[NETBEANS-720] HTML injection in search result tab titles and MRU dropdown list - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 8.2, 9.0, Next
Fix Version/s: None
Component/s: utilities - Search
Labels:
None

Description

When searching for something like <html><b>HTML</b> <i>injection</i> search tab titles and the MRU dropdown list in the search dialog show the HTML formatted text, not the raw input. This also means searching for <html> produces a tab with an empty title.

Found in NetBeans 8.2, reproduced with the latest build incubator-netbeans-release-272-on-20180418.

(I’d attach a screenshot but JIRA complains about a missing token.)

HTML can be disabled with something like

public static void disableHtml(final JComponent component) {
component.putClientProperty("html.disable", Boolean.TRUE);
}
(see http://www.oracle.com/technetwork/java/seccodeguide-139067.html#3-7)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Screen Shot 2018-04-23 at 16.27.24.png
23/Apr/18 14:27
13 kB
Rami Swailem

Activity

People

Assignee:: Unassigned

Reporter:: dennis lucero

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Apr/18 14:11

Updated:: 23/Apr/18 14:27