On the Security settings section of the admin page you can set setting servoy.clientTrustDataAsHtml. This is a global setting for the Servoy Application Server to enable or disable sanitizing of data from a dataProvider when shown in elements.
When set to false (default) Servoy will protect against XSS attacks by sanitizing data before shown.
When set to true, all data is trusted and no sanitizing will be done.
Setting this to true is highly discouraged, your system may be vulnerable to XSS attacks.
Sanitizing of data can be turned off and on at solution or element level as well, see Security: Cross-site Scripting (XSS).