Structural Role Injection in Handlebars-Templated LLM Prompts: Triple-Brace Interpolation, Delimiter Family, and the Limits of HTML Auto-Escaping

The article presents a study on the structural role injection vulnerabilities in Handlebars-templated prompts used in large language models (LLMs), particularly in Microsoft Semantic Kernel. It reveals that while double-brace expressions ({{x}}) provide HTML-escaping for safety, they inadequately protect against attacks using other delimiter families, such as colons and Markdown hashes, which remain vulnerable. The experiments conducted across multiple models, including GPT-3.5 Turbo and Claude Haiku 4.5, demonstrated significant susceptibility to task hijacking, emphasizing the need for stricter separation of instruction and data in prompt design to mitigate these security risks.