If a value bound to a grid cell is contained in <>, the contents between the angles will not be displayed unless there is an explicit GridCellRenderer which properly escapes the angles as &lt; and &gt;.

The issue is at line 955 in GridView.java, where val.toString() is returned without proper escaping.

I assume (but can't confirm at the moment) that this would be visible if some stock data were changed in TestData to be enclosed in <>. Surprised that this hadn't been reported before, but I did search.

The workaround is to provide a custom GridCellRenderer that properly escapes its output. Without escaping, it is possible that some malicious user could perform the HTML equivalent of SQL injection.
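An escaping helper of the kind the workaround calls for, added here as an illustration and not taken from the project's code. The class name `CellHtmlEscaper` and its `escape` method are hypothetical; a custom GridCellRenderer would return `escape(val)` instead of `val.toString()`, and the renderer interface itself is not reproduced here.

```java
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper: HTML-escapes a cell value before it is written into grid markup. */
public final class CellHtmlEscaper {

    private CellHtmlEscaper() {}

    /**
     * Returns text that is safe to place in HTML element content or in a
     * quoted attribute value. A null cell value renders as an empty string.
     */
    public static String escape(Object val) {
        if (val == null) {
            return "";
        }
        String s = val.toString();
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                // '&' is handled like any other character, so existing
                // entities in the data are shown literally, not interpreted.
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample cell values, including one enclosed in <>
        // as described in the report, a non-String value, and null.
        List<Object> cells =
            Arrays.<Object>asList("<Acme Corp>", "R&D <b>bold</b>", 42, null);
        for (Object cell : cells) {
            System.out.println(String.valueOf(cell) + " -> " + escape(cell));
        }
    }
}
```

With this in place, a value such as `<Acme Corp>` is emitted as `&lt;Acme Corp&gt;` and displays in the cell as typed instead of being parsed as a tag.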