No Eduardo, this is not a hack given that in the majority
of cases the variables should in fact be quoted. The default
behavior should be what is most common. Doing it this way
means that if someone is either inexperienced or careless you
still get a page which is not susceptible to cross site scripting exploits, and the way it breaks is obvious and
easy to fix.
Doing it the other way around makes the failure mode silent
and exposes your site to a security risk.
