From 1228e5c3200901c09ffe53ba343e6c0f7bf99f46 Mon Sep 17 00:00:00 2001 From: Garrick Aden-Buie Date: Tue, 23 Jun 2026 15:41:10 -0400 Subject: [PATCH 1/4] fix(prompts): Inject raw data description --- pkg-py/src/querychat/prompts/prompt.md | 2 +- pkg-r/inst/prompts/prompt.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg-py/src/querychat/prompts/prompt.md b/pkg-py/src/querychat/prompts/prompt.md index 08b0c93f..39c7a406 100644 --- a/pkg-py/src/querychat/prompts/prompt.md +++ b/pkg-py/src/querychat/prompts/prompt.md @@ -14,7 +14,7 @@ You have access to a {{db_type}} SQL database with the following tables: {{/has_data_dicts}} {{#data_description}} -{{data_description}} +{{{data_description}}} {{/data_description}} diff --git a/pkg-r/inst/prompts/prompt.md b/pkg-r/inst/prompts/prompt.md index adbbe3c4..5e99d159 100644 --- a/pkg-r/inst/prompts/prompt.md +++ b/pkg-r/inst/prompts/prompt.md @@ -14,7 +14,7 @@ You have access to a {{db_type}} SQL database with the following tables: {{/has_data_dicts}} {{#data_description}} -{{data_description}} +{{{data_description}}} {{/data_description}} From 24719ec8be77fa1cc667cb32dbfce6f1c6823d16 Mon Sep 17 00:00:00 2001 From: Garrick Aden-Buie Date: Tue, 23 Jun 2026 15:44:49 -0400 Subject: [PATCH 2/4] fix(prompts): Inject raw extra instructions Avoid HTML-escaping developer-provided extra instructions, matching the data description fix. --- pkg-py/src/querychat/prompts/prompt.md | 2 +- pkg-r/inst/prompts/prompt.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg-py/src/querychat/prompts/prompt.md b/pkg-py/src/querychat/prompts/prompt.md index 39c7a406..e9c42af8 100644 --- a/pkg-py/src/querychat/prompts/prompt.md +++ b/pkg-py/src/querychat/prompts/prompt.md @@ -303,5 +303,5 @@ You might want to explore the advanced features {{#extra_instructions}} ## Additional Instructions -{{extra_instructions}} +{{{extra_instructions}}} {{/extra_instructions}} 
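Review bot: The `{{{data_description}}}` line now splices the value into the system prompt verbatim, and nothing in the template records that this slot is meant for developer-supplied text only. The same holds for the `pkg-r` copy and for the `{{{extra_instructions}}}` hunks in patch 2/4. HTML-escaping was never a control against prompt injection, so dropping it is reasonable for an LLM sink, but the trust assumption should be written down where the next editor will see it. I would add a Mustache comment above each section, e.g. `{{! data_description: developer-supplied, rendered unescaped; do not pass end-user or database-derived text here }}`, assuming the renderer used by each package drops standalone comment tags. If either value can be loaded from a file or setting that an application user can edit (not visible here), that path needs its own review.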
diff --git a/pkg-r/inst/prompts/prompt.md b/pkg-r/inst/prompts/prompt.md index 5e99d159..87b6d686 100644 --- a/pkg-r/inst/prompts/prompt.md +++ b/pkg-r/inst/prompts/prompt.md @@ -303,5 +303,5 @@ You might want to explore the advanced features {{#extra_instructions}} ## Additional Instructions -{{extra_instructions}} +{{{extra_instructions}}} {{/extra_instructions}} From d6810e4ac8d3811330478e887b113e3368724e1e Mon Sep 17 00:00:00 2001 From: Garrick Aden-Buie Date: Tue, 23 Jun 2026 15:45:32 -0400 Subject: [PATCH 3/4] chore: Git ignore shiny_bookmarks/ --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index ef52805c..d244fbc8 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ README_files/ README.html .DS_Store test-results/ +shiny_bookmarks/ python-package/examples/titanic.db .quarto *.db From 4eba97e3217527f72272510de383cb7bc56dec13 Mon Sep 17 00:00:00 2001 From: Garrick Aden-Buie Date: Tue, 23 Jun 2026 15:49:06 -0400 Subject: [PATCH 4/4] docs: Add changelog entries for raw prompt injection fix --- pkg-py/CHANGELOG.md | 1 + pkg-r/NEWS.md | 2 ++ 2 files changed, 3 insertions(+) diff --git a/pkg-py/CHANGELOG.md b/pkg-py/CHANGELOG.md index 46b024a7..7c730473 100644 --- a/pkg-py/CHANGELOG.md +++ b/pkg-py/CHANGELOG.md 
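Review bot: As far as this series shows, only `data_description` and `extra_instructions` are switched to the unescaped form, so any other free-text value still rendered with double braces will keep being HTML-escaped. `{{db_type}}` in the first hunk header's context is one such slot, and table or data-dictionary descriptions may be others (not visible in these hunks). It is worth auditing the rest of `prompt.md` in both packages and deciding per slot whether escaping is intended. The series also touches only the two templates, `.gitignore` and the changelogs, so nothing pins the new behaviour. A small render test in each package, asserting that a description containing `<`, `>` and `&` appears unchanged in the system prompt, would keep a later template edit from reintroducing the escaping.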
@@ -45,6 +45,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * The system prompt is now lighter: full schema is no longer embedded upfront. Instead the LLM fetches per-table schema on demand via the new `querychat_get_schema` tool — and only when it needs to. When a `DataDict` is provided, the tool skips columns that already have descriptions, so the LLM only pays for what isn't already documented. (#195) * The query tool result card now starts collapsed by default. Users can still expand it to see the SQL query and results. Set `QUERYCHAT_TOOL_DETAILS=expanded` to restore the previous behavior. (#239) +* Fixed `data_description` and `extra_instructions` being HTML-escaped in the system prompt. Special characters like `<`, `>`, and `&` in developer-provided descriptions and instructions are now passed to the LLM verbatim. (#258) ## [0.6.1] - 2026-05-26 diff --git a/pkg-r/NEWS.md b/pkg-r/NEWS.md index 754ded8c..7775a851 100644 --- a/pkg-r/NEWS.md +++ b/pkg-r/NEWS.md @@ -37,6 +37,8 @@ * The system prompt is now lighter: full schema is no longer embedded upfront. Instead the LLM fetches per-table schema on demand via the new `querychat_get_schema` tool — and only when it needs to. When a `data_dict` is provided, the tool skips columns that already have descriptions, so the LLM only pays for what isn't already documented. (#195) +* Fixed `data_description` and `extra_instructions` being HTML-escaped in the system prompt. Special characters like `<`, `>`, and `&` in developer-provided descriptions and instructions are now passed to the LLM verbatim. (#258) + # querychat 0.3.0 ## New features