Lab - DOM-based cross-site scripting: Java Source produces XSS alert #38

webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java

@@ -30,9 +30,7 @@
  */
 package org.owasp.webgoat.service;
 
-import javax.servlet.http.HttpSession;
+import org.apache.commons.lang3.StringEscapeUtils;
-import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
-import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
@@ -40,6 +38,11 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpSession;
+
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+
 /**
  *
  * @author rlawson
@@ -61,10 +64,7 @@ public class SourceService extends BaseService {
         if (source == null) {
             source = "No source listing found";
         }
-        return source;
+        return StringEscapeUtils.escapeHtml4(source);
-        //SourceListing sl = new SourceListing();
-        //sl.setSource(source);
-        //return sl;
     }
 
     /**