Search Type: Posts; User: caustic
-
21 Nov 2009 5:51 AM
- Replies: 166
- Views: 59,399
By the way, here is a simple demonstration of the vulnerability.
Open Editor Grid Example in your browser. Please prefer Firefox for now. Try editing any of the grid cells, paste the following...
-
21 Nov 2009 5:33 AM
- Replies: 166
- Views: 59,399
I'm sorry to disappoint you, but this approach will make the problem even worse. It only pretends to fix it, giving you false hope for security.
By the way, you simply can't do this kind of...
-
17 Nov 2009 5:27 AM
- Replies: 166
- Views: 59,399
No, we do not acknowledge that silly decision. Consider the following example: It is ok for the same server to serve both desktop and web applications at the same time. In this scenario it is the...
-
17 Nov 2009 4:35 AM
- Replies: 166
- Views: 59,399
This case is very uncommon, so this is why by default ExtJS should encode every piece of user-supplied data prior to displaying it, but have options to configure it to behave in an insecure way just for...
-
1 Jul 2009 4:50 AM
- Replies: 2
- Views: 1,223
There is a problem with drag and drop functionality in Internet Explorer.
When I begin a drag operation and drop onto any element besides the drop zone (anywhere in the body of the document), JavaScript...
-
1 Sep 2008 11:13 AM
- Replies: 166
- Views: 59,399
Several people have already suggested this behavior for ExtJS, and I'm for it too.
-
1 Sep 2008 11:08 AM
- Replies: 166
- Views: 59,399
Take for example this forum. Or any Drupal installation. By the way, read Handle text in a secure fashion from its documentation.
-
20 Aug 2008 9:55 AM
- Replies: 166
- Views: 59,399
But this is a completely different problem! You can avoid SQL injections by, for example (I really mean _example_), not using a relational database at all. That is, you can store all your data in...
-
20 Aug 2008 5:41 AM
Thread: Grid editing security by caustic
- Replies: 12
- Views: 7,503
+1
Could not find such option in ExtJS 2.2, missing it greatly.
-
20 Aug 2008 5:25 AM
- Replies: 166
- Views: 59,399
Omg, this is completely wrong. It irritates me how people don't understand such simple, trivial things. You should always save raw, unescaped data, as entered by a user to the database. It is only...
