This is not a security issue at all. I think this discussion has been side-tracked too long by framing it as if it has anything to do with security or XSS.
The point is this:
- When using a web service to fetch data, it is simply bad design to format the data for rendering on the server side, because your web service should be usable across front-ends (HTML-encoding data on the server makes no sense when your web service is also accessed by a Delphi Win32 application).
- Having to explicitly HTML-encode data for rendering on the client is clumsy and needless typing. The default situation will be that you want to encode, not that you won't want to encode, so the toolkit should reflect this.
In conclusion, in my opinion: Ext should encode to HTML by default when rendering data to the screen.
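As an added illustration of the encode-by-default rendering the post argues for (example code written here, not Ext JS's own API): the web service returns raw JSON, the client renderer HTML-encodes every value unless the caller explicitly wraps it as trusted markup. `htmlEncode`, `TrustedHtml` and `renderRow` are names assumed for this example.

```javascript
// Added example (not Ext JS code): a small client-side renderer that
// HTML-encodes every value by default, with an explicit opt-out for
// values the caller has deliberately marked as trusted markup.

// Encode the characters that matter when inserting text into HTML.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Wrapper marking a value as already-safe markup (the explicit opt-out).
class TrustedHtml {
  constructor(html) { this.html = html; }
}
function trusted(html) { return new TrustedHtml(html); }

// Render one record as a table row. Plain values are encoded by default;
// only TrustedHtml instances are inserted as-is.
function renderRow(record, columns) {
  const cells = columns.map((col) => {
    const v = record[col];
    const out = v instanceof TrustedHtml ? v.html : htmlEncode(v ?? '');
    return `<td>${out}</td>`;
  });
  return `<tr>${cells.join('')}</tr>`;
}

// Constructed sample: JSON as a web service would return it, unencoded,
// so the same payload could also be consumed by a non-HTML client.
const serviceResponse = JSON.stringify([
  { name: "O'Brien <b>Ltd</b>", note: 'a & b' }
]);

// Parse the service response and render it; no per-field encoding needed.
function renderFromService(json) {
  const records = JSON.parse(json);
  return records.map((r) => renderRow(r, ['name', 'note'])).join('');
}
```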