Hi @unsalkorkmaz,
Thanks for the post.
According to the plugin author, ACF does not sanitize the field output.
You can create a function to be used instead of the native functions (get_field() and the_field()) and have the values pass through the esc_attr function.
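
One way to write the wrapper described in the reply above, as an added example that is not part of the original post and not code from ACF. The names safe_escape_value(), safe_get_field() and safe_the_field() are hypothetical; get_field() and esc_attr() are the existing ACF and WordPress functions.

```php
<?php
// Hypothetical helpers for a theme's functions.php; not part of ACF.

// Escape a field value. ACF can return arrays (repeater rows, multi-select
// choices), so strings nested in arrays are escaped recursively.
function safe_escape_value( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'safe_escape_value', $value );
    }
    if ( is_string( $value ) ) {
        return esc_attr( $value );
    }
    // Integers, floats, booleans, null and objects (for example a WP_Post
    // from a post object field) are returned unchanged; escape their
    // properties at the point where they are printed.
    return $value;
}

// Drop-in replacement for get_field() with the same arguments.
function safe_get_field( $selector, $post_id = false, $format_value = true ) {
    return safe_escape_value( get_field( $selector, $post_id, $format_value ) );
}

// Drop-in replacement for the_field(): prints the escaped value.
function safe_the_field( $selector, $post_id = false, $format_value = true ) {
    $value = safe_get_field( $selector, $post_id, $format_value );

    if ( is_array( $value ) ) {
        // Join scalar items for display; nested arrays and objects are skipped.
        $value = implode( ', ', array_filter( $value, 'is_scalar' ) );
    }
    if ( is_scalar( $value ) ) {
        echo $value; // Strings were already escaped by safe_escape_value().
    }
}

// Template usage, with a constructed field name:
// <input type="text" value="<?php safe_the_field( 'subtitle' ); ?>">
```

esc_attr() encodes HTML special characters, so a field that is meant to hold markup (a WYSIWYG field, for example) will be printed as literal text; wp_kses_post() is the WordPress function for output that should keep a limited set of tags.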