nhumrich 9 days ago
Libraries can enforce only template strings, and properly escape the output. This is already possible in JavaScript, and you can completely prevent injection attacks using it.

> The developer forgot to interpolate

Not possible if you enforce only templates.

> the developer chose the wrong interpolation

Not possible if the library converts from template to interpolation itself.

> or the interpolation itself got it wrong

Sure, but that would be library code.
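The pattern the comment describes, as an added example that is not part of the thread or any library mentioned in it: two tagged-template helpers (`sql` and `html`, hypothetical names) that refuse to be called with a plain string, so the "forgot to interpolate" path is a thrown error rather than a query built by concatenation, and that do the escaping or parameter binding themselves, so the caller never picks an interpolation method. The `isTemplateStrings`, `SafeHtml` and `escapeHtml` helpers are assumptions of this example.

```javascript
// Added example, not code from the comment above. Demonstrates tagged
// templates as the only accepted call shape, with the library (not the
// caller) deciding how each interpolated value is rendered.

function isTemplateStrings(strings) {
  // A tagged-template call receives a frozen array carrying a `raw`
  // property; a plain string or an ordinary array does not look like this.
  return (
    Array.isArray(strings) &&
    Object.isFrozen(strings) &&
    Array.isArray(strings.raw)
  );
}

// sql`SELECT ... WHERE id = ${id}`
//   -> { text: "SELECT ... WHERE id = $1", values: [id] }
// Values never enter the query text; they are returned as bind parameters
// for a driver that supports $1, $2, ... placeholders.
function sql(strings, ...values) {
  if (!isTemplateStrings(strings)) {
    throw new TypeError("sql must be called as a tagged template: sql`...`");
  }
  let text = strings[0];
  for (let i = 0; i < values.length; i++) {
    text += "$" + (i + 1) + strings[i + 1];
  }
  return { text, values };
}

// Wrapper marking a string as already-escaped HTML, so nested html`...`
// fragments are not double-escaped while raw strings always are.
class SafeHtml {
  constructor(value) {
    this.value = value;
  }
  toString() {
    return this.value;
  }
}

function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// html`<p>${userText}</p>` -> SafeHtml with every interpolation escaped,
// unless the value is itself a SafeHtml produced by this tag.
function html(strings, ...values) {
  if (!isTemplateStrings(strings)) {
    throw new TypeError("html must be called as a tagged template: html`...`");
  }
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    out += (v instanceof SafeHtml ? v.value : escapeHtml(v)) + strings[i + 1];
  }
  return new SafeHtml(out);
}

// Constructed sample input: a value that would change the query if it
// were concatenated into the text instead of bound as a parameter.
const untrustedName = "bob' OR 1=1 --";
const query = sql`SELECT * FROM users WHERE name = ${untrustedName} AND age > ${30}`;
// query.text   -> "SELECT * FROM users WHERE name = $1 AND age > $2"
// query.values -> ["bob' OR 1=1 --", 30]

const page = html`<ul>${html`<li>${"a<b"}</li>`}</ul>`;
// page.value -> "<ul><li>a&lt;b</li></ul>"
```

The check in `isTemplateStrings` distinguishes a tagged call from `sql("...")` or `sql(someArray)`; it is not a defence against code that deliberately forges a frozen array with a `raw` property, only against the accidental misuse the comment is about. Nesting works because `html` returns a `SafeHtml` that the outer tag recognises, while any other value, including a `String` object, goes through `escapeHtml`.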