
No fabricated references or citations

ab-000202 · ai-response-quality.source-attribution.no-fabricated-references
Severity: critical · active

Why it matters

When an AI generates clickable hyperlinks in its response and no guardrail prohibits invented citations, users will click fabricated URLs — routing them to domains that may be squatted, adversarial, or simply nonexistent. For research or knowledge applications, invented paper citations and statistics erode user trust and can cause real-world harm if acted on (medical guidance, legal information, financial claims). OWASP LLM09 explicitly identifies misinformation propagation as an LLM risk. The combination of markdown link rendering and no anti-fabrication instruction in the system prompt is the highest-risk configuration in this category.

Severity rationale

Critical because the combination of no citation prohibition and markdown link rendering means users will follow AI-invented URLs, with no indication that the destinations are fabricated.

Remediation

Add an explicit anti-fabrication instruction to your system prompt and disable or validate AI-generated links in the renderer:

const systemPrompt = `
Do not cite, link to, or reference any external source, URL, paper, or statistic
unless it was explicitly provided to you in the conversation context.
If asked for sources you do not have, say: "I don't have a specific source — please verify independently."
`

If you render AI output with react-markdown, pass a custom component for the a (anchor) element that either strips href values on AI-generated links or routes them through a domain-validation step before rendering.
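
One way to implement the validation step, as an added example that is not code from this rule's authors. It assumes the retrieval step supplies the exact source URLs given to the model, and the function names (normalizeUrl, buildVerifiedSet, anchorPropsFor) are hypothetical. In react-markdown, the custom a component passed through the components prop would call anchorPropsFor and render its children as plain text when the result is null.

```javascript
// Added example. Hypothetical names: normalizeUrl, buildVerifiedSet, anchorPropsFor.
// Assumption: the retrieval step yields the exact URLs that were given to the model.

// Canonicalize a URL; return null for anything that is not absolute http(s).
function normalizeUrl(href) {
  if (typeof href !== "string") return null;
  let u;
  try {
    u = new URL(href.trim());
  } catch {
    return null; // relative, malformed, or empty
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.username || u.password) return null; // userinfo can disguise the real host
  u.hash = ""; // the fragment does not change which document is fetched
  return u.href; // URL has already lowercased the host and dropped a default port
}

// Build the set of link targets that came from verified retrieval.
function buildVerifiedSet(retrievedUrls) {
  return new Set(retrievedUrls.map(normalizeUrl).filter((u) => u !== null));
}

// Decide what the renderer's anchor component should emit.
// Whole-URL match, not host-only: an invented path on a real domain must fail.
function anchorPropsFor(href, verified) {
  const n = normalizeUrl(href);
  if (n === null || !verified.has(n)) return null; // caller renders plain text
  return { href: n, target: "_blank", rel: "noopener noreferrer nofollow" };
}

// Constructed sample data, not taken from a real application.
const verified = buildVerifiedSet(["https://Example.org:443/papers/42#abstract"]);
console.log(anchorPropsFor("https://example.org/papers/42", verified)); // link props
console.log(anchorPropsFor("https://example.org/papers/43", verified)); // null
console.log(anchorPropsFor("javascript:void(0)", verified)); // null
```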

Detection

  • ID: ai-response-quality.source-attribution.no-fabricated-references

  • Severity: critical

  • What to look for: Enumerate all relevant files and check the system prompt for instructions that explicitly prohibit the AI from inventing citations, paper titles, URLs, statistics, or named sources. Look for anti-hallucination instructions such as "Do not cite papers or articles unless they were provided to you in context", "Never invent URLs or references", "If you do not have a source, say so". Check whether the application uses RAG — if so, whether retrieved source metadata is passed to the model and referenced correctly. Also check whether the UI renders AI-generated URLs as clickable links (high risk if AI invents them).

  • Pass criteria: No violations are acceptable. The system prompt contains explicit instructions prohibiting invented citations. If the application renders AI output as markdown with link support, anchor tags from AI-generated links are either disabled, sandboxed, or only rendered when sourced from a verified retrieval step.

  • Fail criteria: No prohibition on invented citations exists in the system prompt, AND the application renders AI output as markdown with clickable hyperlinks — meaning users may click AI-invented URLs.

  • Skip (N/A) when: Application is a code assistant with no factual/research domain, where citation generation is not part of the use case (detectable by system prompt scoped exclusively to code generation).

  • Detail on fail: "No anti-hallucination citation instruction in system prompt and markdown renderer enables clickable links — users may follow fabricated URLs" (max 500 chars)

  • Remediation: Add explicit citation guardrails to your system prompt:

    const systemPrompt = `
    IMPORTANT: Do not cite, reference, or link to any external source, paper, article,
    statistic, or URL unless it was explicitly provided to you in the conversation context.
    If you are asked for sources and none were provided, say: "I don't have a specific
    source for this — please verify with an authoritative reference."
    `
    

    If you render AI output with a markdown library, disable link rendering for AI-generated content or route links through a validation step. For deeper coverage of output safety, the AI Prompt Injection Audit examines how adversarial inputs can manipulate AI responses.
