Everything depends on your use case, but what I do is - escape all HTML code on server side, so that there are no 'forgotten' places by mistake. That of course creates problems, when these data need to be loaded in form fields, because they are escaped. The easiest solution is to override setValue for all form fields and use Extjs htmlDecode function, which will revert these values back to normal.
Ext.override(Ext.form.field.Base, {
setValue: function(val) {
val = Ext.util.Format.htmlDecode(val);
return this.callParent([val]);
}
});