Currently we can get invalid UTF8 and UTF16 from various external sources. It is a bug to pass this incorrect UTF-encoded data to conversion functions such as ConvertUTF8toUTF16. I'd like to consider using typedefs and static analysis to annotate and separate string data which we know is UTF-correct from data which needs to be validated: typedef nsACString nsAUTF8String; typedef nsCString nsUTF8String; Then enforce that assignments from CString->UTF8String are only performed through safe functions or through a cast function.