Mitigations for Hashjack vulnerability?

[TheGermanGeologist]

Hi all,

I was wondering if any mitigations for the hashjack vulnerability are planned.

As far as I understand it, without agentic tools this mainly works through social engineering and getting you to click on things that you shouldn't be clicking on, so immediate catastrophic consequences are unlikely, but injection of malicious information or links into the AI's response affects all AI tools that browse the web and synthesize information. So it could become a problem when clicking on a source link that Perplexica returns.

Any plans for patching this? And in the meantime, any suggestions to minimize the risk? I've added a system prompt telling the model to ignore all instructions it encounters while browsing the web, but I think that's a weak defense tbh.

Thanks

[bkutasi]

I think safety should be prioritised here, but it's not a clear cut solution since llms eat up everything. Maybe adding a safeguard model to scan the end results could help? eg: https://huggingface.co/openai/gpt-oss-safeguard-20b

[TheGermanGeologist]

Interesting suggestion.
I've got a couple of ideas how to harden Perplexica. Hopefully at some point the time to look into it as well.
Before results are fed into an LLM:

• Optionally drop all #-fragments
• scan website content for suspicious phrases like "ignore all previous instructions" etc or other common prompt injection patterns
• improve system prompts
• use online APIs to scan URLs returned in final LLM response for known malicious links (with user provided API key)

Haven't used typescript or searxng before, but I think I'll find my way around the backend. The WebUI part, I'm less hopeful.
If someone could point me towards the relevant files to intervene at the two steps before a search result is passed to the LLM and before the LLM returns the answer, that'd probably speed things up and be much appreciated.