Actually the execution path is also "tainted" whenever an addon is called or a tainted variable is read. That in turn taints every variable written to. So on, and so on, and so on...
As you stated, It only becomes an issue when a "protected" function is called. The execution path is then tested, and if found tainted, will fail with the normal error.
|