First, there are possible XSS problems if a developer forgets to use encodeHtml when coding an application that would print to user B content written by user A. This has nothing to do with Firebug or such.
Second, there are minor issues such as my '<b>foo' example. This has nothing to do with security, since the user has just supplied the data himself. (Also see my previous post to jgarcia.) No problem here. But you suggest that I should fix this by setting the grid cell renderer to encodeHtml. This suggestion conflicts with what seems to be the way Ext applications are meant to be coded: plain-text data should be sent from the server HTML-encoded already. The two possibilities here are:
1. HTML-encode all existing data on the server before sending it to the client (via JSON/XML/etc.). The encoded data is in the Ext.data.Store object. It will be rendered to the grid without further encoding. This all leads to the '<b>foo' problem.
2. Send the existing data as-is from the server (via JSON/XML/etc. again). The data is stored as-is in the Ext.data.Store and will be viewed in the grid with the encodeHtml renderer. When the user saves the data, it will be posted to the server as-is. No problem here. BUT: several other posts suggested that all data should be HTML-encoded already on the server, before sending it to the client (via JSON/XML/etc. again). I still cannot see why.
3. Some other way?
We'll get back to the seat belt metaphor once this subject is clear. :P