Not to sound rude, but how are you guys going to determine differences between user input and say, an input from an external sources like pdf, email, webpage, webapps? Do you have thoughts on it? If I make an application, I will want to link to external systems.

If there isn’t any way to distinguish it, I bet the attack surface is too large. If it is restricted to QA without external interface, then usability is also restricted. Any thoughts about it?