Users assigned roles without the unfiltered_html capability are able to save HTML markup in ACF fields. This exposes a site to XSS, because any user who can edit a post can paste in potentially malicious markup, rather than restricting raw HTML to users who have been explicitly granted that capability.
Steps to Reproduce:
1. Create an ACF text/textarea/wysiwyg field on a page.
2. Create a new user with role Author. Authors by default do not have the unfiltered_html capability.
3. Create a new page as the new user, with <script>alert('This should not happen!');</script> as the ACF field content.
4. View the page, the script runs.
Expected Behavior: For users without the unfiltered_html capability, script tags should be stripped out on save, so the field content should display as alert('This should not happen!') with no script executed.
Proposed resolution: ACF fields should check if the user has the unfiltered_html capability on save, and if not, run field content through wp_filter_post_kses().
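The proposed resolution, written as a site-level filter on ACF's acf/update_value hook. This is an added example, not code from the ACF plugin or from the reporter; acf/update_value, current_user_can() and wp_kses_post() are real WordPress/ACF APIs, while the example_-prefixed function names are hypothetical. The report suggests wp_filter_post_kses(); that wrapper expects slashed input and re-slashes its output, so the example uses wp_kses_post(), which applies the same "post" allow-list to unslashed data.

```php
<?php
/**
 * Added example (not ACF's own code): enforce the fix proposed in the report
 * from a site plugin or the theme's functions.php.
 */

/**
 * Filter an ACF field value before it is saved, unless the saving user holds
 * the unfiltered_html capability. acf/update_value fires for every field,
 * including sub fields of repeater and flexible content layouts, so nested
 * text/textarea/wysiwyg values are covered as well.
 *
 * @param mixed      $value   The value about to be saved.
 * @param int|string $post_id The object being saved (post ID, "user_1", "option", ...).
 * @param array      $field   The ACF field settings array.
 * @return mixed     The original value, or the kses-filtered value.
 */
function example_acf_enforce_unfiltered_html( $value, $post_id, $field ) {
    // Users who may post raw HTML keep WordPress' default behaviour.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return example_kses_deep( $value );
}
add_filter( 'acf/update_value', 'example_acf_enforce_unfiltered_html', 10, 3 );

/**
 * Apply wp_kses_post() to a string, or recursively to every string inside an
 * array (e.g. a group field stored as an array). Other scalars pass through.
 *
 * wp_kses_post() keeps the "post" allow-list (p, a, strong, img, ...) and
 * removes <script> tags, on* event attributes, javascript: URLs and similar,
 * leaving the text inside a stripped tag in place. For the report's input
 * "<script>alert('This should not happen!');</script>" the stored value
 * becomes "alert('This should not happen!');", matching the expected behavior.
 */
function example_kses_deep( $value ) {
    if ( is_string( $value ) ) {
        return wp_kses_post( $value );
    }
    if ( is_array( $value ) ) {
        return array_map( 'example_kses_deep', $value );
    }
    return $value;
}
```

Two points worth checking when adopting this: saves performed with no logged-in user (WP-CLI, cron, a REST call without authentication) fail the capability check and are filtered too, which is the safe default; and this is a save-time control only, so a theme that echoes a field with the_field() is still relying on the stored value having passed kses, not on any output escaping.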