Red herring. Serious bugs have been found in lots of respect-worthy software and service efforts. It just needs to be fixed. You are holding a toddler up to the standards of a pre-teen (which is the highest I'd put Google).
The question here is whether this is a respect-worthy effort at privacy protection.
EDIT: Flaws or holes have been found in Tor. Does that mean we reject the Tor effort outright? If anything, the holes found in Tor are more serious and fundamental, because they raise doubts about Tor's approach and whether their goal can ever be achieved. An HTML injection hole in Hulbee is simply an issue of incomplete execution of their vision, which may or may not be forgivable depending on the technical and non-technical circumstances (which none of us here know yet).
I would argue the Tor example is not a valid comparison. Tor is a very complex system. It has a vast attack surface for holes, especially if you ignore boundaries like assuming there is a globally omniscient adversary.
Contrastingly, websites sanitizing inputs has been done for quite some time; it is hardly new, difficult, or complex. It's fundamental. I would guess most people's answer is that this is not a sufficient effort to protect privacy or security.