Unclear to me whether "better languages" is the issue or just better type systems. We should be able to express "untrusted input" in any sufficiently extensible type system (e.g., Rust would probably let you express this). TypeScript may let you express this; I don't know because I've never worked with it.
At a high level, I agree - our tools should do this for us, we shouldn't need people to be experts in untrusted input handling to work effectively with it.
Google internalized this and built their own modular library that they use for all UI development that just makes this completely opaque to the developers. So they don't have most frontend input handling bugs, or if they do they get fixed for everyone at once in the framework layer.
This is not even a new idea. Perl has had 'Taint' mode for a very long time, and the mode does exactly this: it labels externally supplied data as "tainted" until you "cleanse" it within your code. Naturally the level of security is dependent upon how well you write your "cleanse" routines, but the mode does prevent accidental use of untrusted input.
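An added example, not code from anyone in this thread: a sketch of the "untrusted input" type suggested for Rust above, following the taint-then-cleanse model described for Perl. The names `Tainted`, `Username`, `greeting_html` and `handle_request` are hypothetical, and the username rule (1 to 32 ASCII alphanumerics or underscores) is an assumption chosen for illustration.

```rust
mod taint {
    /// Externally supplied data. The field is private, so code outside this
    /// module cannot read the value except through `cleanse`.
    pub struct Tainted<T>(T);

    impl<T> Tainted<T> {
        pub fn new(raw: T) -> Self { Tainted(raw) }
        /// Release the value only to a validator that returns a checked type.
        pub fn cleanse<U, E>(self, check: impl FnOnce(T) -> Result<U, E>) -> Result<U, E> {
            check(self.0)
        }
    }
}

mod checked {
    /// A username that has passed validation; only `parse` can construct it.
    pub struct Username(String);

    impl Username {
        pub fn parse(raw: String) -> Result<Username, String> {
            let ok = !raw.is_empty()
                && raw.len() <= 32
                && raw.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
            if ok { Ok(Username(raw)) } else { Err(format!("rejected input: {:?}", raw)) }
        }
        pub fn as_str(&self) -> &str { &self.0 }
    }
}

use checked::Username;
use taint::Tainted;

/// A sink that accepts only the checked type; passing a `Tainted<String>`
/// or a plain `String` here is a compile error, not a runtime surprise.
pub fn greeting_html(user: &Username) -> String {
    format!("<p>Hello, {}</p>", user.as_str())
}

/// Boundary function: wrap the raw value at the edge, then cleanse it.
pub fn handle_request(raw_param: &str) -> Result<String, String> {
    let user = Tainted::new(raw_param.to_string()).cleanse(Username::parse)?;
    Ok(greeting_html(&user))
}

fn main() {
    // Constructed sample inputs, one accepted and one rejected.
    println!("{:?}", handle_request("alice_01"));
    println!("{:?}", handle_request("bob<b>"));
}
```

As with Perl's taint mode, the guarantee is only as strong as the validator passed to `cleanse`; the type system prevents forgetting the check, not writing a weak one.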