diff --git a/webgoat-lessons/cia/src/main/resources/js/questions_cia.json b/webgoat-lessons/cia/src/main/resources/js/questions_cia.json
index 59272ee59..4c43fae60 100644
--- a/webgoat-lessons/cia/src/main/resources/js/questions_cia.json
+++ b/webgoat-lessons/cia/src/main/resources/js/questions_cia.json
@@ -29,7 +29,7 @@
       "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
       "2": "The systems security is compromised even if only one goal is harmed.",
       "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
-      "4": "It shouldn't be possible for an attacker to change data or make it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
+      "4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
     }
   }]
 }
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
index e88a26f0f..18946e22c 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
@@ -58,9 +58,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 	public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
 												@RequestParam Integer QTY2, @RequestParam Integer QTY3,
 												@RequestParam Integer QTY4, @RequestParam String field1,
-												@RequestParam Integer field2, HttpServletRequest request)
+												@RequestParam String field2, HttpServletRequest request)
 			throws IOException {
 
+		if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
+			return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
+		}
+
 		double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
 
 		userSessionData.setValue("xss-reflected1-complete",(Object)"false");
@@ -75,13 +79,14 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 			userSessionData.setValue("xss-reflected1-complete",(Object)"false");
 		}
 
-		if (field1.toLowerCase().contains("<script>alert('my javascript here')</script>")) {
+		if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
 			//return trackProgress()
 			userSessionData.setValue("xss-reflected-5a-complete","true");
-			return trackProgress(success()
-					.feedback("xss-reflected-5a-success")
-					.output(cart.toString())
-					.build());
+			if(field1.toLowerCase().contains("console.log")) {
+				return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
+			} else {
+				return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
+			}
 		} else {
 			userSessionData.setValue("xss-reflected1-complete","false");
 			return trackProgress(success()
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
index b22d09d37..07ae1ad20 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java
@@ -55,7 +55,7 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
     public @ResponseBody
     AttackResult completed(@RequestParam String DOMTestRoute)  throws IOException {
 
-        if (DOMTestRoute.equals("start.mvc#test/")) {
+        if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
             //return trackProgress()
             return trackProgress(success().feedback("xss-reflected-6a-success").build());
         } else {
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
index 6c4d87ff7..0e2f2c676 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -99,28 +99,28 @@
 							Cherry</td>
 						<td align="right">69.99</td>
 						<td align="right"><input size="6" value="1" name="QTY1"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>Dynex - Traditional Notebook Case</td>
 						<td align="right">27.99</td>
 						<td align="right"><input size="6" value="1" name="QTY2"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>Hewlett-Packard - Pavilion Notebook with Intel Centrino</td>
 						<td align="right">1599.99</td>
 						<td align="right"><input size="6" value="1" name="QTY3"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>3 - Year Performance Service Plan $1000 and Over</td>
 						<td align="right">299.99</td>
 						<td align="right"><input size="6" value="1" name="QTY4"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					</tbody>
@@ -152,7 +152,6 @@
 					</tr>
 					</tbody>
 				</table>
-				<br />
 				<hr width="90%"/>
 			</form>
 		</div>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 940c79523..288952150 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,7 +2,9 @@
 xss.title=Cross Site Scripting
 xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
-xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-success-alert=Well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-success-console=Well done, but console logs aren't very impressive are they? Please continue.
+xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
 xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
 xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
 xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
index 795e3e450..275864255 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
@@ -5,4 +5,4 @@ Identify which field is susceptible to XSS
 It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-Make sure to include in your attack payload "<script>alert('my javascript here')</script>".
\ No newline at end of file
+An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
\ No newline at end of file