Thank you for reporting this bug. We will make it our priority to review this report.
[CLOSED] com.extjs...widget.grid.GridView.getRenderedValue does not escape <
If a value bound to a grid cell contains is contained in <>, the contents between the angles will not be displayed unless there is an explicit GridCellRenderer which properly escapes the angles as < and >.
The issue in at line 955 in GridView.java where val.toString() is returned without proper escaping.
I assume (but can't confirm at the moment) that this would be visible if some stock data were changed in TestData to be enclosed in <>. Surprised that this hadn't been reported before, but I did search.
The workaround is to provide a custom GridCellRenderer that properly escapes its output. Without escaping, it is possible that some malicious user could perform the HTML equivalent of SQL injection.