An easy gimmick that helps is to allow fetching URLs explicitly mentioned in user input, not trusting ones crafted by the LLM.