I'm -0 on 'fixing' this. Everybody should note that the server should always (and I really mean always) clean, validate and scrub input. (Always and every time.) If escaping were the default, then there would be some people screaming about that. Besides, a framework should escape everything or nothing (and let the developer escape it himself): one decision, and stick with that, with good documentation.

But I'm +1 on creating a special section in the Documentation and Learn/Wiki sections of the website explaining these kinds of web development security issues/pointers.
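As an added example (not the commenter's code and not the framework's), here is a minimal Python template helper that shows the two policies the comment contrasts, escape everything by default with an explicit opt-out versus escape nothing and leave it to the developer, next to the separate step of server-side input validation. The `{{ name }}` template syntax, the `Raw` marker, the username allow-list and the sample payload are all assumptions made for illustration.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample input: what an attacker would submit in a "display name" field.
UNTRUSTED_NAME = "<script>alert(1)</script>"

# Hypothetical template syntax for this example only.
TEMPLATE = "<p>Hello, {{ name }}!</p>"
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


@dataclass(frozen=True)
class Raw:
    """Marker for a value the developer asserts is already safe HTML (explicit opt-out)."""
    value: str


def h(value) -> str:
    """Escape a value for an HTML text or quoted-attribute context."""
    return html.escape(str(value), quote=True)


def render(template: str, context: dict, escape_by_default: bool) -> str:
    """Substitute {{name}} placeholders under one of the two policies."""
    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if isinstance(value, Raw):
            return value.value        # developer explicitly opted out of escaping
        if escape_by_default:
            return h(value)           # framework escapes everything unless told otherwise
        return str(value)             # framework escapes nothing; developer must call h()
    return PLACEHOLDER.sub(substitute, template)


# Hypothetical allow-list for a username field: input validation, done before the
# value is stored, and independent of whatever output escaping the framework does.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def escape_everything() -> str:
    """Policy A: the framework escapes by default; the payload is neutralised."""
    return render(TEMPLATE, {"name": UNTRUSTED_NAME}, escape_by_default=True)


def escape_nothing_forgotten() -> str:
    """Policy B with a missed h() call: the payload reaches the page unchanged."""
    return render(TEMPLATE, {"name": UNTRUSTED_NAME}, escape_by_default=False)


def escape_nothing_remembered() -> str:
    """Policy B done right: the developer escaped the value himself."""
    return render(TEMPLATE, {"name": h(UNTRUSTED_NAME)}, escape_by_default=False)


def raw_opt_out() -> str:
    """Policy A with an explicit Raw marker for HTML the developer vouches for."""
    return render(TEMPLATE, {"name": Raw("<b>admin</b>")}, escape_by_default=True)


def validation_rejects_payload() -> bool:
    """The scripted name never passes the allow-list, regardless of escaping policy."""
    try:
        validate_username(UNTRUSTED_NAME)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(escape_everything())
    print(escape_nothing_forgotten())
    print(escape_nothing_remembered())
    print(raw_opt_out())
    print(validation_rejects_payload(), validate_username("alice_01"))
```

The point the helper makes concrete is that the two mechanisms are independent: validation rejects the bad value at the door, and output escaping protects the page even when a value was never validated (or was validated against a looser rule). Under escape-nothing, one forgotten `h()` is the whole bug; under escape-everything, the only way to emit markup is the visible `Raw` opt-out, which is easy to grep for in review.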