From 13e3bb87c43a9935438ccdd4b476ee42a2359977 Mon Sep 17 00:00:00 2001
From: Jason White <jsnsotheracct@gmail.com>
Date: Fri, 19 Sep 2014 15:37:45 -0600
Subject: [PATCH] Update for WEB-69. Fix for JSONInjection lesson. Stub in
 javascript for CSRF lesson update/fix

---
 src/main/java/org/owasp/webgoat/lessons/JSONInjection.java | 6 +++---
 src/main/webapp/WEB-INF/pages/main_new.jsp                 | 4 ++--
 src/main/webapp/js/goatControllers.js                      | 4 +++-
 src/main/webapp/js/goatUtil.js                             | 3 +++
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/JSONInjection.java b/src/main/java/org/owasp/webgoat/lessons/JSONInjection.java
index 4eeee5fe8..267c2a335 100644
--- a/src/main/java/org/owasp/webgoat/lessons/JSONInjection.java
+++ b/src/main/java/org/owasp/webgoat/lessons/JSONInjection.java
@@ -106,7 +106,7 @@ public class JSONInjection extends LessonAdapter
     protected Element createContent(WebSession s)
     {
         ElementContainer ec = new ElementContainer();
-        String lineSep = System.getProperty("line.separator");
+        String lineSep = System.getProperty("line.separator"); 
         String script = "<script>"
                 + lineSep
                 + "function getFlights() {"
@@ -192,11 +192,11 @@ public class JSONInjection extends LessonAdapter
 
                 "function check(){"
                 + lineSep
-                + " if ( document.getElementById('radio0').checked  )"
+                + " if ( document.getElementById('radio0') && document.getElementById('radio0').checked  )"
                 + lineSep
                 + " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}"
                 + lineSep
-                + " else if ( document.getElementById('radio1').checked  )"
+                + " else if ( document.getElementById('radio1') && document.getElementById('radio1').checked  )"
                 + lineSep
                 + " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}"
                 + lineSep + " else " + lineSep + " { alert('Please choose one flight'); return false;}" + lineSep + "}"
diff --git a/src/main/webapp/WEB-INF/pages/main_new.jsp b/src/main/webapp/WEB-INF/pages/main_new.jsp
index a6efc5aa6..5b2c3e2c8 100644
--- a/src/main/webapp/WEB-INF/pages/main_new.jsp
+++ b/src/main/webapp/WEB-INF/pages/main_new.jsp
@@ -148,8 +148,8 @@
                                             <span class="glyphicon-class glyphicon glyphicon-circle-arrow-left" id="showPrevHintBtn" ng-click="viewPrevHint()"></span>
                                             <span class="glyphicon-class glyphicon glyphicon-circle-arrow-right" id="showNextHintBtn" ng-click="viewNextHint()"></span>
                                             <br/>
-                                            
-                                            <span id="curHintContainer"></span><!--{{curHint}}-->
+                                            <span bind-html-unsafe="curHint"></span>
+                                            <!--<span id="curHintContainer"></span>-->
                                         </div>                                    
                                     </div>
                                 </div>
diff --git a/src/main/webapp/js/goatControllers.js b/src/main/webapp/js/goatControllers.js
index 2cb5ea69f..4d1f89336 100644
--- a/src/main/webapp/js/goatControllers.js
+++ b/src/main/webapp/js/goatControllers.js
@@ -82,10 +82,12 @@ var goatMenu = function($scope, $http, $modal, $log, $templateCache) {
 			    $("#lessonTitle").text(reply.data);
 		    }
 		);
+		//TODO encode html or get angular js portion working
 		$("#lesson_content").html(reply.data);
 		//hook forms
 		goat.utils.makeFormsAjax();
 		$('#leftside-navigation').height($('#main-content').height()+15)//TODO: get ride of fixed value (15)here
+		//notifies goatLesson Controller of the less change
 		$scope.$emit('lessonUpdate',{params:curScope.parameters});
 	    }
 	)
@@ -207,7 +209,7 @@ var goatLesson = function($scope,$http,$log) {
         $scope.curHint = $scope.hints[$scope.hintIndex].hint;
 	//$scope.curHint = $sce.trustAsHtml($scope.hints[$scope.hintIndex].hint);
 	//TODO get html binding workin in the UI ... in the meantime ...
-	$scope.renderCurHint();
+	//$scope.renderCurHint();
         $scope.manageHintButtons();
     };
 
diff --git a/src/main/webapp/js/goatUtil.js b/src/main/webapp/js/goatUtil.js
index e8a551fb6..cfba7c35a 100644
--- a/src/main/webapp/js/goatUtil.js
+++ b/src/main/webapp/js/goatUtil.js
@@ -90,6 +90,9 @@ goat.utils = {
     },
     makeId: function (lessonName) {
         return lessonName.replace(/\s|\(|\)|\!|\:|\;|\@|\#|\$|\%|\^|\&|\*/g,'');//TODO move the replace routine into util function
+    },
+    ajaxifyAttackHREF: function () {
+        // stub for dealing with CSRF lesson link issues and other similar issues
     }
 };