Taint checking / analysis for JavaScript might be coming to Flow: https://www.youtube.com/watch?v=VEaDsKyDxkY&t=24m45s
It'd be great to extend that to the browser and backend for QA and security.
The Wikipedia page links to http://docstore.mik.ua/orelly/web/jscript/ch20_04.html which says Netscape Navigator 3 and 4 used taint-tracking to prevent exfiltrating private data too.
Actually per https://queue.acm.org/detail.cfm?id=2663760 just escape output for the appropriate context or contexts (i.e. what we already know), but Flow could be helpful there too for finding unescaped output/sinks.
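An added example, not part of the original comment and not Flow's implementation: a runtime sketch of the two ideas above, where untrusted values are wrapped as tainted and an output sink rejects anything that was not escaped for the context of its slot. The names `Tainted`, `Safe`, `escapeHtml`, `escapeUrlAttr` and `html` are hypothetical, and the sample inputs are constructed.

```javascript
// Added illustration. Tainted, Safe, escapeHtml, escapeUrlAttr and html are hypothetical names.
class Tainted { constructor(value) { this.value = String(value); } }
class Safe { constructor(value, context) { this.value = value; this.context = context; } }

const unwrap = (x) => (x instanceof Tainted ? x.value : String(x));
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Context 1: HTML text or a quoted attribute value.
function escapeHtml(input) {
  return new Safe(unwrap(input).replace(/[&<>"']/g, (c) => ENTITIES[c]), 'html');
}

// Context 2: a URL inside a quoted attribute. Two contexts are nested, so the
// scheme is checked first and the result is then HTML-escaped.
function escapeUrlAttr(input) {
  let href = 'about:blank';
  try {
    const url = new URL(unwrap(input));
    if (url.protocol === 'http:' || url.protocol === 'https:') href = url.href;
  } catch (e) { /* unparsable input keeps the about:blank fallback */ }
  return new Safe(escapeHtml(href).value, 'url-attr');
}

// Sink: a tagged template that refuses any value not escaped for its slot.
// Simplifying assumption: a slot right after href=" is a URL slot, all others are HTML.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    const expected = /\bhref="$/.test(strings[i]) ? 'url-attr' : 'html';
    if (!(v instanceof Safe) || v.context !== expected) {
      throw new TypeError(`slot ${i}: value is not escaped for the ${expected} context`);
    }
    out += v.value + strings[i + 1];
  });
  return out;
}

// Constructed sample input standing in for request data.
const name = new Tainted('<b>Mallory</b>');
const link = new Tainted('https://example.test/a?b=1&c=2');

function renderProfile() {
  return html`<a href="${escapeUrlAttr(link)}">${escapeHtml(name)}</a>`;
}
```

A static checker would report the same two failures (a tainted value at the sink, or an escaper for the wrong context) at analysis time instead of throwing at render time.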