Quote Originally Posted by Foggy:
And what about if you show HTML in any case? In my opinion you have to know which HTML tags are valid, for example <b>, <i>, <a> and so on. You have to eliminate <script> tags on the backend to prevent XSS...
Another reason: if you do this in the frontend (in the case of ExtJS that means in JavaScript), I can annul this mechanism with my XSS attack. That's another reason for doing this on the backend, which is almost safer than the frontend...
This case is very uncommon, which is why by default ExtJS should encode every piece of user-supplied data prior to displaying it, but have options to configure it to behave in an insecure way for just some widgets when the developer decides to.

We want ExtJS to be secure by default. We don't want to reconfigure every single widget with the appropriate formatter by hand. Don't you get it?
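The design argued for above (encode everything by default, let a developer opt a single widget out, and use an allowlist only for the rare case where some HTML must be shown) as an added example in plain JavaScript. This is not ExtJS code and not the forum author's code; `htmlEncode`, `renderCell`, the `allowHtml` option and `sanitizeAllowlist` are hypothetical names chosen for the illustration, and the allowlist is deliberately limited to attribute-free formatting tags.

```javascript
// Added example, not from ExtJS: encode-by-default rendering with an explicit
// per-widget opt-out, plus an allowlist filter for the "must show some HTML" case.

// Escape the characters that can change HTML context (text and attribute values).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical widget renderer: the safe path needs no configuration at all,
// and raw HTML is only emitted when the developer sets allowHtml: true.
function renderCell(value, options = {}) {
  if (options.allowHtml === true) {
    return String(value); // raw HTML; the caller takes responsibility for it
  }
  return htmlEncode(value);
}

// Allowlist approach for the uncommon case: escape everything first, then restore
// only exact, attribute-free tags. Anything else (<script>, <b onclick=...>,
// <a href=...>) stays encoded because it never matches a restored token.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong'];

function sanitizeAllowlist(value) {
  let out = htmlEncode(value);
  for (const tag of ALLOWED_TAGS) {
    out = out
      .split('&lt;' + tag + '&gt;').join('<' + tag + '>')
      .split('&lt;/' + tag + '&gt;').join('</' + tag + '>');
  }
  return out;
}

// Constructed sample input: what a hostile user might put in a grid cell.
const untrusted = '<b>bold</b> <script>alert(1)</script> <b onclick="x">y</b>';
console.log(renderCell(untrusted));                      // fully encoded
console.log(renderCell('<b>ok</b>', { allowHtml: true })); // raw, by explicit choice
console.log(sanitizeAllowlist(untrusted));               // <b>..</b> kept, rest encoded
```

Because the allowlist works by restoring exact tokens after a full encode rather than by trying to strip dangerous tags out of raw markup, a tag with any attribute, any unusual spacing, or any name outside the list stays harmless text. If this filter is the "backend" step the quoted post asks for, the encode-by-default widget still protects any path that bypasses it.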