Sanitize caption used in Grid header

Cherry pick of https://github.com/vaadin/framework/pull/11644

1 files changed, 2 insertions, 0 deletions

diff --git a/server/src/main/java/com/vaadin/ui/Grid.java b/server/src/main/java/com/vaadin/ui/Grid.java
index c8bdd98b76..cd18891209 100644
--- a/server/src/main/java/com/vaadin/ui/Grid.java
+++ b/server/src/main/java/com/vaadin/ui/Grid.java
@@ -38,6 +38,7 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import org.jsoup.Jsoup;
 import org.jsoup.nodes.Attributes;
 import org.jsoup.nodes.Element;
 import org.jsoup.select.Elements;
@@ -3424,6 +3425,7 @@ public class Grid extends AbstractFocusable implements SelectionNotifier,
             if (caption == null) {
                 caption = ""; // Render null as empty
             }
+            caption = Jsoup.parse(caption).text();
             state.headerCaption = caption;
 
             HeaderRow row = grid.getHeader().getDefaultRow();