fix(security): sanitize page title to prevent prompt injection in Web Surfer#7466
Closed
xr843 wants to merge 1 commit intomicrosoft:mainfrom
Closed
fix(security): sanitize page title to prevent prompt injection in Web Surfer#7466xr843 wants to merge 1 commit intomicrosoft:mainfrom
xr843 wants to merge 1 commit intomicrosoft:mainfrom
Conversation
…on in Web Surfer
Adds input sanitization for page titles before they are incorporated
into agent prompts, preventing indirect prompt injection attacks
where malicious page titles could override agent instructions.
Changes:
- Add _sanitize_page_metadata() to strip control chars, collapse
whitespace, remove markdown link syntax, and truncate long values
- Apply sanitization at all 4 injection points in the web surfer agent
- Replace markdown link syntax [{title}]({url}) with XML-style
delimiters <page_title>/<page_url> to separate untrusted content
- Add comprehensive tests for injection attack patterns
Fixes microsoft#7457
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
|
@microsoft-github-policy-service agree |
Author
|
Hi team, just a gentle ping on this PR. CLA has been signed and all CI checks are passing. Happy to make any adjustments if needed. Thanks for your time! |
Author
|
Closing this as part of a cleanup — I want to focus my contributions on fewer projects rather than spreading thin. The fix is still valid if maintainers want to pick it up. Happy to reopen if there's interest! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #7457 — Web Surfer agent vulnerable to indirect prompt injection via page title.
_sanitize_page_metadata()function that strips control characters, collapses whitespace, removes markdown link syntax, and truncates values to a safe length (200 chars for titles, 500 for URLs)_multimodal_web_surfer.py: tool prompt construction (MM and text), state description output, and page summarization[{title}]({url})in prompt templates with XML-style delimiters<page_title>/<page_url>to clearly separate untrusted web content from system instructionsWhy this approach
This is a defense-in-depth strategy. Prompt injection cannot be fully solved at the application layer alone, but these mitigations significantly raise the bar:
Affected files
python/packages/autogen-ext/src/autogen_ext/agents/web_surfer/_prompts.py— sanitization function + updated templatespython/packages/autogen-ext/src/autogen_ext/agents/web_surfer/_multimodal_web_surfer.py— apply sanitization at all injection pointspython/packages/autogen-ext/tests/test_web_surfer_sanitization.py— new test suiteTest plan
pytest python/packages/autogen-ext/tests/test_web_surfer_sanitization.py— 14 unit tests covering sanitization logic and prompt integration<title>tag and confirm the sanitized title appears in agent prompts🤖 Generated with Claude Code