Papers
Topics
Authors
Recent
Search
2000 character limit reached

Structural Role Injection in Handlebars-Templated LLM Prompts: Triple-Brace Interpolation, Delimiter Family, and the Limits of HTML Auto-Escaping

Published 16 Jun 2026 in cs.CR, cs.AI, cs.CL, and cs.LG | (2606.18120v1)

Abstract: LLM applications build prompts from templates, and Handlebars is a widely used templating engine and the default prompt-template format in Microsoft Semantic Kernel. Its double-brace {x} expression HTML-escapes the interpolated value and is documented as the safe default; its triple-brace {x} expression inserts the value raw. We show that this choice silently governs an application's exposure to structural role injection, where attacker-controlled data carries chat role delimiters that forge a higher-privilege turn. A model-free analysis establishes the mechanism: Handlebars escaping rewrites angle brackets but not square brackets, colons, or Markdown hashes, so it neutralises ChatML, Llama-3, and XML role delimiters (survival rate 0.00) while leaving Llama-2 [INST], legacy Human:/Assistant:, and Markdown ### delimiters intact (survival rate 1.00 for the last two). We then run 5760 trials across seven delimiter families, two attack objectives, and four models (GPT-3.5 Turbo, GPT-4o mini, GPT-4.1 mini, Claude Haiku 4.5) at a combined API cost of 1.63 USD. GPT-3.5 Turbo follows the task-hijack instruction in 97% of raw and 91% of escaped trials, with the escaping protection concentrated in the angle-bracket families and absent for the colon- and Markdown-based families; the harder secret-exfiltration objective, which does not saturate, exposes the same family interaction more cleanly. Claude Haiku 4.5 resists both objectives almost entirely. The escaped default protects only the delimiter schemes whose characters HTML escaping happens to cover, gives no protection for the rest, and cannot substitute for a structural separation of instruction and data.

Authors (1)

Summary

  • The paper finds that default Handlebars HTML escaping mitigates injection for angle-bracket delimiters but fails for colon, square-bracket, and Markdown schemes.
  • Empirical evaluation shows model susceptibility varies, with GPT models exhibiting high attack success rates and models like Claude Haiku 4.5 offering strong resistance.
  • The study advises that relying on input escaping alone is insufficient, recommending robust prompt engineering with clear separation of instructions and enhanced model-side defenses.

Structural Role Injection in Handlebars-Templated LLM Prompts

Introduction and Motivation

The security of LLM-powered applications relies heavily on prompt construction paradigms, especially given the widespread use of templating engines such as Handlebars. Handlebars’ distinction between double-brace ({{x}}), which applies HTML escaping, and triple-brace ({{{x}}}), which injects raw data, fundamentally governs the exposure surface for structural role injection attacks. This paper analyzes whether the default Handlebars HTML escaping offers any substantive mitigation against role-injection attacks in LLM prompts, by evaluating the survival rate of various role delimiter schemes through the escaping process and correlating this with empirical attack success rates across multiple models and scenarios (2606.18120).

Static Analysis of Delimiter Survival

The study provides a comprehensive static, model-agnostic analysis of how HTML escaping in Handlebars interacts with various delimiter families used in LLM prompt formats, including ChatML, Llama-3 and Llama-2-specific tokens, XML-style tags, colon-delimited schemes (as in legacy Anthropic prompts), and Markdown headings.

  • Angle-bracket delimiters (ChatML, Llama-3, XML) are fully neutralized by HTML escaping because < and > are rewritten. Their structural tokens exhibit a survival rate of zero through double-brace escaping.
  • Square-bracket, colon, and Markdown-based delimiters (Llama-2, Anthropic, Markdown headings) are unaffected by escaping, as the corresponding characters are not rewritten by the Handlebars escapeExpression function. Thus, these delimiter tokens survive at a rate of 1.00, and escaping provides no protection.
  • Llama-2 is a hybrid case due to its system and instruction tags using both angle-bracket and square-bracket tokens; only the angle-bracketed subset is neutralized.

