Ah, the fun part of this is "interpreted as code". Which language? html, xml, js, css, json? Get that part wrong or slightly off, and what you sanitized for one isn't for the other. And sometimes there can be nested contexts.
While the idea of "taint" is useful, it is only half the battle. The other half is accounting for the context.
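To make the "which language?" point concrete, here is an added Python example (not part of the comment above, and not from any particular library) with one encoder per output context plus a crude breakout check for each. The sample value and the context names are constructed for the demonstration; the checks only test whether the encoded value can still terminate the surrounding construct, not whether the result is meaningful. The interesting output is the matrix: the diagonal (value encoded for the context it lands in) is always safe, while several off-diagonal cells are not, which is exactly "sanitized for one isn't for the other". The last encoder shows a nested context (JS inside an HTML attribute), where the inner context is encoded first.

```python
import html
import json

# Constructed sample value: contains characters that end a JS string literal,
# an HTML attribute, a CSS string and a <script> block.
SAMPLE = 'x"; alert(1); //</script>\n'


def encode_html_text(s: str) -> str:
    """Value lands between tags: <p>{here}</p>."""
    return html.escape(s, quote=False)


def encode_html_attr(s: str) -> str:
    """Value lands inside a quoted attribute: <div title="{here}">."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """Value lands inside a JS string literal: var v = "{here}";
    Everything except ASCII alphanumerics becomes \\xHH or \\uHHHH, so no quote,
    newline or '</script>' can reach the HTML or JS parser."""
    out = []
    for ch in s:
        o = ord(ch)
        if o < 128 and ch.isalnum():
            out.append(ch)
        elif o < 256:
            out.append(f"\\x{o:02x}")
        else:
            out.append(f"\\u{o:04x}")
    return "".join(out)


def encode_css_string(s: str) -> str:
    """Value lands inside a CSS string: content: "{here}".
    CSS hex escapes are backslash, hex digits and a terminating space."""
    return "".join(
        ch if (ord(ch) < 128 and ch.isalnum()) else f"\\{ord(ch):x} " for ch in s
    )


def encode_json(obj) -> str:
    """Value is serialised as JSON that will sit inside a <script> block, so the
    HTML-significant characters are hex-escaped on top of normal JSON escaping."""
    return (json.dumps(obj)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def encode_js_in_html_attr(s: str) -> str:
    """Nested context: onclick="f('{here}')". Encode the inner JS string context
    first, then the outer HTML attribute; the browser decodes in reverse order."""
    return encode_html_attr(encode_js_string(s))


# Breakout checks: does the encoded value still contain something that closes
# the construct it is placed in? Deliberately simple; they flag structure only.
def breaks_html_text(encoded: str) -> bool:
    return "<" in encoded


def breaks_html_attr(encoded: str) -> bool:
    return '"' in encoded


def breaks_js_string(encoded: str) -> bool:
    return (any(c in encoded for c in ('"', "'", "\n", "\r"))
            or "</" in encoded.lower())


CONTEXTS = {
    "html_text": (encode_html_text, breaks_html_text),
    "html_attr": (encode_html_attr, breaks_html_attr),
    "js_string": (encode_js_string, breaks_js_string),
}


def safety_matrix(value: str) -> dict:
    """For every (encoder, destination context) pair, report whether the encoded
    value still breaks out of that context. Keys are (encoded_for, placed_in)."""
    return {
        (enc_name, ctx_name): check(enc(value))
        for enc_name, (enc, _) in CONTEXTS.items()
        for ctx_name, (_, check) in CONTEXTS.items()
    }


if __name__ == "__main__":
    for (enc_for, placed_in), broken in safety_matrix(SAMPLE).items():
        print(f"encoded for {enc_for:9} placed in {placed_in:9} -> "
              f"{'BREAKS OUT' if broken else 'ok'}")
```

Run it and note that HTML-text-encoding the sample leaves the `"` intact, so it breaks a JS string, and attribute-encoding leaves the newline, which also ends a JS string literal; only the encoder matching the destination context is reliable, and a nested context needs both encoders in the right order.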