==== Loose typing

Because JavaScript is a loosely typed language, extra care should be taken
when accepting user-controlled parameters. Indeed, some methods, that can be
used to sanitize untrusted parameters, sometimes accept both objects and object
arrays.

For example, the `Array.concat` function accepts an array as argument and will
append all of its elements to its target. When an untrusted parameter is an
array, while a single string was expected, using `concat` to build a command
argument list can result in an arbitrary argument injection.

It is therefore of prime importance to check the type of untrusted parameters
before processing them.