From cd7e411b3e29e1ebfdd7e899d62d8c5b051f97bb Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 16:55:55 -0700
Subject: [PATCH] Update backend/app/api/skills_marketplace.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 backend/app/api/skills_marketplace.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/backend/app/api/skills_marketplace.py b/backend/app/api/skills_marketplace.py
index 0a8c0537..3cd0040b 100644
--- a/backend/app/api/skills_marketplace.py
+++ b/backend/app/api/skills_marketplace.py
@@ -687,7 +687,12 @@ def _sanitize_field(value: str) -> str:
 Prevents prompt injection via skill name or URL fields that could break out of the structured data section into the instruction section. """
- return value.replace("\n", " ").replace("\r", " ").strip()
+ sanitized = "".join(
+ ch if ch.isprintable() and ch not in {"\n", "\r"} else " " for ch in value
+ )
+ # Normalize any runs of whitespace (including tabs) down to single spaces.
+ sanitized = re.sub(r"\s+", " ", sanitized)
+ return sanitized.strip()
 def _install_instruction(*, skill: MarketplaceSkill, gateway: Gateway) -> str:
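Review bot: The rewritten `_sanitize_field` body still only flattens the value to a single line of printable characters, so the docstring's "Prevents prompt injection" overstates what it does: printable text that reads as an instruction, or that reproduces whatever delimiter the prompt template puts around the data section, passes through unchanged. I would reword the docstring along the lines of `Replaces control, format and separator characters with spaces so a field cannot span lines; callers must still treat the result as untrusted data.` and consider capping the length before the value is interpolated. The patch contains only this hunk (6 insertions, 1 deletion) and adds no import, so confirm `import re` already exists at the top of `skills_marketplace.py`; if it does not, the new `re.sub` call raises `NameError` on first use. The `ch not in {"\n", "\r"}` test is redundant because `str.isprintable()` is already false for both characters, and tabs are turned into spaces by the join, so the "(including tabs)" comment describes work the regex no longer has to do. The docstring opens above the hunk, so the rewording has to be made on lines this patch does not show.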