Product Version: NetBeans IDE Dev (Build 201202050600)
Java: 1.7.0_02; Java HotSpot(TM) Client VM 22.0-b10
System: Linux version 2.6.38-13-generic running on i386; UTF-8; en_US (nb)

Steps: execute some query in the OQL console which results in some HTML result, like:

select toHtml(x)+" "+x.toString() from java.lang.String x where x.count>10 && x.toString().substring(0,5)=="<html"

or

select "<html><b><i>this is shown in bold italics, but should be in plain text and showing the tags</></b></html>"

-> the resulting HTML will be interpreted...
Unfortunately, this is a side-effect of enabling arbitrary JavaScript expressions in our (jhat, in fact) OQL implementation. The "x.toString()" is a direct call to the "toString()" method of the "x" instance. The OQL engine doesn't intercept it in any way and as such it cannot perform automatic escaping of potential HTML values. Also, it is not possible to escape the whole result as it may contain HTML marks intended for formatting the result. The valid workaround is to use toHtml(x.toString()), which will escape the HTML marks properly.
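The following is an added example, not code from NetBeans or jhat: it models why the raw x.toString() shape from the report leaks markup into the result cell while the toHtml(x.toString()) workaround does not, and adds a check a console could run on rendered rows. The escapeHtml, rowRaw, rowEscaped and containsRawTag names are assumptions made for this example; escapeHtml stands in for what toHtml() does with a string argument and is not jhat's implementation.

```javascript
// Constructed sample heap "objects": strings whose content looks like markup,
// as in the reporter's query. These are not taken from a real heap dump.
const heapStrings = [
  "<html><b><i>this is shown in bold italics</i></b></html>",
  "plain value",
];

// Escapes the characters that let a string be parsed as markup. This plays
// the role toHtml() plays for a string argument in the workaround; the real
// jhat routine is not reproduced here (assumption for this example).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The problematic shape from the report: a raw x.toString() is concatenated
// into the result cell, so the browser-style renderer interprets its tags.
function rowRaw(x) {
  return escapeHtml(x) + " " + x.toString();
}

// The workaround from the reply: the string is escaped before it is rendered.
function rowEscaped(x) {
  return escapeHtml(x.toString());
}

// Defender-side check: a rendered row that still carries a literal tag means a
// raw toString() (or other unescaped value) reached the cell.
function containsRawTag(html) {
  return /<[a-zA-Z\/!][^>]*>/.test(html);
}

// Renders every sample string with the given row function.
function renderAll(render) {
  return heapStrings.map(render);
}

for (const row of renderAll(rowRaw)) console.log(containsRawTag(row), row);
for (const row of renderAll(rowEscaped)) console.log(containsRawTag(row), row);
```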