Ensure type names are properly encoded in the results grid. Fixes #4401

docs/en_US/release_notes_4_12.rst

@@ -21,6 +21,7 @@ Bug fixes
 *********
 
 | `Issue #4179 <https://redmine.postgresql.org/issues/4179>`_ -  Fix generation of reverse engineered SQL for tables with Greenplum 5.x.
+| `Issue #4401 <https://redmine.postgresql.org/issues/4401>`_ -  Ensure type names are properly encoded in the results grid.
 | `Issue #4490 <https://redmine.postgresql.org/issues/4490>`_ -  Fix accessibility issue for checkbox in IE11.
 | `Issue #4496 <https://redmine.postgresql.org/issues/4496>`_ -  Ensure columns can be created when they are IDENTITY fields with the CYCLE option enabled.
 | `Issue #4497 <https://redmine.postgresql.org/issues/4497>`_ -  Ensure purely numeric comments can be saved on new columns.

web/pgadmin/feature_tests/xss_checks_panels_and_query_tool_test.py

@@ -33,11 +33,18 @@ class CheckForXssFeatureTest(BaseFeatureTest):
         ("Test XSS check for panels and query tool", dict())
     ]
     test_table_name = "<h1>X"
+    test_type_name = '"<script>alert(1)</script>"'
 
     def before(self):
+        test_utils.create_type(
+            self.server, self.test_db, self.test_type_name,
+            ['"<script>alert(1)</script>" "char"',
+             '"1<script>alert(1)</script>" "char"']
+        )
         test_utils.create_table(
             self.server, self.test_db, self.test_table_name,
-            ['"<script>alert(1)</script>" char']
+            ['"<script>alert(1)</script>" char',
+             'typcol '+self.test_type_name]
         )
         # This is needed to test dependents tab (eg: BackGrid)
         test_utils.create_constraint(

web/pgadmin/tools/sqleditor/static/js/sqleditor.js

@@ -752,12 +752,15 @@ define('tools.querytool', [
       column_size[table_name] = column_size[table_name] || {};
 
       _.each(columns, function(c) {
+        c.display_name = _.escape(c.display_name);
+        c.column_type = _.escape(c.column_type);
+
         var options = {
           id: c.name,
           pos: c.pos,
           field: c.name,
           name: c.label,
-          display_name: _.escape(c.display_name),
+          display_name: c.display_name,
           column_type: c.column_type,
           column_type_internal: c.column_type_internal,
           not_null: c.not_null,

web/regression/python_test_utils/test_utils.py

@@ -255,6 +255,44 @@ def create_constraint(server,
         traceback.print_exc(file=sys.stderr)
 
 
+def create_type(server, db_name, type_name, type_fields=[]):
+    """
+    This function create the type in given database name
+    :param server: server details
+    :type server: dict
+    :param db_name: database name
+    :type db_name: str
+    :param type_name: type name
+    :type type_name: str
+    :param type_fields: type fields
+    :type type_fields: list
+    :return: None
+    """
+    try:
+        connection = get_db_connection(
+            db_name,
+            server['username'],
+            server['db_password'],
+            server['host'],
+            server['port'],
+            server['sslmode']
+        )
+        old_isolation_level = connection.isolation_level
+        connection.set_isolation_level(0)
+
+        type_fields_sql = ", ".join(type_fields)
+
+        pg_cursor = connection.cursor()
+        pg_cursor.execute(
+            '''CREATE TYPE %s AS (%s)''' % (type_name, type_fields_sql))
+
+        connection.set_isolation_level(old_isolation_level)
+        connection.commit()
+
+    except Exception:
+        traceback.print_exc(file=sys.stderr)
+
+
 def create_debug_function(server, db_name, function_name="test_func"):
     try:
         connection = get_db_connection(