This page documents recurring attack classes that DOMPurify and other DOM-based HTML sanitizers have had to withstand: HTML parser mutation, namespace confusion, rawtext breakouts, depth-limit ...
Treat an LLM as the step function of a Turing machine. Everything else falls out: state lives on disk, the program is markdown, runs are resumable and observable, and "agents" are just user-authored ...