[5.x]: Table Field Not Escaping HTML in Column Header #15552

@theAdhocracy

What happened?

Description

When creating a new table field, or modifying an existing one, there is a preview of what the field will ultimately look like to editors. That includes updating ‒ in real time ‒ the Column Headings. However, if you use an HTML element, this is not escaped in the string and therefore applies in the preview of the component.

(NOTE: The effect is not visible in actual usage of the Table field. So if you wrap part of the Column Heading in <em> tags, in the Field Editor the text appears italicised, but when you then use that field on an Entry, the text is correctly stringified.)

Steps to reproduce

  1. Create a Table field;
  2. In the Column Heading, enter any text;
  3. Add a visual HTML element e.g. <strong> anywhere within that text;
  4. You will see the Default Values live preview update with bold text following the <strong> element.

Expected behavior

Column headers should be strings, and therefore should render contained HTML or other code as string content.

Actual behavior

Code is executed in the live preview of the Table field.

Craft CMS version

5.3.4

PHP version

8.2.22

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions
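
The pattern this report describes, as an added example that is not part of the original issue and is not Craft CMS code: a preview header row built by string concatenation beside an escaped version, with a regression check that flags any element other than the table skeleton. All function names and the sample column data are hypothetical.

```javascript
// Added illustration; not Craft CMS source. Every name here is hypothetical.

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pattern behind the reported behaviour: the heading is concatenated into
// markup, so whatever renders the preview parses it as HTML.
function renderHeaderUnsafe(columns) {
  return '<tr>' + columns.map((c) => `<th>${c.heading}</th>`).join('') + '</tr>';
}

// Corrected form: the heading is encoded first, so it can only ever be text.
// (In DOM code, assigning to textContent instead of innerHTML has the same effect.)
function renderHeaderSafe(columns) {
  return '<tr>' + columns.map((c) => `<th>${escapeHtml(c.heading)}</th>`).join('') + '</tr>';
}

// Regression check: list element names in a rendered row that are not part
// of the expected table skeleton. An empty result means no heading text
// was interpreted as markup.
function unexpectedTags(html, allowed = ['tr', 'th']) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample input mirroring the steps to reproduce.
const sampleColumns = [
  { heading: 'Price <strong>inc. tax' },
  { heading: 'Notes & <em>caveats</em>' },
];

console.log('unsafe row contains:', unexpectedTags(renderHeaderUnsafe(sampleColumns)));
console.log('safe row contains:  ', unexpectedTags(renderHeaderSafe(sampleColumns)));
console.log(renderHeaderSafe(sampleColumns));
```
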