diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java
index cc59e9ce5..bae54a182 100644
--- a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java
+++ b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java
@@ -74,15 +74,25 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest {
results.andExpect(jsonPath("$.lessonCompleted",CoreMatchers.is(false)));
}
+ /* For the next two tests there is a comment seeded ...
+ comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "Comment for Unit Testing"));
+ ... the isEncoded method will remain commented out as it will fail (because WebGoat isn't supposed to be secure)
+ */
+
+ //Ensures it is vulnerable
@Test
- public void isNotEncoded() {
- assert true;
- //TODO: get around to this
+ public void isNotEncoded() throws Exception {
+ //do get to get comments after posting xss payload
+ ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+ taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString(""))));
}
- @Test
- public void isEncoded() {
- assert true;
- //TODO: get around to this
- }
+
+ //Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test
+// @Test
+// public void isEncoded() throws Exception {
+// //do get to get comments after posting xss payload
+// ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+// taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("<scriptgt;"))));
+// }
}
\ No newline at end of file
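Review bot: The assertion in the new isNotEncoded body, `CoreMatchers.containsString("")`, is satisfied by every string, so the test can never fail and does not establish the "Ensures it is vulnerable" claim made in the comment above it; the GET is also performed without the POST that the inline comment "after posting xss payload" refers to, so it can only ever see the seeded "Comment for Unit Testing" text. To make it meaningful, post a comment containing a markup character first and then assert the returned text still holds that character verbatim, e.g. `taintedResults.andExpect(jsonPath("$[0].text", CoreMatchers.containsString("<")));`, with the complementary encoded form `CoreMatchers.containsString("&lt;")` as the expectation in the commented-out isEncoded test. Relatedly, the literal `"<scriptgt;"` in the commented-out isEncoded mixes a raw `<` with a bare `gt;` entity fragment, so it would not match an HTML-encoded body (`&lt;script&gt;`) and that test would fail even against a correct encoder; it appears to be a typo. Whether `$[0]` is the most recently posted comment depends on the endpoint's ordering, which is not visible in this hunk.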