I'll likely regret rekindling this, but I gave some thought to the dilemma, as it were, and from Ext's standpoint, flexibility on the entry side solves one-half of the problem.
VTypes seemed like a logical focal point, so I'll offer this one. It's designed for optional rigidity, and undoubtedly could be improved.
The focus here is a step towards disallowing 'dangerous markup' in the first place.
Code:
    (function(){
        // Wrapped in an IIFE so the regex is not a global (protects it from Firebuggers)
        /* Basic: standard markup tags such as <br>
        */
        //var safeAlphanumRe = /<\/?[^>]+>/;
        /* Rigid: standard markup tags AND their HTML-entity-encoded forms,
           i.e. <br /> or <br> written as &lt;br /&gt; or &lt;br&gt;
        */
        var safeAlphanumRe = /(<|&lt;)\/?[^>]+(>|&gt;)/;
        Ext.apply(Ext.form.VTypes, {
            // Validation function: passes only when no raw or encoded tag is present
            safeAlphanum: function(value, field){
                return !safeAlphanumRe.test(String(value));
            },
            // Keystroke mask: letters, digits and underscore are accepted as typed
            safeAlphanumMask : /[a-z0-9_]/i,
            safeAlphanumText : 'This field should only contain letters, numbers, _, and NO markup'
        });
    })();
The safeAlphanumMask could be further hardened to disallow < > ; etc, but I was after a more passive approach without hindering CMS and the like.
On the rendering side: Ext.util.Format.stripTags does an OK job cleaning things up before display (but does not consider HTML-encoded strings).
Feel free to use it where you think it's appropriate. And by all means, tweak it to match your servers' appetite.
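The following is an added, framework-free example (not the poster's code and not part of Ext JS) showing the two halves the post describes side by side: the "rigid" entry-side check that catches raw and entity-encoded tags, and a rendering-side strip that decodes entities before removing tags, which is the gap the post notes in Ext.util.Format.stripTags. The entity table, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example: standalone version of the "rigid" markup check plus a
// sanitiser that decodes HTML entities before stripping tags. Assumed names
// and sample inputs; nothing here is Ext's own API.

// Matches a tag written raw (<br>, </p>) or entity-encoded (&lt;br /&gt;).
const markupRe = /(<|&lt;)\/?[^>]+(>|&gt;)/i;

// Entry-side check: true when the value contains no raw or encoded markup.
function isSafeAlphanum(value) {
  return !markupRe.test(String(value));
}

// Minimal entity decoder (assumption: these five entities are the ones that
// matter for the check; a real decoder would handle the full set).
const entityMap = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
function decodeEntities(s) {
  // Decode &amp; last so that "&amp;lt;" becomes "&lt;", not "<".
  return String(s)
    .replace(/&lt;|&gt;|&quot;|&#39;/g, m => entityMap[m])
    .replace(/&amp;/g, '&');
}

// Plain tag strip, the behaviour the post attributes to stripTags:
// "&lt;b&gt;" is left untouched because it contains no literal '<'.
function stripTags(s) {
  return String(s).replace(/<\/?[^>]+>/g, '');
}

// Rendering-side strip that also covers encoded markup: decode, then strip.
function stripTagsDeep(s) {
  return stripTags(decodeEntities(s));
}

// Re-encode for display so whatever survives is shown as text, never parsed.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Full defender-side pipeline for an untrusted string about to be displayed.
function renderSafe(s) {
  return htmlEncode(stripTagsDeep(s));
}

// Constructed sample inputs showing each stage.
const samples = ['hello_world1', '<b>bold</b>', '&lt;b&gt;encoded&lt;/b&gt;', '5 &lt; 6'];
for (const v of samples) {
  console.log(JSON.stringify(v), 'safe:', isSafeAlphanum(v),
              'stripTags:', JSON.stringify(stripTags(v)),
              'renderSafe:', JSON.stringify(renderSafe(v)));
}
```

Note the trade-off the regex carries: plain text such as "a < b and c > d" also matches, because a '<' followed later by '>' looks like a tag to it, so the check rejects some legitimate comparison text. That is the cost of the passive approach the post chooses over hardening the keystroke mask.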