And since when did ostensibly open-source projects have closed betas? Release it now and get more eyes on your code.
No, there's a variety of ways to accomplish this. You just have to give up the ability to smash strings together with no thought about what kinds of things they are. The fact that smashing strings blindly together, then desperately running along behind it and trying to clean up the resulting mess, is basically industry "best practice", is the biggest failure of the programming community since buffers that overflowed into executable space.
It shouldn't "smell fishy"; a framework that makes it easier to write XSS than to write correct code ought to be what "smells fishy", but here we are.
I'll detail the mechanism in some other blog post, but it's actually very simple. In the meantime, let me suggest something: go and connect to the chat and attempt to XSS us :)
You have my word that the online chat is exactly the same one as the source code that we have made available. And you can check that there is not one single line of code for XSS.