
Bug 208100 - Results of OQL query in OQL console interpret HTML
Summary: Results of OQL query in OQL console interpret HTML
Status: RESOLVED WONTFIX
Alias: None
Product: profiler
Classification: Unclassified
Component: Ide
Version: 7.2
Hardware: PC All
Importance: P3 normal
Assignee: issues@profiler
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-06 15:52 UTC by Petr Cyhelsky
Modified: 2012-03-22 10:31 UTC

See Also:
Issue Type: DEFECT
Exception Reporter:


Description Petr Cyhelsky 2012-02-06 15:52:39 UTC
Product Version: NetBeans IDE Dev (Build 201202050600)
Java: 1.7.0_02; Java HotSpot(TM) Client VM 22.0-b10
System: Linux version 2.6.38-13-generic running on i386; UTF-8; en_US (nb)

Steps: execute some query in the OQL console which produces an HTML result, like:
    select toHtml(x)+" "+x.toString() from java.lang.String x where x.count>10 && x.toString().substring(0,5)=="<html"
or
    select "<html><b><i>this is shown in bold italics, but should be in plain text and showing the tags</></b></html>"
 -> the resulting HTML will be interpreted...
Comment 1 J Bachorik 2012-03-22 10:31:04 UTC
Unfortunately, this is a side-effect of enabling arbitrary JavaScript expressions in our (jhat, in fact) OQL implementation. The "x.toString()" is a direct call to the "toString()" method of the "x" instance. The OQL engine doesn't intercept it in any way and as such it cannot perform automatic escaping of potential HTML values. Also, it is not possible to escape the whole result as it may contain HTML marks intended for formatting the result.

The valid workaround is to use toHtml(x.toString()) which will escape the HTML marks properly.
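The distinction made in this thread, as an added example that is not code from NetBeans or jhat: a result value is placed into an HTML document, so markup inside the value is interpreted unless that value is escaped, while markup the query author adds on purpose must survive, which is why the console cannot escape the whole result wholesale. The toHtml() below is a simplified stand-in for jhat's function (an assumption, not its real implementation), the heap strings are constructed, and the <li> wrapper plays the role of deliberate formatting markup.

```javascript
// Added example, not code from NetBeans or jhat. Models the situation in the
// bug: OQL result strings are rendered as HTML, so a value that happens to
// contain markup is interpreted unless it is escaped per value.
// Assumed: a simplified toHtml() that escapes the HTML-significant
// characters; jhat's real implementation is not reproduced here.

// Escape the characters that carry meaning in HTML text and attributes.
function toHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed heap values standing in for java.lang.String instances whose
// contents come from the program's data (as in the reporter's first query).
const heapStrings = [
  "plain text",
  "<html><b><i>interpreted unless escaped</i></b></html>",
  "a < b && c > d",
];

// Models a row such as `select x.toString() from java.lang.String x`:
// the raw value is placed into the result document, so its tags are interpreted.
function renderUnescaped(values) {
  return values.map((v) => "<li>" + v + "</li>").join("");
}

// Models the workaround `select toHtml(x.toString()) from java.lang.String x`:
// each untrusted value is escaped, while markup the query author adds on
// purpose (here the <li> wrapper) is kept intact.
function renderEscaped(values) {
  return values.map((v) => "<li>" + toHtml(v) + "</li>").join("");
}

// Defender-side check: does the rendered output contain any tag other than
// the wrapper the renderer itself emitted? True means a value was interpreted.
function containsForeignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?li>$/.test(t));
}

console.log("unescaped:", renderUnescaped(heapStrings));
console.log("escaped:  ", renderEscaped(heapStrings));
console.log("unescaped has foreign tags:", containsForeignTags(renderUnescaped(heapStrings)));
console.log("escaped has foreign tags:  ", containsForeignTags(renderEscaped(heapStrings)));
```

Run it with node; the unescaped rendering reports foreign tags (the <html>, <b> and <i> from the heap value) while the escaped rendering reports none, and the deliberate <li> wrapper survives in both.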