//nefariousplan

Sanitized The Secrets, Not The Sink

A function applies escape/quote/sanitize logic to user-controlled fields the developer perceives as security-sensitive (credentials, passwords, tokens) and omits it on a field that actually flows into the dangerous interpreter (shell, SQL, format string, eval). The mitigation logic in the same function is proof the developer understood the threat; the unsanitized field is proof they sorted by perceived field sensitivity rather than by destination.
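To make the pattern concrete, the following is an added example written for this note, not code taken from any project: a token check against a constructed in-memory SQLite table in which the developer escapes the token (the field they consider sensitive) but interpolates the account name raw into the same query. The companion function binds both values as parameters. The names `accounts`, `verify_token_sorted_by_sensitivity` and `verify_token_sorted_by_destination` and the sample rows are all constructed for the example.

```python
import sqlite3
from typing import Callable

# Constructed sample data for the example: an account name and its API token.
SAMPLE_ROWS = [("alice", "tok-abc"), ("o'brien", "tok-123")]


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_sql_literal(value: str) -> str:
    """Double single quotes: the ad-hoc 'sanitizer' such code typically carries."""
    return value.replace("'", "''")


def verify_token_sorted_by_sensitivity(conn, account: str, token: str) -> bool:
    # The token is escaped because it is perceived as the sensitive field.
    # The account name flows into the very same SQL string and is not.
    # Both fields reach the interpreter; only one was treated as dangerous.
    query = (
        f"SELECT 1 FROM accounts WHERE name = '{account}' "
        f"AND token = '{escape_sql_literal(token)}'"
    )
    return conn.execute(query).fetchone() is not None


def verify_token_sorted_by_destination(conn, account: str, token: str) -> bool:
    # Every value that reaches the interpreter is bound as a parameter,
    # regardless of how sensitive the developer considers it to be.
    query = "SELECT 1 FROM accounts WHERE name = ? AND token = ?"
    return conn.execute(query, (account, token)).fetchone() is not None


def quote_in_field_breaks_query(fn: Callable, conn, account: str, token: str) -> bool:
    """Return True if a quote in the input is parsed as SQL syntax (the
    interpreter raises) instead of being treated as data. For a legitimate
    name such as o'brien, True is the tell-tale that the field reaches the
    sink raw, whatever the developer did to the other field."""
    try:
        fn(conn, account, token)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for fn in (verify_token_sorted_by_sensitivity, verify_token_sorted_by_destination):
        broken = quote_in_field_breaks_query(fn, db, "o'brien", "tok-123")
        print(f"{fn.__name__}: quoted name breaks query = {broken}")
```

The review habit the example encodes: for each sink, list every value that reaches it and confirm each one is bound or encoded for that sink; the presence of escaping on one field says nothing about the others. The legacy function passes for ordinary names like `alice`, which is why the defect survives testing, while a quote in the account name alone shows that field is being parsed as SQL.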