29 May 2013 12:43 AM #28
- The value is not serialized into HTML but assigned via the DOM API, so there is no risk of XSS if you assign a value in this way. There is a danger in components that use a template for rendering (combobox, dataview, grid, ...), but this is only for the output of the selected value's label / data.
- In my personal opinion if you do this at the model level then you are embedding knowledge about how the view layer operates into your model (because of context-aware encoding). This is not a proper way to separate MVC concerns.
- Grids and trees use htmlEncode just like anything else. You have to remember to put renderer: Ext.util.Format.htmlEncode on every column.
You are right in pointing out that htmlpurifier is only good for HTML text (rich text). For input sanitization of non-HTML data on the server we have developed a DTO-based solution in PHP which uses static annotations to validate all data in the server-side web service layer automatically. I gave a tech talk about it recently, and there's an example implementation of it that I've put up on GitHub.
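The two rendering paths the post contrasts, as an added example that is neither the poster's code nor Ext JS itself: `htmlEncode` stands in for `Ext.util.Format.htmlEncode` and is assumed to escape the same characters, `renderRow` is a hypothetical stand-in for a grid's template rendering, and `setViaDomApi` models assignment through the DOM API with a plain object.

```javascript
// Added example, not from the forum post or from Ext JS. Models the two paths
// discussed above: DOM-API assignment (textContent) never parses the value as
// markup, while template/string rendering does, so template-backed columns need
// an htmlEncode renderer on every column.

// Assumed equivalent of Ext.util.Format.htmlEncode (escapes & < > " ').
function htmlEncode(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical template path: turn a record into cell markup the way a grid
// would. Each column is { dataIndex, renderer? }, mirroring an Ext column config.
function renderRow(columns, record) {
  return columns.map(function (col) {
    var raw = record[col.dataIndex];
    // Without a renderer the raw string lands in the markup unchanged.
    var text = col.renderer ? col.renderer(raw) : raw;
    return '<td>' + text + '</td>';
  }).join('');
}

// DOM-API path: the value becomes a text node, never markup. A plain object
// stands in for an element so this runs outside a browser.
function setViaDomApi(el, value) {
  el.textContent = String(value);
  return el;
}

// Defender-side check: does rendered markup contain a tag other than <td>?
function containsRawTag(html) {
  return /<(?!\/?td\b)[a-z]/i.test(html);
}

// Constructed sample record with markup in a field, as untrusted input might carry.
var sampleRecord = { name: 'Ada <b>Lovelace</b> & co', email: 'a@example.test' };

// What the post recommends: htmlEncode as the renderer on every column.
var safeColumns = [
  { dataIndex: 'name',  renderer: htmlEncode },
  { dataIndex: 'email', renderer: htmlEncode }
];
// The same columns with the renderer forgotten.
var unsafeColumns = [{ dataIndex: 'name' }, { dataIndex: 'email' }];
```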