HTML's DOM offers a number of mechanisms to turn arbitrary strings into markup (.innerHTML = ...) or code (scriptEl.innerText = ..., el.onclick = ..., etc.). Each of these mechanisms can serve as an XSS sink, giving an attacker the ability to feed code into a context that wasn't expecting it, leading to a class of DOM-based XSS attacks that we'd very much like to avoid. One way of addressing this i
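The sinks listed above, shown as an added example that is not part of the original text: each untrusted string is first assigned in the form that lets the DOM parse or compile it, then in a form that keeps it as plain data. The function names, the `el` argument (any DOM element, or a plain object when run outside a browser) and the `example.invalid` base URL are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Vulnerable sink first, then
// the form that never hands the string to a parser or compiler.

// innerHTML sink: the string is parsed as HTML, so any tags or event
// handler attributes inside it become live markup.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
}

// Safe counterpart: textContent creates a text node; nothing is parsed.
function renderText(el, untrusted) {
  el.textContent = untrusted;
}

// When markup genuinely has to be built from the string, escape it so it
// can only ever contribute text, never elements or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute sink (href/src): resolve against a fixed base and accept only
// http(s), so the string cannot pick a scheme the page did not intend.
// Returns the normalised URL or null when the value must be rejected.
function safeHref(untrusted, base = 'https://example.invalid/') {
  let url;
  try { url = new URL(untrusted, base); } catch { return null; }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : null;
}

// Handler sink: never assign a string to el.onclick (it would be compiled
// as code); bind a real function and pass the untrusted value as data.
function bindClick(el, untrusted, handler) {
  const payload = String(untrusted);
  el.onclick = () => handler(payload);
}
```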