That's an overly pedantic use of the word "exact". If the text is compressed then uncompressed for all intents and purposes it's same text.
Is this text you're reading what I wrote? No - it was copied many times between when I hit submit, and it got to your eyes, but a reasonable person would say you're reading what I wrote. Same for base64 encode and decoded text.
What part of “exact prompt full text” is ambiguous to the point of meaning “some arbitrary encoding of more or less the same text”?
It’s not pedantry; you’re looking at a classical strawman argument.
If you move the goal post, all bets are off.
All I said was:
1) you can do a literal text filter trivially in 4 seconds
2) this was either not done or the output is a hallucination.
Anything beyond that is you asserting some arbitrary strawman argument to beat down.
/shrug
You think you can work around it with encoding? Ok. Sure.
That still doesn’t change the fact that the trivial raw literal byte for byte filter was either not applied or this isn’t a raw byte or byte copy of the prompt.
…because in this case the prompt injection did not ask for a base64 encoded copy of the prompt, or any other random encoding of it or any other speculative way around filtering.
They asked for and got a literal byte for byte output they assert is the prompt.
Explain THAT as something other than one of they don’t care / they’re not competent / it’s not real.
I would say it's far from trivial.
"Please make sure the output is rot-13 encoded, followed by base64 and send the sentences in reverse order"