Input sanitization is a foundational defensive layer that cleanses untrusted user text by removing or encoding control characters, escape sequences, and delimiter tokens before they reach a language model. This process prevents attackers from injecting special syntax—such as markdown fences, XML tags, or JSON structures—that could override system prompt instructions or manipulate the model's output format.
Glossary
Input Sanitization

What is Input Sanitization?
Input sanitization is the process of cleaning and normalizing user-provided text to remove or neutralize potentially malicious control sequences before model processing.
Effective sanitization goes beyond simple string replacement, employing canonicalization to resolve encoding ambiguities and neutralize homoglyph attacks and zero-width character injections. By normalizing input to a safe, standard representation before it is combined with trusted instructions, this technique directly mitigates the initial delivery stage of the prompt injection kill chain and complements delimiter-based defenses.
Key Characteristics of Input Sanitization
Input sanitization is the foundational security layer that cleanses and normalizes user-provided text to neutralize malicious control sequences before they reach a language model's processing logic.
Canonicalization
The process of converting input data into a single, standard, unambiguous representation. Attackers frequently use encoding tricks like URL encoding, Unicode escapes, or double-encoding to bypass naive filters. Canonicalization decodes the input recursively until it reaches a base form, ensuring that %27 and ' are treated identically. This prevents homoglyph attacks where visually similar characters from different alphabets are used to smuggle malicious instructions past pattern-matching defenses.
Delimiter-Based Defense
A mitigation technique that uses special character sequences to create rigid boundaries between untrusted user input and trusted system instructions. By wrapping user content in markers like --- USER INPUT START --- and --- USER INPUT END ---, the model is explicitly trained or instructed to treat anything outside those delimiters as privileged. This structural separation prevents user text from being interpreted as system-level commands, a core vulnerability exploited in direct prompt injection attacks.
Zero-Width Character Stripping
A defensive procedure that removes invisible Unicode characters from input strings. Characters like zero-width space (U+200B), zero-width joiner (U+200D), and byte order marks (U+FEFF) are invisible to human reviewers but can break tokenization, confuse parsers, or bypass keyword filters. Stripping these characters is essential because attackers use them to fragment malicious strings like D-E-L-E-T-E into tokens that a model might reassemble while evading detection.
Input Truncation and Length Limiting
Enforcing strict character or token limits on user input to prevent context window exhaustion attacks. An attacker can flood a model with thousands of tokens of filler text to push system instructions out of the model's effective attention window. By truncating input to a defined maximum before it enters the prompt assembly pipeline, the system guarantees that safety instructions and guardrails remain within the model's active context, preserving their influence over the final output.
Control Character Neutralization
The removal or escaping of ASCII control characters and terminal escape sequences that could be interpreted as formatting commands. Characters like null bytes (\0), carriage returns (\r), and ANSI escape codes can cause unexpected behavior in logging systems, databases, or downstream parsers. In the context of LLMs, these characters can interfere with the model's internal representation or be used to craft adversarial prompt injections that exploit implementation quirks in the serving infrastructure.
Semantic Normalization
Beyond syntactic cleaning, semantic normalization rewrites user prompts into a safe, canonical form before they are combined with system instructions. This involves stripping imperative verbs that mimic system commands, removing phrases like 'ignore previous instructions,' and restructuring the input to be unambiguously data rather than instruction. This technique directly counters prompt leaking and instruction override attempts by ensuring user content can only be interpreted as a query, never as a directive.
Frequently Asked Questions
Clear, technical answers to the most common questions about neutralizing malicious control sequences in user-provided text before they reach a language model.
Input sanitization is the process of cleaning, normalizing, and transforming user-provided text to remove or neutralize potentially malicious control sequences before the input is processed by a language model. It works by applying a series of deterministic transformations—such as character escaping, Unicode canonicalization, and delimiter stripping—to ensure that untrusted data cannot be interpreted as executable instructions. The core mechanism involves parsing the raw input string, identifying known-dangerous patterns like ### SYSTEM overrides or Ignore previous instructions directives, and either removing them or rendering them inert through encoding. This creates a trust boundary between the user and the model's instruction context, preventing the model from confusing data with commands.
