Why put role tags into the text stream where an attacker can imitate them in the first place? You could apply the tags post-tokenization and just use reserved token codes the tokenizer never uses. If for some reason you can’t do that, you could at least mark them with unicode reserved characters and filter those out of all input streams.
Why put role tags into the text stream where an attacker can imitate them in the first place? You could apply the tags post-tokenization and just use reserved token codes the tokenizer never uses. If for some reason you can’t do that, you could at least mark them with unicode reserved characters and filter those out of all input streams.