I think the example code isn't actually vulnerable. The libraries appear to automatically escape the input.