so how do you design a "safe" h-bridge such that no matter what the inputs are, there isn't a direct short?
The trick is not to have inputs that you can put in that way, so on a simple level this means having only one input and taking the inverse of it to drive the other half of the bridge. Look at a chip like the UC2714, the data sheet has a block diagram of the sort of thing you need.