Concepts Components Blog Roadmap
Get Started
On this page

Is it Safe? Why A2UI is Secure by Design

An in-depth look at how A2UI prevents XSS and Prompt Injection by using a declarative, firewall-like architecture.

The Fear: Giving an AI control over your UI sounds terrifying. What if it deletes a database? What if it renders a fake login form to steal passwords?

In this article, we explain why A2UI is the safest way to integrate GenUI into enterprise applications.

The “Vending Machine” Analogy

Think of your application like a Vending Machine.

  • HTML/JS Approach: You give the AI a screwdriver and let it rewire the machine. It might dispense a soda, or it might cut the power cord. 💥
  • A2UI Approach: You give the AI a set of buttons to press. It can ask for “Soda A1” or “Chips B2”, but it can never touch the wiring.

Measurements:

  • Agent: Can only request data ({ "product": "soda" }).
  • Host (You): Decides how to deliver it (renders the <SodaCan /> component).

Threat Model: What We Solved

1. The XSS Nightmare (HTML Injection)

If you blindly render HTML from an LLM (<div dangerouslySetInnerHTML=... />), you are inviting disaster.

  • Risk: The AI (or a malicious prompt injection) outputs <script>stealCookie()</script>.
  • A2UI Fix: Impossible. The protocol does not support sending code. It only transfers JSON data. If an agent tries to send code, the parser simply rejects it as invalid schema.

2. The “Fake UI” Phishing Attack

  • Risk: A compromised agent renders a perfect replica of your “Login” modal to steal user credentials.
  • A2UI Fix: The Component Registry acts as a Firewall. The Agent can only render components you have explicitly registered. If you haven’t registered a LoginForm component, the Agent cannot make one appear, no matter how hard it tries.

3. UI Hallucinations

  • Risk: The AI invents a button that doesn’t exist (<SuperButton variant="flying" />), breaking your app layout.
  • A2UI Fix: Strict Schema Validation. Your application validates every JSON packet against your TypeScript definitions. If the agent hallucinates a non-existent prop, the A2UI runtime catches it instantly and can trigger a retry or fallback.

Enterprise-Grade Security

For CTOs and Security Architects, A2UI offers a clear chain of trust:

  1. Auditability: You can list exactly every single UI element the AI allows access to in your registry.ts.
  2. Sandboxing: Third-party agents runs in a “Logic Sandbox” (the cloud), while the UI runs in a “Visual Sandbox” (A2UI), with zero overlap.
  3. Consistency: Malicious agents cannot inject CSS to break your brand guidelines.

Community Perspectives

“Moving to a strict JSON schema is smart… it eliminates the XSS risks of executable code while ensuring the UI actually respects the host app’s native design system. A huge step up from the ‘web view’ approach.”

Mikael Mörlund (Security Engineer)

Conclusion

A2UI treats UI as Data, not Code. This simple architectural shift turns Generative UI from a “Security Risk” into a “Managed Feature”.

TopicLink
Deep Dive Blog PostSecurity Deep Dive: Why JSON > HTML
Implementation GuideGetting Started with A2UI
Custom Component SecurityCustom Components Guide
Full Architecture OverviewA2UI Concepts