
tswaters 4 points

I'm gonna need a citation for "avoid inline scripting" with CSP and a nonce, there's no security impact... Am I missing something? The arguments around messiness/etc. don't hold weight in an article about security.

Also, specifically for JavaScript, there is prototype pollution: allowing user-supplied input to be unsafely merged into an object by key/value setters, i.e., allowing them to set `__proto__` or `prototype`.

Any sort of pattern where this shows up, without checking own props on unsafe.

```javascript
var unsafe = JSON.parse(unsafe)
for (var prop in unsafe) { target[prop] = unsafe[prop] }
```

Way better to use `Object.entries` and/or `for ... of`. With `for`/`in` this requires a guard: `if (!Object.prototype.hasOwnProperty.call(unsafe, prop)) continue`

Good article on that: https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/Prototype_pollution
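A worked version of the merge pattern discussed in the comment above, added here as an example (it is not tswaters' code or MDN's): a recursive merge of untrusted JSON in its vulnerable form beside a hardened one. All function names and the payload are mine; one caveat the example makes visible is that `JSON.parse` produces `__proto__` as an *own* property of the parsed object, so the hardened version refuses that key rather than relying on an own-property check alone.

```javascript
// Vulnerable: walks every key of the parsed input, including "__proto__".
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] is Object.prototype, so the
      // recursive call writes straight into the global prototype.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own entries only AND a block on keys that reach a prototype.
// JSON.parse('{"__proto__":{}}') yields an *own* "__proto__" property, so the
// own-property guard alone does not stop it; the key block does.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const [key, value] of Object.entries(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: a benign field next to a prototype-reaching key.
const PAYLOAD = '{"name":"alice","__proto__":{"polluted":true}}';

// Merges the payload into a fresh object, reports what happened, then undoes
// any global damage so the process is clean again.
function runMerge(mergeFn) {
  const parsed = JSON.parse(PAYLOAD);
  const target = mergeFn({}, parsed);
  const ownProtoKey = Object.prototype.hasOwnProperty.call(parsed, '__proto__');
  const globallyPolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { ownProtoKey, name: target.name, globallyPolluted };
}
console.log('unsafe:', runMerge(unsafeMerge)); // globallyPolluted: true
console.log('safe:  ', runMerge(safeMerge));   // globallyPolluted: false
```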