This sub-thread is a little snippy, but it seems like a good opportunity to mention something I mention to a lot of people.
Sample code is documentation. For a lot of users, the sample code is the only documentation they're going to read when they're starting out. If you consider that, doing it the right way in your sample code is critical.
Further, it feels a lot like false advertising. If input validation is awkward in your framework, and I don't discover that until later on down the road, I'm probably going to feel deceived. If the "demo code" is a screenful of code, and doing the same activity but doing it in a secure way (i.e. no XSS, etc.) results in 10 screenfuls of code, I'm going to feel that either: a) the author of the framework doesn't know what they're doing, or b) they were trying to make the framework look super minimal, when it actually requires the same amount of boilerplate junk that everyone else requires. Either way, I'm not going to be super pleased. Just show it the right way up front!