Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P3
Fix Version/s: 25
Affects Version/s: 8, 9, 11, 15, 16
Component/s: client-libs
Labels:
- cssn25_09_01
- jdk17u-fix-request
- jdk17u-fix-yes
- jdk21u-fix-request
- jdk21u-fix-yes
- reproducer-yes
- sn_187
- sn_188
- sn_189
- sn_190
- sn_193
- sn_195
- sust-bp-triaged
- webbug

Subcomponent:
javax.swing
Resolved In Build:
b25
CPU:

x86
OS:

linux

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8368133	21.0.10-oracle	Alexey Ivanov	P3	Resolved	Fixed	master
JDK-8368377	21.0.10	Goetz Lindenmaier	P3	Resolved	Fixed	master
JDK-8368134	17.0.18-oracle	Alexey Ivanov	P3	Resolved	Fixed	master
JDK-8368442	17.0.18	Goetz Lindenmaier	P3	Resolved	Fixed	master
JDK-8368323	11.0.30-oracle	Alexey Ivanov	P3	Resolved	Fixed	master
JDK-8368990	8u481	Alexey Ivanov	P3	Resolved	Fixed	master

FULL PRODUCT VERSION :

A DESCRIPTION OF THE PROBLEM :
Every file name that starts with "<html>" [1] triggers HTML renderer
which may confuse users and cause security and stability issues.

This can be reproduced probably in all JDK versions.

[1] http://www.oracle.com/technetwork/java/seccodeguide-139067.html#3-7

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Open javax.swing.JFileChooser (e.g. the one in jdk-demos/demo/jfc/FileChooserDemo)
2. Click "New Folder"
3. Enter new name that starts with <html>:

<html><h1 color=#ff00ff><font face="Comic Sans MS">SWING ROCKS!!!111
(huge pink banner)

<html><object classid=javax.swing.JTree>
(instantiate and display a JTree object via creepy ObjectView's [1] syntax)

Note that on Windows platform it may be
impossible to create such name by default.

[1] http://docs.oracle.com/javase/8/docs/api/javax/swing/text/html/ObjectView.html

REPRODUCIBILITY :
This bug can be reproduced always.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Capture.PNG
19 kB
2021-03-09 08:29
Capture1.PNG
19 kB
2021-03-09 08:42
Filechooser.java
0.6 kB
2021-03-09 08:27

backported by

JDK-8368133 JFileChooser renders file names as HTML document

Resolved

JDK-8368134 JFileChooser renders file names as HTML document

Resolved

JDK-8368323 JFileChooser renders file names as HTML document

Resolved

JDK-8368377 JFileChooser renders file names as HTML document

Resolved

JDK-8368442 JFileChooser renders file names as HTML document

Resolved

JDK-8368990 JFileChooser renders file names as HTML document

Resolved

causes

JDK-8358532 JFileChooser in GTK L&F still displays HTML filename

Resolved

relates to

JDK-8357799 Improve instructions for JFileChooser/HTMLFileName.java

Resolved

JDK-8357457 Automate JFileChooser/HTMLFileName.java test

Open

JDK-8357456 Ensure JFileChooser doesn't render file names as HTML in all L&Fs support

Open

links to

Commit(master) openjdk/jdk17u-dev/d39ca878

Commit(master) openjdk/jdk21u-dev/129eb4e3

Commit(master) openjdk/jdk/917c1546

Review(master) openjdk/jdk17u-dev/3978

Review(master) openjdk/jdk21u-dev/2254

Review(master) openjdk/jdk/24439

(1 backported by, 1 causes, 3 relates to, 6 links to)

Assignee:: Tejesh R

Reporter:: Webbug Group

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2015-07-10 09:20

Updated:: 1 week ago 02:57

Resolved:: 2025-05-23 10:04

Details

Backports

Description

Attachments

Attachments

Issue Links

Activity

People

Dates