by htf 4288 days ago
I love this. One question: how much emphasis was put on security? Can I safely let the users of my website input any string and feed it directly to the render function?
1 comment

We never do any unsafe DOM manipulations, like using .innerHTML, only createElement and appendChild, so things should be fairly safe. Also, if you do server-side rendering, we escape code that users type in, so that should work well also.
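
The two points in the reply above (build nodes rather than assign to .innerHTML, and escape user text when rendering on the server), as an added example that is not part of the thread or the library's own code. The helpers `el`, `text`, `renderToString` and `renderUnsafe` and the sample input are assumptions made for illustration.

```javascript
// Added example: a minimal node tree standing in for createElement/appendChild.
// All names here (el, text, renderToString, renderUnsafe) are hypothetical.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Tag and attribute names are chosen by the renderer, never taken from users.
const SAFE_NAME = /^[a-zA-Z][a-zA-Z0-9-]*$/;

function el(tag, attrs = {}, children = []) {
  if (!SAFE_NAME.test(tag)) throw new Error(`bad tag name: ${tag}`);
  for (const name of Object.keys(attrs)) {
    // Reject malformed names and event-handler attributes outright.
    if (!SAFE_NAME.test(name) || /^on/i.test(name)) throw new Error(`bad attribute: ${name}`);
  }
  return { tag, attrs, children };
}
const text = (value) => ({ text: String(value) });

// Server-side path: serialise the tree, escaping every text node and attribute value.
function renderToString(node) {
  if ("text" in node) return escapeHtml(node.text);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join("");
  return `<${node.tag}${attrs}>${node.children.map(renderToString).join("")}</${node.tag}>`;
}

// Unsafe contrast: string concatenation, the server-side analogue of .innerHTML.
const renderUnsafe = (input) => `<span class="user">${input}</span>`;

// Constructed hostile input (sample data, not from the thread).
const hostile = '<img src=x onerror="alert(1)">';
const safe = renderToString(el("span", { class: "user", title: hostile }, [text(hostile)]));
console.log(renderUnsafe(hostile)); // user markup passes through verbatim
console.log(safe);                  // same input, emitted as inert text
```

Escaping covers text nodes and attribute values only; URL-valued attributes such as href still need a scheme check.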