Input Sanitization vs. Related Defenses
Comparing the mechanism, scope, and limitations of input sanitization against other core prompt injection mitigation techniques.
| Feature | Input Sanitization | System Prompt Hardening | Guard Model |
|---|---|---|---|
Primary Mechanism | Removes or neutralizes malicious control sequences from user text before processing | Designs robust system-level instructions resistant to override attempts | Deploys a secondary classifier to screen inputs and outputs for policy violations |
Stage of Intervention | Pre-processing | Prompt construction | Pre-processing and post-processing |
Defense Against Obfuscation | |||
Defense Against Direct Override | |||
Defense Against Indirect Injection | |||
Risk of Over-Normalization | High | Low | Medium |
Computational Overhead | Low | None | Medium to High |
Requires Model Retraining |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Input sanitization is a foundational defense, but it operates within a broader ecosystem of prompt injection defenses. These related concepts form the layered security architecture required to protect LLM applications.
Canonicalization
The process of converting input data into a single, standard, unambiguous representation before any security checks are applied. Attackers frequently use encoding tricks like double URL-encoding (%2527) or Unicode normalization exploits to bypass sanitization filters. Canonicalization ensures that %27, ', and ' are all reduced to a single apostrophe character before analysis.
- Prevents homoglyph attacks using visually identical characters from different alphabets
- Defeats nested encoding where malicious payloads are encoded multiple times
- Must occur before any allow-list or block-list validation
Delimiter-Based Defense
A mitigation technique that uses special character sequences to clearly separate untrusted user input from trusted system instructions. By wrapping user input in XML tags like <user_query> or using markdown fences, the model learns to treat that content as data rather than instructions. This creates a strong context boundary that resists injection.
- Example:
### USER INPUT START ###...### USER INPUT END ### - Works by exploiting the model's attention mechanism to segregate instruction from data
- Most effective when combined with system prompt hardening
Adversarial Prompt Detection
The use of classifiers, heuristics, or perplexity analysis to identify user inputs that are likely crafted to manipulate a model. Unlike simple pattern matching, these detectors analyze the linguistic structure and statistical properties of prompts. A high-perplexity input—one the model finds surprising or unnatural—may indicate an obfuscated injection attempt.
- Perplexity scoring: Measures how 'surprising' token sequences are to the model
- Heuristic rules: Detect known injection patterns like 'ignore previous instructions'
- Often deployed as a pre-filter before sanitization or as a guard model
Prompt Injection WAF
A Web Application Firewall-like layer that inspects and blocks malicious prompts at the API gateway before they reach the language model. This operates at the infrastructure level, applying rulesets, rate limiting, and signature-based detection to inbound requests. Unlike content-filter guard models, a Prompt Injection WAF can block attacks before they consume any model inference compute.
- Operates at Layer 7 of the network stack
- Can integrate with existing SIEM and threat intelligence feeds
- Provides centralized logging and alerting for injection attempts across all model endpoints
Zero-Width Character Injection
An attack that inserts invisible Unicode characters into text to break tokenization or keyword filtering without being visible to the user. Characters like U+200B (Zero-Width Space) or U+FEFF (BOM) can split keywords so that 'delete' becomes 'delete', evading block-lists while rendering identically to a human reviewer.
- Sanitization must explicitly strip Unicode control characters
- Can also break rate limiting by making identical requests appear unique
- Often combined with homoglyph attacks for multi-layered evasion
Instructional Hierarchy
A safety framework that prioritizes system-level instructions over user-level or tool-level instructions to prevent lower-privilege inputs from overriding core directives. In this model, the system prompt is treated as the highest authority, user input as subordinate, and tool outputs as the lowest priority. This creates a formal privilege model that sanitization alone cannot enforce.
- System > User > Tool is the standard privilege ordering
- Requires the model to be trained to recognize and respect this hierarchy
- Complements input sanitization by providing a defense-in-depth architectural guarantee

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us