From c71417b51ed311adc2353fb88c75bb72c7293a54 Mon Sep 17 00:00:00 2001
From: Zhe Sun <31067185+ZheSun88@users.noreply.github.com>
Date: Mon, 1 Jul 2019 14:56:48 +0300
Subject: [PATCH] Sanitize caption used in Grid header (#11644)

* Sanitize input used in Grid header
---
 server/src/main/java/com/vaadin/ui/Grid.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/src/main/java/com/vaadin/ui/Grid.java b/server/src/main/java/com/vaadin/ui/Grid.java
index d463832119..fa6237a83a 100644
--- a/server/src/main/java/com/vaadin/ui/Grid.java
+++ b/server/src/main/java/com/vaadin/ui/Grid.java
@@ -38,6 +38,7 @@ import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import org.jsoup.Jsoup;
 import org.jsoup.nodes.Attributes;
 import org.jsoup.nodes.Element;
 import org.jsoup.select.Elements;
@@ -1340,6 +1341,7 @@ public class Grid<T> extends AbstractListing<T> implements HasComponents,
          */
         public Column<T, V> setCaption(String caption) {
             Objects.requireNonNull(caption, "Header caption can't be null");
+            caption = Jsoup.parse(caption).text();
             if (caption.equals(getState(false).caption)) {
                 return this;
             }
-- 
2.39.5