
I don't really get this criticism. This is a client-only app. Scrubbing input on the client is a bad way to avoid XSS because an attacker can modify the client. So teaching developers to sanitize strings in their frontend JS is not helpful. Why do we care what she does on her single page side project?


