Agent Output Escaping & Encoding

Engineering · updated Thu Feb 26

Ensure agent-generated content is safe for the downstream UI or system execution by preventing script execution.

Steps

  1. HTML-escape all agent output before rendering in a web browser (Prevent XSS).
  2. Validate and JSON-encode data intended for downstream API consumption.
  3. Sanitize Markdown syntax to prevent unauthorized image or link hijacking.
  4. Enforce UTF-8 character encoding consistency across all output channels.
  5. Mask PII or sensitive secrets in logs while preserving the user-facing output.
  6. Verify output length and structure against the 'Definition of Done' contract.

view raw JSON →