(wrong branch) updated assignment (OWASP Java Encoder) and hints (still not shown)

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java

@@ -1,6 +1,10 @@
 package org.owasp.webgoat.plugin.mitigation;
 
 
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.nodes.Element;
+import org.jsoup.select.Elements;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
@@ -30,32 +34,32 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
         //maybe better idea for assignment
         //<e:forHtml value="${param.title}" />
 
-        String line1 ="";
+        Document doc = Jsoup.parse(editor);
-        String line2 ="";
-
         String[] lines = editor.split(System.getProperty("line.separator"));
-        for (int i = 0; i < lines.length; i++) {
+
-            if(lines[i].contains("First Name")){
+        String include = (lines[0]);
-                line1 = lines[i+1].replace("                <td>","").replace("</td>","");
+        String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
-            } else if (lines[i].contains("Last Name")){
+        String last_name_element = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
-                line2 = lines[i+1].replace("                <td>", "").replace("</td>", "");
+
+        Boolean includeCorrect = false;
+        Boolean firstNameCorrect = false;
+        Boolean lastNameCorrect = false;
+        if(include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")){
+            includeCorrect = true;
         }
+        if(first_name_element.equals("${e:forHtml(param.first_name)}")){
+            firstNameCorrect = true;
+        }
+        if(last_name_element.equals("${e:forHtml(param.last_name)}")){
+            lastNameCorrect = true;
         }
 
-        //<c:out value="${first_name/last_name}" escapeXml="true"/>
+        if(includeCorrect && firstNameCorrect && lastNameCorrect){
-        //or
-        //${fn:escapeXml("param.first_name/last_name")}
-
-        if((line1.equals("<c:out value=\"${first_name}\" escapeXml=\"true\"/>") || line1.equals("<c:out escapeXml=\"true\" value=\"${first_name}\"/>"))
-                && (line2.equals("<c:out value=\"${last_name}\" escapeXml=\"true\"/>")) || line2.equals("<c:out escapeXml=\"true\" value=\"${last_name}\" />")){
-            System.out.println("true");
-            return trackProgress(success().feedback("xss-mitigation-3-success").build());
-        } else if(line1.equals("${fn:escapeXml(\"param.first_name\")}") && line2.equals("${fn:escapeXml(\"param.last_name\")}")){
             System.out.println("true");
             return trackProgress(success().feedback("xss-mitigation-3-success").build());
         } else {
             System.out.println("false");
-            System.out.println(line1 + "\n" + line2);
+            System.out.println(first_name_element + "\n" + last_name_element);
             return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
         }
     }

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html

@@ -49,7 +49,9 @@
                         "    </table>\n" +
                         "</body>\n" +
                         "\n" +
-                        "</html>\n");
+                        "</html>\n" +
+						"\n" +
+                    	"\n");
 				</script>
 			</div>
 			<div class="input-group" style="margin-top: 10px">

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -30,9 +30,9 @@ xss-stored-comment-success=It appears your payload should invoke the function. T
 xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
 xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
 xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
-xss-mitigation-3-hint1=You don't store the user input in this example. Try to html entity escape the user input right before you it into the HTML element.
+xss-mitigation-3-hint1=You don't store the user input in this example. Try to encode the user's input right before you place it into the HTML document.
-xss-mitigation-3-hint2=Use JavaServer Pages Standard Tag Library (JSTL) tags or Unified Expression Language
+xss-mitigation-3-hint2=Make use of JavaServer Pages Standard Tag Library (JSTL) and JSP Expression Language.
-xss-mitigation-3-hint3=You don't have to import the libs. (<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %> and <%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %> already included in this example)
+xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
-xss-mitigation-3-hint4=Have you ever heard of escapeXml? Ask the web.
+xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix.
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!

webgoat-lessons/pom.xml

@@ -97,6 +97,12 @@
             <artifactId>xstream</artifactId>
             <version>1.4.7</version>
         </dependency>
+        <dependency>
+            <!-- jsoup HTML parser library @ https://jsoup.org/ -->
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.11.3</version>
+        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>