While I've not examined Lists yet, Grid is highly susceptible to XSS attacks, due to its lack of escaping of data rendered into the page. String.format(), which on the face of it looks like it might solve it, does nothing to reduce this problem.

Here is a proof of concept.
-> There is a user comment form on a website, on which comments can be posted.
-> Data is assumed to be just raw text, and is stored in the database 'as is'.
-> The back-end application uses ExtJS to render a list of new comments, using JSON to just send the data (escaped correctly for JSON) to the Grid.

Grid renders the data WITHOUT escaping it. - This should not be the default behaviour.
e.g. posted data contains:
<img src="about:blank" width=10 height=10

This application layout is correct, as ExtJS is the presentation layer and all the other steps should not be munging the data.

Suggested Changes:
String.format = function(format) {
    var args = Array.prototype.slice.call(arguments, 1);
    return format.replace(/\{(\d+)\}/g, function(m, i){
        // Put the argument into a text node so the browser escapes it when serialized
        var e = document.createTextNode( args[i] );
        var ew = document.createElement('a');
        ew.appendChild(e);
        return ew.innerHTML;
    });
};

// Route every cell value through the escaping String.format by default
Ext.grid.ColumnModel.defaultRenderer = function(value){
    if(typeof value == "string" && value.length < 1){
        return " ";
    }
    return String.format('{0}', value);
};
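
An added example, not part of the original post or of ExtJS: the same escape-by-default idea done with string replacement, so it runs without a DOM and also escapes quotes, which matters when a value lands inside an attribute. The names escapeHtml, SafeHtml, formatEscaped, escapingRenderer and renderRows are hypothetical, and the sample rows are constructed.

```javascript
// Added example; all names here are hypothetical, not ExtJS API.
var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use in HTML text or a quoted attribute value.
function escapeHtml(value) {
    if (value === null || value === undefined) { return ''; }
    return String(value).replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}

// Wrapper a renderer uses to mark markup it built itself as trusted.
function SafeHtml(html) { this.html = String(html); }

// Like String.format('{0} {1}', a, b), but every argument is escaped
// unless it is wrapped in SafeHtml. Unknown placeholders are left as-is.
function formatEscaped(format) {
    var args = Array.prototype.slice.call(arguments, 1);
    return format.replace(/\{(\d+)\}/g, function (m, i) {
        var index = Number(i);
        if (index >= args.length) { return m; }
        var arg = args[index];
        return arg instanceof SafeHtml ? arg.html : escapeHtml(arg);
    });
}

// Escape-by-default cell renderer, same shape as a grid default renderer.
function escapingRenderer(value) {
    if (typeof value === 'string' && value.length < 1) {
        return '&#160;'; // non-breaking space so an empty cell keeps its height
    }
    return formatEscaped('{0}', value);
}

// Constructed sample rows, as a comment store would deliver them via JSON.
var sampleComments = [
    { author: 'alice', text: 'plain text' },
    { author: 'bob', text: '<img src="about:blank" width=10 height=10>' },
    { author: 'a"b', text: 'Tom & Jerry <3' },
    { author: '', text: 42 }
];

// Build one table row per comment: author goes into an attribute,
// text into the cell body; both are escaped exactly once.
function renderRows(rows) {
    return rows.map(function (r) {
        return formatEscaped('<tr><td title="{0}">{1}</td></tr>',
            r.author, new SafeHtml(escapingRenderer(r.text)));
    });
}
```

A renderer that really needs to emit markup opts in explicitly by wrapping its output in SafeHtml; everything else is escaped.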