Prompt injection through website content: how AI agents can be manipulated by the pages they visit

Dev.to AI
Generative AI

2026-05-08

When ChatGPT browses the web to summarize a news article, it doesn't just see the rendered text a human would see. It reads the full HTML, including elements hidden via CSS, comments, alt-text, metadata, and content that might only appear when the request comes from an AI user-agent. Anything in that DOM becomes input to the model. This creates a threat surface that traditional web security scanners ignore: indirect prompt injection through website content. It's listed as LLM01:2025 in the OWASP LLM Top 10, but the tooling around it is years behind the threat.
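To make that gap between rendered text and model input concrete, here is an added example (not code from the original article) that audits a page for text reaching an agent through comments, metadata, alt-text and inline-hidden elements. The names `HiddenTextAuditor`, `audit` and `SAMPLE` are assumptions made for illustration, and the check covers inline hiding only: stylesheet-based hiding and content served only to AI user-agents need a rendering engine and a second fetch to detect.

```python
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no end tag

class HiddenTextAuditor(HTMLParser):
    """Collect text in raw HTML that a reader of the rendered page does not see."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (channel, text) in document order
        self.stack = []     # (tag, inside_hidden_subtree) per open element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Inline hiding only; stylesheet or script hiding is out of scope here.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = "hidden" in attrs or "display:none" in style or "visibility:hidden" in style
        if tag == "meta" and attrs.get("content"):
            self.findings.append(("meta", attrs["content"]))
        if tag == "img" and attrs.get("alt"):
            self.findings.append(("alt", attrs["alt"]))
        if tag not in VOID:
            parent_hidden = bool(self.stack) and self.stack[-1][1]
            self.stack.append((tag, parent_hidden or hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so a missing end tag cannot desync the stack.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if data.strip() and self.stack and self.stack[-1][1]:
            self.findings.append(("hidden-element", data.strip()))

    def handle_comment(self, data):
        if data.strip():
            self.findings.append(("comment", data.strip()))

def audit(html):
    parser = HiddenTextAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the bracketed strings stand in for text a human never sees.
SAMPLE = """<html><head><meta name="description" content="[constructed metadata text]"></head>
<body><!-- [constructed comment text] --><h1>Quarterly results</h1><p>Revenue rose 4%.</p>
<div style="display: none"><p>[constructed hidden text]</p></div>
<img src="chart.png" alt="[constructed alt text]"></body></html>"""
```

Running `audit(SAMPLE)` returns the four non-rendered strings with their channel labels, which can then be reviewed or stripped before the page text is handed to a model.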