The Blessing of the Strings

31 points by lumpa about 1 year ago

3 comments

mrkeen about 1 year ago

> You can think of TrustedHTML as an interface indicating that a string has been somehow specially "blessed" as safe... Sanitized.

Unfortunate naming. "Trusted" is one of those words which has taken on its own opposite as a meaning. Like "redundant" or "cope".

This feature would be Checked/Validated/Trustworthy/Safe. Values would end up in this state if you did not trust them and needed to check them.

wavemode about 1 year ago

I'm not quite sure I follow the threat model here?

> But wait... can't someone come along then and just create a more lenient policy called default? No! That will throw an exception!

Who is "someone" in this situation? And why are they able to execute arbitrary JavaScript code in the user's browser, yet the user is somehow protected by a string sanitization policy?

oasisaimlessly about 1 year ago

TL;DR: Perl's taint mode is coming to JavaScript.