Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8139228

JFileChooser renders file names as HTML document

XMLWordPrintable

    • b25
    • x86
    • linux

      FULL PRODUCT VERSION :


      A DESCRIPTION OF THE PROBLEM :
      Every file name that starts with "<html>" [1] triggers HTML renderer
      which may confuse users and cause security and stability issues.

      This can be reproduced probably in all JDK versions.

      [1] http://www.oracle.com/technetwork/java/seccodeguide-139067.html#3-7

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Open javax.swing.JFileChooser (e.g. the one in jdk-demos/demo/jfc/FileChooserDemo)
      2. Click "New Folder"
      3. Enter new name that starts with <html>:

      <html><h1 color=#ff00ff><font face="Comic Sans MS">SWING ROCKS!!!111
      (huge pink banner)

      <html><object classid=javax.swing.JTree>
      (instantiate and display a JTree object via creepy ObjectView's [1] syntax)

      Note that on Windows platform it may be
      impossible to create such name by default.

      [1] http://docs.oracle.com/javase/8/docs/api/javax/swing/text/html/ObjectView.html


      REPRODUCIBILITY :
      This bug can be reproduced always.

        1. Capture.PNG
          Capture.PNG
          19 kB
        2. Capture1.PNG
          Capture1.PNG
          19 kB
        3. Filechooser.java
          0.6 kB

            tr Tejesh R
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: