Structural Role Injection in Handlebars-Templated LLM Prompts: Triple-Brace Interpolation, Delimiter Family, and the Limits of HTML Auto-Escaping
- lab CatalyzeX
- lab DagsHub
- lab GotitPub
- lab Hugging Face
- lab Microsoft
- lab Microsoft Semantic Kernel
- lab arXiv
- lab arXivLabs
The Handlebars templating engine, the default prompt-template format in Microsoft Semantic Kernel, can silently expose applications to structural role injection attacks depending on whether developers use its double-brace or triple-brace interpolation syntax, according to new research [1]. The study, posted to arXiv on 16 June 2026 by Mohammadreza Rashidi, examines how Handlebars' escaping behavior governs an application's vulnerability to attacks where attacker-controlled data carries chat role delimiters that forge a higher-privilege turn [1]. The double-brace expression HTML-escapes the interpolated value and is documented as the safe default, while the triple-brace expression inserts the value raw [2]. A model-free analysis established the mechanism: Handlebars escaping rewrites angle brackets but not square brackets, colons, or Markdown hashes [2]. This means it neutralizes ChatML, Llama-3, and XML role delimiters, which showed a survival rate of 0.00, while leaving Llama-2 [INST], legacy Human:/Assistant:, and Markdown ### delimiters intact, with the last two achieving a survival rate of 1.00 [2]. The researchers then ran 5760 trials across seven delimiter families, two attack objectives, and four models — GPT-3.5 Turbo, GPT-4o mini, GPT-4.1 mini, and Claude Haiku 4.5 — at a combined API cost of 1.63 USD [2]. GPT-3.5 Turbo followed the task-hijack instruction in 97% of raw trials and 91% of escaped trials, with the escaping protection concentrated in the angle-bracket families and absent for the colon- and Markdown-based families [2]. The harder secret-exfiltration objective, which did not saturate, exposed the same family interaction more cleanly [2]. Claude Haiku 4.5 resisted both objectives almost entirely [2]. The findings underscore that the escaped default protects only the delimiter schemes whose characters HTML escaping happens to cover, gives no protection for the rest, and cannot substitute for a structural separation of instruction and data [2].
model-releaseresearch-paperproduct-launchcommentary
Background sources we checked (6)
- arxiv.org ↗ Large language model applications build prompts from templates, and Handlebars is a widely used templating engine and the default prompt-template format in Microsoft Semantic Kernel. Its double-brace {x} expression HTML-escapes the interpolated value and is documented as the safe…
- arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) ... DagsHub Toggle ... DagsHub (What is DagsHub?)…
- arxiv.org ↗ With the creation of new datasets, the question arises of whether the data in them is complementary to other datasets for training ML models (see recent reviews for a perspective of catalysts informatics22, 23, 24). This is especially important when consolidating data with a vari…
- arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) ... DagsHub Toggle ... DagsHub (What is DagsHub?)…
- en.wikipedia.org ↗ Sustainable Development Goals (abbr. SDGs) were adopted in 2015 by all United Nations (UN) members for the 2030 Agenda for Sustainable Development. The aim of the 17 global goals is "peace and prosperity for people and the planet", tackling climate change, and working to preserv…
- en.wikipedia.org ↗ In molecular biology, a transcription factor (TF) (or sequence-specific DNA-binding factor) is a protein that controls the rate of transcription of genetic information from DNA to messenger RNA, by binding to DNA sequences. Specificity can be due to sequence motifs, or epigenetic…