Well, the script is pumping out what the user inputs; it's just that the web browser ignores the additional spaces...
As a test, 1 spaced:
Gizmo Is Cool
As a test, 10 spaces:
Gizmo Is Cool
Now, do a quick quote, it will show that I did indeed put 10 spaces, and Threads did indeed store 10 spaces. Thus, a browser issue and not really a threads "security" risk at all... Though I'm not sure how a check would work too well as items are not stored in the db without spaces; I suppose you could remove the space and md5 the value and store that md5 hash in the db and compare against that...