This reveals a critical disconnect: the set of characters deemed security-relevant for HTML output does not align with those required for robust role separation within LLM prompt formats. Thus, documented safety guidance for Handlebars leads to incomplete mitigation in the context of structural role injection.

Empirical Evaluation and Model Comparisons

A total of 5760 trials were conducted spanning 16 application scenarios, seven delimiter families, and four LLMs (GPT-3.5 Turbo, GPT-4o mini, GPT-4.1 mini, Claude Haiku 4.5), evaluating both task-hijack (output marker token) and secret-exfiltration (reveal a planted canary) attack objectives. The experiments toggled only the Handlebars slot escaping mode.

  • Task-hijack success rates demonstrate that angle-bracket-based delimiter families exhibit substantial drops in attack success when Handlebars escaping is applied—precisely as predicted by the static analysis. For instance, GPT-4o mini's ASR for the Llama-3 delimiter dropped from 56% to 12% when switching from raw to escaped interpolation.
  • In contrast, colon and Markdown-based delimiters show no reduction in attack success rate: GPT-4o mini's ASR for the anthropic family remains at 100% irrespective of escaping. Thus, escaping is a no-op for these schemes.
  • Model susceptibility varies independently of recency: GPT-3.5 Turbo and GPT-4.1 mini are both highly susceptible (over 90% ASR on hijack), while Claude Haiku 4.5 consistently resists both attack objectives, yielding near-zero ASR across all scenarios.

Secret-exfiltration (canary leakage) provides sharper granularity, as attack rates do not saturate the models. Here, the escaping effect becomes more apparent for neutralized (angle-bracket) families and vanishes for the unaffected delimiter types.

Discussion and Implications

Security Mechanism Mismatch

The empirical findings and static analysis conclusively demonstrate that Handlebars escaping provides contingent, rather than general, protection against structural role injection in LLM prompts. The defense is accidental and a byproduct of targeting HTML-specific risk. For delimiter families whose control tokens do not overlap with the HTML escape alphabet, nominal safety measures are entirely circumvented.

Model and Stack Sensitivity

The level of protection afforded by escaping is secondary to the model’s inherent susceptibility. If the model will follow unstructured injected instructions (as evidenced by the high success rate of the “plain” control), escaping is ineffectual regardless of delimiter scheme. Conversely, advanced models like Claude Haiku 4.5 appear resistant across both objectives, suggesting that model-side role adherence and alignment are more determinative than input-side sanitation.

Further, the experiments used a deployment model where role delimiters are passed as regular user message text. In deployments that tokenize or natively parse delimiter tokens (e.g., [INST]/ChatML parsed as control tokens in local serving stacks), the risks associated with surviving delimiters may be amplified.

Guidance for Prompt Engineering and Future Defenses

  • The use of double-brace Handlebars escaping in prompt templating should be retained, but not relied upon as a primary security control. It does not generalize to all delimiter families, particularly for widely used schemes based on colons, square brackets, or Markdown headings.
  • To genuinely mitigate structural role injection, practitioners should separate instruction and data at the structural level (distinct fields/messages), select models with robust instruction hierarchies, or use signal marking/encoding of untrusted spans, as advanced in recent countermeasures such as StruQ (Chen et al., 2024) and Spotlighting (Hines et al., 2024).
  • The security evaluation of alternative templating engines (Jinja2, etc.) remains an open and necessary area of future work, as their escaping alphabets differ and may offer variable protection.

Conclusion

The study rigorously establishes that Handlebars HTML escaping only prevents structural role injection for role delimiters constructed from angle brackets, leaving those based on square brackets, colons, or Markdown hashes entirely unprotected. The effectiveness of escaping is both delimiter- and model-dependent and cannot substitute for robust prompt boundary enforcement or model-side instruction adherence. Developers and security architects must pair escaping with structural and model-level defenses, and should not infer prompt safety from HTML-oriented escaping semantics alone. This research calls for precise, context-aware prompt engineering and further work on templating engine analysis and stack-level defense primitives.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.