Do give examples for any point you ever make when reading these types of documents. In some ways, you are giving advice, but if you give reasons with solid examples and counterexamples, you make it that much stronger.
in reply to Regexp do's and don'ts
Points 1 and 2 are easy. Using /i is an efficiency thing. Show benchmarks. If the benchmarks show no difference, then the point isn't valid.
Point 7 ticked me off at a particular company, where a few people would do just that. Show a good example, maybe with a system call or file handle, that shows how this, as an exploit, would work.
It's the difference between "don't smoke" and "don't smoke, it increases your chances of cancer."
Then B.I. said, "Hov' remind yourself
nobody built like you, you designed yourself"