[andrewstuart2]

With interpreted text languages, and indeed with machine code, there are no types to associate with a value and a value may very well be executable code. This invariably means that the only approach is to "sanitize" your output for a given context if the type associated with it means it should only be interpreted as data.

[lmm]

Interpretation does not prevent typing, and machine code is an execution format. The right thing in any language is: express the operations that you are going to perform in a form that clearly distinguishes between values that represent different varieties of thing. (Types make this easier, otherwise you have to implement more of it yourself).

You talk about code and data as though they were the only things, but they're not; getting one variety of data when you were expecting another variety can just as easily lead to security bugs as getting code instead of data or vice versa. Sanitization very rarely works - and in the rare cases where it does, it still indicates a deficiency in the underlying model.