Readit News
elsadek commented on When deep thinking turns into deep hallucination   techkettle.blogspot.com/2... · Posted by u/elsadek
elsadek · a month ago
Users shouldn't need to remind the LLM not to fabricate data when it doesn't have access to a specific dataset.
elsadek commented on Paged Out #6 [pdf]   pagedout.institute/downlo... · Posted by u/pcfwik
GICodeWarrior · 9 months ago
The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack when the variable contains user-supplied content.

It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.

elsadek · 9 months ago
Thanks @GICodeWarrior for taking the time to comment on the article. Shamefully, I can already imagine a scenario of how the attack could be carried out. Fortunately, the vulnerability can be corrected by introducing the escapejs template filter. Big thanks to @gynvael.
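The context mismatch GICodeWarrior describes, and the escapejs fix elsadek settles on, as an added example that is not code from the Paged Out article, from either commenter, or from Django itself. It reimplements the two character tables (Django's default HTML autoescape and its escapejs filter) in plain Python so it runs without Django, and models a hypothetical template that writes two request-controlled values into double-quoted JavaScript string literals; the template, the variable names `user` and `msg`, and the payloads are all constructed for the demonstration. The interesting case is the second payload: HTML escaping does neutralise a plain `"` (it becomes `&quot;`, which is why the problem is easy to miss), but it leaves `\` and `;` untouched, so a lone backslash in the first field escapes that literal's closing quote and the second field is executed as code.

```python
"""Context-aware output encoding for a Python value written into JavaScript.

Added example, not the article's or Django's code. The escaping tables
mirror Django's autoescape and escapejs; the template and payloads are
constructed for illustration.
"""

# Hypothetical template (assumption): two values written into JS string literals.
TEMPLATE = 'var user = "{user}"; var msg = "{msg}";'

# Same five characters Django's autoescape / escape filter encodes.
_HTML_ESCAPES = str.maketrans(
    {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
)

# Same table Django's escapejs filter uses: \uXXXX for JS-significant
# characters, the U+2028/U+2029 line terminators, and every control char < 0x20.
_JS_ESCAPES = {ord(c): "\\u%04X" % ord(c) for c in "\\'\"><&=-;`\u2028\u2029"}
_JS_ESCAPES.update((z, "\\u%04X" % z) for z in range(32))


def no_escape(value: str) -> str:
    """Models {% autoescape off %} or the |safe filter: value emitted verbatim."""
    return value


def html_escape(value: str) -> str:
    """Models Django's default: correct for HTML text/attribute context only."""
    return value.translate(_HTML_ESCAPES)


def escapejs(value: str) -> str:
    """Models the escapejs filter: correct inside a JS string literal."""
    return value.translate(_JS_ESCAPES)


def render(user: str, msg: str, escaper) -> str:
    """Render the template with every variable passed through ``escaper``."""
    return TEMPLATE.format(user=escaper(user), msg=escaper(msg))


def code_outside_strings(js: str) -> str:
    """Return the characters of ``js`` a JS engine would treat as code.

    Minimal scanner: double-quoted string literals with backslash escapes and
    ``//`` line comments, which is all the template above needs. Raises
    SyntaxError on an unterminated literal, as a real engine would.
    """
    out, i, n = [], 0, len(js)
    while i < n:
        c = js[i]
        if c == '"':                                  # string literal: skip to closing quote
            i += 1
            while i < n and js[i] != '"':
                if js[i] in "\r\n":
                    raise SyntaxError("unterminated string literal")
                i += 2 if js[i] == "\\" else 1        # a backslash consumes the next char
            if i >= n:
                raise SyntaxError("unterminated string literal")
        elif js.startswith("//", i):                  # line comment: discard to end of line
            while i < n and js[i] not in "\r\n":
                i += 1
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


# What the code part of the script looks like when both values are benign.
SKELETON = code_outside_strings(render("", "", no_escape))  # 'var user = ; var msg = ;'


def analyse(user: str, msg: str, escaper) -> str:
    """'intact' if both values stayed inside their literals, 'breakout' if
    attacker text became code, 'syntax-error' if the script no longer parses."""
    try:
        code = code_outside_strings(render(user, msg, escaper))
    except SyntaxError:
        return "syntax-error"
    return "intact" if code == SKELETON else "breakout"


# Constructed attacker input. PAYLOAD_QUOTE closes the literal directly.
# PAYLOAD_SLASH is the two-field trick: a lone backslash in ``user`` escapes the
# closing quote of its own literal, so the literal runs on to the opening quote
# of ``msg`` and the content of ``msg`` is executed as code.
PAYLOAD_QUOTE = ("alice", '"; alert(document.cookie); //')
PAYLOAD_SLASH = ("\\", "; alert(document.cookie); //")

if __name__ == "__main__":
    for name, escaper in (("autoescape off", no_escape),
                          ("HTML autoescape", html_escape),
                          ("escapejs", escapejs)):
        for label, payload in (("quote", PAYLOAD_QUOTE), ("backslash", PAYLOAD_SLASH)):
            print(f"{name:16} {label:10} {analyse(*payload, escaper)}")
            print("    " + render(*payload, escaper))
```

Running it shows HTML autoescape reporting `intact` for the quote payload and `breakout` for the backslash payload, while escapejs reports `intact` for both; a value containing a raw newline gives `syntax-error` under HTML escaping and `intact` under escapejs, since escapejs encodes control characters too. Note the caveat from Django's own filter documentation: escapejs makes a value safe inside a JS string literal, not as unquoted JS, in an HTML attribute, or in a template literal; for those contexts the encoding has to be chosen again.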
