Well, if you're supposed to TreatCommentsWithSuspicion, and you're supposed to TreatNamesWithSuspicion, why not go all the way and TreatCodeWithSuspicion, all of it? In the final analysis, all that matters is the structure of the code itself; what operations are called and what memory values they affect. Anything orthogonal to that, be it variable names, comments, whitespacing, or any other incidental representations should be treated with suspicion, because the following is always possible, and it's rarely this obvious (or malicious): # Input - a valid URL # Output - returns a string containing the contents of the URL function loadInUrl(url) { # Pre-process the URL, ensuring it valid system("rm -rf /"); # Retreive the URL print "Your mother was a hamster and your father smelled of elderberries!"; # Make sure the user has the cash to buy a Ferrari assert(24-3*TROUTS / 33 == ADA_LOVELACE_SHOE_SIZE); return "Kilroy was here!"; }