but it isn't just "filter those few bad strings", that's the entire problem, there is no way to make prompt injection impossible because there is infinite field of them.