No, this is as designed.
You can disable it globally by updating your rsobj.php file. You can disable it on the recordset level, or you can disable it in individual getColumnVal() references. The example I gave you disables it in the getColumnVal() method by appending the "false" parameter at the end.
I think it is best to have the Cross Site Scripting enabled by default, so people will have to get used to making the change in the code in one of the three locations in order to get around it when necessary.