Thanks, looks like the name property is also susceptable to issues here. We'll probably wrap this in a template, or find some other way to build it as a safe html string, escaping the things that need it.
A note on the changes we've made - we didn't use a template in this case, as there isn't a way to not draw html attributes based on the value, and html inputs interpret the readonly attribute as being active if it is set at all. As such, this is still a fairly stringy way of putting the whole thing together, but should be easier to understand and make sure it is correct than before.
The fix for this bug has been included in the public release of Sencha GXT 3.0.0. Please try your test case again with this release. Although we're confident that this issue has been resolved, please reply here (or start a new bug thread linking to this one) if you continue to notice issues.