Putting my money where my mouth is, here is what I think would be an ideal solution:

  1. Create a property similar to .NET's Literal.Mode property which defines the behavior of a Literal's rendering engine. If it's set to "PassThrough" it simply dumps the string as provided directly to the browser. If however it is set to "Encode" it HTML-encodes the string before doing so.
  2. Add this property to every Ext component that is responsible for writing strings, such as Grid Columns, Message Boxes, Panels, etc.
  3. Allow the developer to specify this value on a component-by-component basis, but default its value to a new global variable.
  4. Create the global variable EXT_TRUST_MODE which ships with the value related to "Encode".

What this does is allow us to say that by default, as Ext ships, all data is considered untrusted and thus encoded; however, if we need a specific control to pass raw data through (because we trust the source of the data), then we can simply set {trustMode: 'passthrough'} or whatnot.

Additionally, to handle the situation of breaking backwards compatibility of old implementations of Ext, we can simply inform those people that they may change the default value of EXT_TRUST_MODE to 'passthrough', defaulting all controls to do so (albeit with a warning about the security problems this may cause).

I sincerely hope that this discussion and the ideas I have proposed are helpful. I truly believe that this is a big problem, but one that Ext can fix, making Ext an even better platform for serious developers.
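The encode-by-default scheme proposed above, sketched as an added example in plain JavaScript (this is not Ext JS code and not part of the post): EXT_TRUST_MODE, trustMode, TextRenderer and htmlEncode are stand-in names assumed for illustration, and the input string is constructed sample data.

```javascript
// Global default from the proposal: ship with "encode" so every string is
// treated as untrusted unless a component explicitly opts out.
const TRUST_MODES = Object.freeze({ ENCODE: 'encode', PASSTHROUGH: 'passthrough' });
let EXT_TRUST_MODE = TRUST_MODES.ENCODE;

// Minimal HTML encoder for the characters that break out of text and
// attribute contexts (a stand-in for a framework's htmlEncode helper).
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for any string-writing component (grid column, panel, message box).
// trustMode may be set per component; when omitted it falls back to the global.
class TextRenderer {
  constructor(config = {}) {
    this.trustMode = config.trustMode;
  }
  effectiveMode() {
    const mode = this.trustMode || EXT_TRUST_MODE;
    // Fail closed: a misspelled mode must not silently become passthrough.
    if (!Object.values(TRUST_MODES).includes(mode)) {
      throw new Error(`unknown trustMode: ${mode}`);
    }
    return mode;
  }
  render(value) {
    return this.effectiveMode() === TRUST_MODES.PASSTHROUGH
      ? String(value)
      : htmlEncode(value);
  }
}

// Legacy apps can opt back into the old behaviour globally, as the post
// suggests for backwards compatibility; the same validation applies.
function setGlobalTrustMode(mode) {
  if (!Object.values(TRUST_MODES).includes(mode)) {
    throw new Error(`unknown trustMode: ${mode}`);
  }
  EXT_TRUST_MODE = mode;
  return EXT_TRUST_MODE;
}

// Constructed sample: user-supplied text containing markup.
const sample = '<b>Bob</b> & "friends"';
console.log(new TextRenderer().render(sample));                          // encoded
console.log(new TextRenderer({ trustMode: 'passthrough' }).render(sample)); // raw
```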