Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.