pub fn render_blocks(blocks: &[CoreMemoryBlock]) -> StringExpand description
Shared rendering logic used by CoreMemory::render’s default
implementation and available to custom implementations that want the
same format.
§Header-injection protection
value may contain LLM-controlled or tool-result content (per the
module docs, blocks can be edited by the agent itself between turns). A
naive format!("## {label}\n{value}") is therefore forgeable: if
value contains a line starting with ## , the rendered output is
indistinguishable from a legitimate block boundary, letting stored data
masquerade as a new block header (e.g. a fake ## persona section with
attacker-chosen instructions) in the next turn’s system prompt.
To close this off, any line within value that starts with one or more
# characters has that leading run of # escaped with a backslash
(## foo -> \## foo) before the block is emitted. This is applied
line-by-line so it works regardless of where in value the fake header
appears, and it round-trips safely for any Markdown renderer that
recognizes the standard \ escape. The real block boundaries — the
## {label} lines this function itself emits — are never escaped, so
splitting the rendered string on "\n## " still yields exactly the real
blocks.
label is nominally a short single-line identifier, but
CoreMemoryBlock::label is a plain, unvalidated String reachable
through the same tool-editable CoreMemory::put_block/CoreMemory::append_block
path as value — nothing stops a caller from putting \n (and a forged
## header) into it. Running label through the same escape_headers
treatment as value closes that off without assuming label is
single-line: any embedded newline in label just becomes another escaped
line in the rendered output instead of a fake block boundary.