it inert text.
• Libraries: Standard in web frameworks (e.g., Python's html.escape(), JavaScript's text content assignment).

This process checks a model's raw text output for valid JSON syntax and attempts to fix common errors like unclosed quotes or brackets before parsing.

• Core Function: Uses a validator (e.g., json.loads() in Python) to detect syntax errors, then applies heuristic repair logic for minor fixes.
• Prevents: Application crashes due to JSONDecodeError and data pipeline failures.
• Common Fixes:
  • Balancing unmatched {, }, [, ].
  • Escaping unescaped quotes within strings.
  • Removing trailing commas in objects/arrays.
• Caution: Complex repairs can change semantics; validation should always precede repair. For guaranteed JSON, use JSON Mode or Grammar-Based Decoding at generation time.

This technique neutralizes model-generated text intended for database queries by parameterizing queries or rigorously escaping input, preventing unauthorized database access or modification.

• Core Principle: Never concatenate raw model output directly into an SQL query string.
• Primary Method: Use parameterized queries (prepared statements) where user/model input is passed as data parameters, not SQL code.
• Secondary Method: If dynamic SQL is unavoidable, apply strict allow-listing of expected characters and use database-specific escaping functions (e.g., psycopg2.extensions.quote_ident() for PostgreSQL).
• Prevents: Attacks that could lead to data theft (SELECT * FROM users), deletion (DROP TABLE), or corruption.

This method sanitizes strings that will be passed to a system shell (e.g., bash, zsh) to prevent command injection, where an attacker could execute arbitrary commands on the host machine.

• Core Function: Properly escapes or quotes shell metacharacters like ;, &, |, >, <, backticks, and $.
• Best Practice: Avoid passing model output directly to a shell. Use high-level APIs or libraries that handle arguments as lists.
• Example (Unsafe): os.system(f"echo {model_output}") where model_output is hello; rm -rf /.
• Example (Safe): Use subprocess.run(['echo', model_output]), which treats model_output as a single argument.
• Libraries: Use shlex.quote() in Python to correctly escape a string for a POSIX shell.

This proactive technique defines a strict set of permitted characters, patterns, or values, rejecting any model output that contains elements outside this allow-list.

• Core Function: Enforces a positive security model ("only this is allowed") versus a block-list ("this is forbidden").
• Use Cases:
  • Ensuring output contains only alphanumeric characters and specific punctuation for a slug.
  • Validating that a generated classification label matches one from a predefined set.
  • Ensuring a phone number string matches a specific regex pattern.
• Advantage: More robust than block-listing, as it is impossible to anticipate all malicious inputs. It defines the exact, safe boundary for data.

This technique converts varied, semantically equivalent model outputs into a single, standardized (canonical) format, ensuring consistency for downstream processing and storage.

• Core Function: Applies deterministic rules to transform data into a normal form.
• Common Examples:
  • Dates: Convert "Jan 5, 2024", "05/01/24", "2024-01-05" into the canonical ISO 8601 format: "2024-01-05".
  • Phone Numbers: Strip formatting, country codes, and store as E.164 format (e.g., +14155552671).
  • Text: Convert to a standard case (lowercase), normalize Unicode (NFKC), and trim extraneous whitespace.
• Benefit: Eliminates ambiguity, simplifies validation, and enables reliable comparison and indexing of data.

Model outputs may inadvertently contain executable code snippets, such as JavaScript, SQL, or shell commands, especially when processing user-generated content. Sanitization involves:

• Escaping special characters (e.g., < to <, > to >).
• Stripping or neutralizing <script>, <?php, and SELECT * tags/patterns.
• Using dedicated libraries like DOMPurify for HTML contexts to prevent Cross-Site Scripting (XSS) attacks. Failure to sanitize can lead to code injection vulnerabilities in web applications or databases.

Even with JSON Mode or schema enforcement, models can produce outputs with:

• Unescaped quotes within strings (e.g., {"text": "He said "hello""}).
• Trailing commas in objects or arrays.
• Invalid control characters or line breaks within strings. Sanitization uses validating parsers (like json.loads() in Python) with robust error handling. Invalid JSON is either rejected or repaired by escaping characters and removing syntactic errors to ensure downstream parsers do not crash.

A malicious user's input, designed to hijack the model's instruction, may persist in the raw output. Sanitization aims to detect and neutralize these adversarial artifacts, such as:

• Instruction overrides (e.g., "Ignore previous instructions...").
• Jailbreak patterns or delimiter-based attacks.
• Encoded payloads (base64, hex) intended for secondary execution. Techniques include pattern matching, output length limits, and contextual filtering to remove any text that resembles an attempt to subvert the original system prompt.

Models may generate or regurgitate sensitive data from their training set or context. Sanitization involves redacting or anonymizing:

• Names, email addresses, and phone numbers.
• Social Security Numbers, credit card numbers, and passport IDs.
• Physical addresses and specific geolocation coordinates. This is achieved using regular expressions, named entity recognition (NER) models, or dedicated PII detection services to comply with regulations like GDPR and HIPAA before logging or exposing the output.

A model may output values that are syntactically correct but semantically invalid for the application. Sanitization enforces business logic constraints:

• Numerical ranges: Ensuring a percentage field is between 0 and 100.
• String enums: Checking a status field matches only "open", "closed", or "pending".
• Referential integrity: Verifying that an id field references an existing entity in a database. This step often involves a validation layer that checks the structured data against a domain-specific schema beyond basic JSON Schema type checks.

When a model is instructed to produce plain text, it may still include residual formatting. Sanitization strips or converts:

• Markdown syntax like **bold**, # headers, and [links](url).
• Raw HTML tags such as <b>, <i>, or <a href="...">.
• LaTeX or code fence delimiters (e.g., ```python). This ensures the final output is pure, unformatted text suitable for text-only displays, SMS, or systems where rendering markup could be a security or display issue.

A constrained decoding technique that restricts a model's token-by-token generation to follow a formal grammar. This ensures syntactically valid output in formats like JSON, SQL, or XML. The grammar, often defined in EBNF (Extended Backus–Naur Form), acts as a rule set the decoder must obey, making invalid outputs impossible. It is more flexible than simple JSON mode, allowing for complex, domain-specific languages.

The automated process of checking a model's raw response against a schema or set of rules after generation but before downstream use. This is a safety net that works in tandem with prompt engineering and constrained decoding. Validation checks for:

• Syntactic correctness (valid JSON/XML)
• Semantic validity (fields match expected types, values are within ranges)
• Business logic compliance (e.g., end date is after start date) Failed validations typically trigger a retry or a structured error.

The core task of using an LLM to identify and pull specific entities and relationships from unstructured text (e.g., emails, documents) and output them in a structured schema. Output Sanitization is a crucial final step in this pipeline. The process involves:

1. Instruction Prompting to define the target schema.
2. Model Inference to generate a raw structured output.
3. Sanitization & Validation to clean and verify the extracted data. This is fundamental for turning text into actionable database records or API calls.

A single, standardized representation to which all model outputs for a given task are coerced. This simplifies parsing, storage, and comparison. For example, all dates might be normalized to ISO 8601, numbers formatted without commas, and strings trimmed. Output Sanitization often includes steps to transform the model's raw text into this canonical form, ensuring consistency for downstream systems that expect a precise data shape.

The use of prompt engineering, few-shot examples, and post-processing to mold a model's free-form output into a desired structured or stylistic form. While Constrained Decoding forces format at the token level, and Sanitization cleans the result, Response Shaping is the broader design strategy that instructs the model on how to format its answer. This includes using XML tags in the prompt, providing output templates, and specifying delimiters for key-value pairs.