Structural Role Injection in Handlebars-Templated LLM Prompts: Triple-Brace Interpolation, Delimiter Family, and the Limits of HTML Auto-Escaping

2026-06-16 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Advanced, quick

Summary

A study reveals that the choice between Handlebars' double-brace {{x}} (HTML-escaped) and triple-brace {{{x}}} (raw) interpolation in LLM prompts directly impacts an application's vulnerability to structural role injection. This attack allows attacker-controlled data to forge higher-privilege chat turns. A model-free analysis shows Handlebars escaping neutralizes ChatML, Llama-3, and XML role delimiters by rewriting angle brackets, resulting in a 0.00 survival rate. However, it fails to protect against Llama-2 [INST], legacy Human:/Assistant:, and Markdown ### delimiters, which have a 1.00 survival rate because square brackets, colons, and hashes are not escaped. Experiments involving 5760 trials across seven delimiter families and four models (GPT-3.5 Turbo, GPT-4o mini, GPT-4.1 mini, Claude Haiku 4.5) confirmed these findings at a cost of 1.63 USD. GPT-3.5 Turbo exhibited high vulnerability, with 97% task-hijack in raw and 91% in escaped trials, while Claude Haiku 4.5 resisted almost entirely. The research concludes that default escaping offers limited protection and cannot replace structural separation of instruction and data.

Key takeaway

For AI Engineers building LLM applications with Handlebars templates, relying solely on {{x}} HTML escaping for prompt security is insufficient. Your applications remain vulnerable to structural role injection if using delimiters like [INST], Human:/Assistant:, or ###. You must implement robust input validation and prioritize structural separation of instruction and data to prevent attackers from forging higher-privilege turns. Consider models like Claude Haiku 4.5, which demonstrated strong inherent resistance.

Key insights

Handlebars' default HTML escaping offers limited protection against structural role injection in LLM prompts.

Principles

• Escaping only protects specific delimiter characters.
• Structural separation is crucial for prompt security.
• Some LLMs inherently resist role injection better.

Method

The study conducted 5760 trials across seven delimiter families, two attack objectives, and four LLMs to analyze structural role injection vulnerabilities in Handlebars-templated prompts.

In practice

• Test LLM prompts with various delimiter types.
• Implement strict input validation for user data.
• Prioritize structural separation over escaping.

Topics

• LLM Prompt Engineering
• Handlebars Templating
• Structural Role Injection
• Prompt Security
• HTML Escaping
• Large Language Models

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, AI Engineer, AI Scientist

Related on AIssential

• Prompt Injection: The #1 AI Security Threat Every Developer Must Understand — Prompt injection is the top AI security threat, exploiting LLMs by overriding system instructions with malicious user input.
• Scaffold, Not Vocabulary? A Controlled, Two-Tier, Pre-Registered Study of a Popperian Code-Generation Skill — Prompt scaffold structure, not specific Popperian content, drives code generation correctness, while LLM judges exhibit significant bias.
• I fine-tuned DeBERTa-v3 into a prompt injection pre-filter — 184M, runs on CPU, catches compound attacks by splitting input into fragments — A fine-tuned DeBERTa-v3 model, SPID, pre-filters prompt injections locally using fragment splitting to catch compound attacks, reducing LLM API costs.
• SkillVetBench: LLM-as-Judge for Multi-Dimensional Security Risk Evaluation in Open-Source LLM Agent Skills — LLM-as-Judge effectively vets open-source LLM agent skills for multi-dimensional security risks, surpassing traditional code-layer scanners.
• The Self-Correction Illusion: LLMs Correct Others but Not Themselves — LLMs' self-correction failure is a chat-template artifact, not a cognitive deficit, showing role-label dependence.
• When the Loop Closes: Architectural Limits of In-Context Isolation, Metacognitive Co-option, and the Two-Target Design Problem in Human-LLM Systems — Prompt-level isolation is architecturally insufficient for multi-modal LLM systems due to context contamination within the attention window.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.