Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
) ### Motivation and Context <!-- Thank you for your contribution to the semantic-kernel repo! Please help reviewers and future users, providing the following information: 1. Why is this change required? 2. What problem does it solve? 3. What scenario does it contribute to? 4. If it fixes an open issue, please link to the issue here. --> #6030 ### Description ~In this implementation, the `Ġ` will be reserved in liquid template which is used to replace `:` in all input variables when unsafe content is not allowed.~ ~The encoding process for input variables when unsafe content is not allowed is~ ~- replace all `:` to `Ġ` // this is the extra step comparing with HandlerBar Template~ ~- Encode xml using `HttpUtility.HtmlEncode`~ ~The decoding process is~ ~- replace all `Ġ` to `:`~ This PR introduces a new process to mitigate potential prompt injection attacks from input variables when using liquid templates. Here's a breakdown of the steps: Before rendering, each input variable undergoes a transformation: all occurrences of `:`are replaced with `:`. This ensures that message tags like `system:`, `user:`, or `assistant:` are not present if `AllowUnsafeContent` is set to `false`. No replacement occurs if `AllowUnsafeContent` is `true`. After rendering, each message content is processed based on the `AllowUnsafeContent` setting. If it's `false`, all `:` instances are reverted back to `:`, followed by calling `html_encode` on each message content. If `AllowUnsafeContent` is `true`, only `html_encode` is called. This additional encoding step is necessary because `ChatPromptParser` always decodes XML message content, requiring the liquid template to undergo an extra encoding step to ensure the rendered content matches the original before rendering. <!-- Describe your changes, the overall approach, the underlying design. These notes will help understanding how your code works. Thanks! --> ### Contribution Checklist <!-- Before submitting this PR, please make sure: --> - [x] The code builds clean without any errors or warnings - [x] The PR follows the [SK Contribution Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts) raises no violations - [x] All unit tests pass, and I have added new tests where possible - [x] I didn't break anyone 😄
- Loading branch information