From 208aa42fdb9d12904c24e6cdaa04438b953fc1fd Mon Sep 17 00:00:00 2001
From: August Detlefsen <augustd@codemagi.com>
Date: Thu, 20 Feb 2020 11:00:07 -0800
Subject: [PATCH] relax detection regex (#757)

Allow for content before and after the script; Allow optional semicolon
---
 .../java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
index a3a0e9780..5984207fc 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
@@ -45,7 +45,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
                                   @RequestParam Integer QTY4, @RequestParam String field1,
                                   @RequestParam String field2) {
 
-        if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
+        if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
             return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
         }
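Review bot: The relaxed pattern on the added line still relies on `.` without `Pattern.DOTALL`, so a `field2` value that contains a line break is never matched by `String.matches` and skips the wrong-field feedback. `field2.toLowerCase()` also uses the JVM's default locale, which can change how the letters of `script` fold, and the regex is recompiled on every request. Consider a precompiled constant, `private static final Pattern XSS_IN_FIELD2 = Pattern.compile(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?</script>.*", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);`, used as `if (XSS_IN_FIELD2.matcher(field2).matches()) {`. The constant name is only a suggestion, and this needs `java.util.regex.Pattern` imported. The method body continues outside the hunk, so what a non-matching value reaches next is not visible here.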