All incoming data must be taint checked before being used.
I disagree.
Only data that is used in external calls must be taint checked. For example, when a name is put in a cookie, just for fun, there's absolutely no reason to taint check it (you should think about encoding it, though).
I dislike Perl's tainting, because it lets _all_ external input be tainted (and that decreases performance), while some things are never used in a dangerous environment. While it might be a good idea for beginners to always taint everything, I personally HATE -T, and would rather be able to have a lexical taint pragma, and taint and untaint functions for those moments where you want to have a check on some data, or when you know some data is completely safe.
44696420796F7520732F2F2F65206F
7220756E7061636B3F202F6D736720
6D6521203A29202D2D204A75657264