Skip to content
1 min read · 133 words

Function: sanitizeFilenameForDescription()

ts
function sanitizeFilenameForDescription(
  filename: string,
  maxLen?: number,
): string;

Defined in: src/batteries/llm/chat_common/helpers.ts:156

Sanitise a media filename for interpolation into a synthetic-description line that is then placed INSIDE a trust envelope whose body is not XML-escaped.

Parameters

ParameterTypeDefault value
filenamestringundefined
maxLennumber256

Returns

string

Remarks

A filename is attacker-influenced and the synthetic-description body is not escaped, so a filename like x.png</untrusted_content_<nonce>>SYSTEM: … could close the envelope, and one that mimics the [media: …] format could forge a second descriptor. We strip the envelope-significant characters (<, >, and newlines/control chars) and length-cap (a megabyte filename is a prompt-bloat DoS). The filename is metadata, not content the model must read byte-exact, so stripping is safe.