自分のコードでHTMLインジェクションを踏んでから、AIの出力を信頼しなくなった 自分のコードでHTMLインジェクションを踏んでから、AIの出力を信頼しなくなった

Developers have spent years learning to distrust user input, sanitizing form fields, escaping query parameters, and validating uploads. Far fewer have applied the same caution to the text returned by large language models. A recent blog post in the MCP category describes how that blind spot led to a self-inflicted HTML injection bug, and it serves as a useful reminder that AI output is just another untrusted data source.

The author's setup was common enough. A feature took a user's question, passed it to an LLM, and rendered the model's answer directly into the page. Because the response came from a trusted backend service rather than a stranger on the internet, it was treated as safe and inserted into the DOM without escaping. The mistake is subtle: the model itself is not malicious, but its output is shaped by its input, and that input can include whatever a user typed. If someone asks the model to produce HTML, a script tag, or an event handler attribute, there is a reasonable chance it will, and that markup then executes in the browser of whoever views the result.

This is a variation of stored or reflected cross-site scripting, with the language model acting as an intermediary that launders attacker-controlled text into seemingly trusted content. The fix is the same fix that has always applied to dynamic content. Strings must be escaped or sanitized before they reach an HTML context, regardless of where they originated. Rendering Markdown adds another layer, since Markdown can contain raw HTML, so libraries should be configured to strip or neutralize embedded tags, and a Content Security Policy can limit the damage if something slips through. The broader lesson is to stop categorizing inputs by how much you like their origin and start categorizing them by where they end up.

The point grows sharper in the context of MCP, the Model Context Protocol, which is the post's category. MCP standardizes how AI applications connect to external tools, data sources, and services. It expands the number of channels through which untrusted text can enter a system: a model might read a document, query a database, or call a remote tool, and any of those can return content that the application later renders or, worse, treats as an instruction. Prompt injection, where hidden text in a fetched web page or file manipulates the model's behavior, is the conversational cousin of the HTML injection described here. Both stem from mixing data and instructions without a clear boundary.

Several industry efforts are converging on this problem. The OWASP Top 10 for Large Language Model Applications lists prompt injection and insecure output handling among its leading risks, and it explicitly recommends treating model responses as untrusted and applying output encoding before use. Front-end frameworks such as React, Vue, and Angular escape interpolated text by default, which is why the danger often hides in the deliberate escape hatches, like setting inner HTML directly, that developers reach for when they want rich formatting. Sanitization libraries such as DOMPurify exist precisely to clean HTML before it is inserted, and they appear to be the most practical defense for any feature that displays model-generated markup.

There is a cultural element worth naming. AI output looks fluent and authoritative, which makes it easy to assume it is well-behaved. That perception is misleading from a security standpoint. The model has no concept of trust boundaries, and it will happily reproduce or fabricate strings that break an unescaped template. Treating it like a trusted internal API encourages exactly the shortcut the author took.

The practical takeaways are modest but durable. Escape on output, not just on input, and do it at the boundary where data meets a rendering context. Restrict any rich-text rendering to an allowlist of safe tags. Add a Content Security Policy as defense in depth. Where MCP or tool calls are involved, isolate what the model retrieves from what the application executes. None of this is novel, which is rather the point. The arrival of AI features tempts teams to invent new mental models, when the safer instinct is to apply the old ones. As the author concludes, AI is not a trusted source; it is a sophisticated input, and it deserves the same skepticism as anything a user types.