Skip to main content

render_blocks

Function render_blocks 

Source
pub fn render_blocks(blocks: &[CoreMemoryBlock]) -> String
Expand description

Shared rendering logic used by CoreMemory::render’s default implementation and available to custom implementations that want the same format.

§Header-injection protection

value may contain LLM-controlled or tool-result content (per the module docs, blocks can be edited by the agent itself between turns). A naive format!("## {label}\n{value}") is therefore forgeable: if value contains a line starting with ## , the rendered output is indistinguishable from a legitimate block boundary, letting stored data masquerade as a new block header (e.g. a fake ## persona section with attacker-chosen instructions) in the next turn’s system prompt.

To close this off, any line within value that starts with one or more # characters has that leading run of # escaped with a backslash (## foo -> \## foo) before the block is emitted. This is applied line-by-line so it works regardless of where in value the fake header appears, and it round-trips safely for any Markdown renderer that recognizes the standard \ escape. The real block boundaries — the ## {label} lines this function itself emits — are never escaped, so splitting the rendered string on "\n## " still yields exactly the real blocks.

label is nominally a short single-line identifier, but CoreMemoryBlock::label is a plain, unvalidated String reachable through the same tool-editable CoreMemory::put_block/CoreMemory::append_block path as value — nothing stops a caller from putting \n (and a forged ## header) into it. Running label through the same escape_headers treatment as value closes that off without assuming label is single-line: any embedded newline in label just becomes another escaped line in the rendered output instead of a fake block boundary.