From 37e9359c9e138a107de2dcd869d2fed2c28fde68 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Fri, 23 Oct 2020 09:47:36 +0200
Subject: [PATCH] #841: Clarify the lesson based on the comments - Output
 messages more clear - Replace success to failure (otherwise lesson is marked
 complete immediately) - Fix the layout of the lesson (remove whitespace
 update buttons)

---
 .../webgoat/xss/CrossSiteScriptingLesson5a.java |  4 ++--
 .../main/resources/html/CrossSiteScripting.html | 17 ++++-------------
 .../resources/i18n/WebGoatLabels.properties     |  6 +++---
 .../en/CrossSiteScripting_content5a.adoc        |  8 ++++----
 4 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
index 5984207fc..33a949f9e 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
@@ -63,7 +63,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
             userSessionData.setValue("xss-reflected1-complete", (Object) "false");
         }
 
-        if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
+        if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\);?|alert\\(.*\\));?<\\/script>")) {
             //return )
             userSessionData.setValue("xss-reflected-5a-complete", "true");
             if (field1.toLowerCase().contains("console.log")) {
@@ -73,7 +73,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
             }
         } else {
             userSessionData.setValue("xss-reflected1-complete", "false");
-            return success(this)
+            return failed(this)
                     .feedback("xss-reflected-5a-failure")
                     .output(cart.toString())
                     .build();
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
index e1f51bffc..f4a037966 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -48,9 +48,8 @@
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="GET" name="xss-5a"
 				  action="/WebGoat/CrossSiteScripting/attack5a">
-				<hr width="90%" />
 				<center>
-					<h1>Shopping Cart</h1>
+					<h4>Shopping Cart</h4>
 				</center>
 				<table width="90%" cellspacing="0" cellpadding="2" border="1"
 					   align="center">
@@ -92,18 +91,9 @@
 					</tr>
 					</tbody>
 				</table>
-				<br />
-				<table width="90%" cellspacing="0" cellpadding="2" border="0"
+				<table width="90%" cellspacing="0" cellpadding="2"
 					   align="center">
 					<tbody>
-					<tr>
-						<td>The total charged to your credit card:</td>
-						<td>$0.00</td>
-						<td><input name="SUBMIT" value="UpdateCart" type="SUBMIT" /></td>
-					</tr>
-					<tr>
-						<td colspan="2">&nbsp;</td>
-					</tr>
 					<tr>
 						<td>Enter your credit card number:</td>
 						<td><input name="field1" value="4128 3214 0002 1999"
@@ -113,8 +103,9 @@
 						<td>Enter your three digit access code:</td>
 						<td><input name="field2" value="111" type="TEXT" /></td>
 					</tr>
+					<br/>
 					<tr>
-						<td colspan="2" align="center"><input name="SUBMIT"
+						<td colspan="3" align="center"><input name="SUBMIT" class="btn btn-primary"
 															  value="Purchase" type="SUBMIT" /></td>
 					</tr>
 					</tbody>
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index d746965dd..91d3fff5b 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -2,10 +2,10 @@
 xss.title=Cross Site Scripting
 xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
-xss-reflected-5a-success-alert=Well done, but alerts are not very impressive are they? Please continue.
-xss-reflected-5a-success-console=Well done, but console logs are not very impressive are they? Please continue.
+xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
+xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
-xss-reflected-5a-failure=Try again. We do want to see this specific JavaScript (in case you are trying to do something more fancy).
+xss-reflected-5a-failure=Try again. We do want to see a specific JavaScript mentioned in the goal of the assignment (in case you are trying to do something fancier).
 xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
 xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
 xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
index 275864255..aaa14f5ca 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc
@@ -1,8 +1,8 @@
-== Try It!   Reflected XSS
+== Try It! Reflected XSS
 
-Identify which field is susceptible to XSS
+The goal of the assignment is to identify which field is susceptible to XSS.
 
-It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
+It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
\ No newline at end of file
+An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
\ No newline at end of file