"There are a lot of bold claims here, but 'automated XSS protection' smells the fishiest to me."
No, there's a variety of ways to accomplish this. You just have to give up the ability to smash strings together with no thought about what kinds of things they are. The fact that smashing strings blindly together, then desperately running along behind it and trying to clean up the resulting mess, is basically industry "best practice", is the biggest failure of the programming community since buffers that overflowed into executable space.
It shouldn't "smell fishy"; a framework that makes it easier to write XSS than to write correct code ought to be what "smells fishy", but here we are.