An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser.