assignment now has working feedback

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java

@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
-
+import java.io.IOException;
 
 import javax.tools.*;
 import java.io.IOException;
@@ -30,37 +30,38 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
     @RequestMapping(method = RequestMethod.POST)
     @ResponseBody
     public AttackResult completed(@RequestParam String editor) {
-        //https://github.com/OWASP/owasp-java-encoder
+        String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
-        //maybe better idea for assignment
+        try {
-        //<e:forHtml value="${param.title}" />
+            if (editor.isEmpty()) return trackProgress(failed().feedback("xss-mitigation-3-no-code").build());
+            Document doc = Jsoup.parse(unescapedString);
+            String[] lines = unescapedString.split("<html>");
 
-        Document doc = Jsoup.parse(editor);
+            String include = (lines[0]);
-        String[] lines = editor.split(System.getProperty("line.separator"));
+            String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
+            String last_name_element = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
 
-        String include = (lines[0]);
+            Boolean includeCorrect = false;
-        String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
+            Boolean firstNameCorrect = false;
-        String last_name_element = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
+            Boolean lastNameCorrect = false;
 
-        Boolean includeCorrect = false;
+            if (include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")) {
-        Boolean firstNameCorrect = false;
+                includeCorrect = true;
-        Boolean lastNameCorrect = false;
+            }
-        if(include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")){
+            if (first_name_element.equals("${e:forHtml(param.first_name)}")) {
-            includeCorrect = true;
+                firstNameCorrect = true;
-        }
+            }
-        if(first_name_element.equals("${e:forHtml(param.first_name)}")){
+            if (last_name_element.equals("${e:forHtml(param.last_name)}")) {
-            firstNameCorrect = true;
+                lastNameCorrect = true;
-        }
+            }
-        if(last_name_element.equals("${e:forHtml(param.last_name)}")){
-            lastNameCorrect = true;
-        }
 
-        if(includeCorrect && firstNameCorrect && lastNameCorrect){
+            if (includeCorrect && firstNameCorrect && lastNameCorrect) {
-            System.out.println("true");
+                System.out.println("true");
-            return trackProgress(success().feedback("xss-mitigation-3-success").build());
+                return trackProgress(success().feedback("xss-mitigation-3-success").build());
-        } else {
+            } else {
-            System.out.println("false");
+                return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
-            System.out.println(first_name_element + "\n" + last_name_element);
+            }
-            return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
+        }catch(Exception e) {
+            return trackProgress(failed().output(e.getMessage()).build());
         }
     }
 }

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html

@@ -16,55 +16,26 @@
 
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8b.adoc"></div>
-	<div class="attack-container" style="height: 300px; border: none !important">
+	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
-		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
-		<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
 			<div>
-				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
+				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor"></div>
 				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
 				<script th:src="@{/lesson_js/assignment3.js}" type="text/javascript" charset="utf-8"></script>
-				<script>
-                    var editor = ace.edit("editor");
-                    editor.setTheme("ace/theme/monokai");
-                    editor.session.setMode("ace/mode/html");
-                    editor.setValue("<html>\n" +
-                        "\n" +
-                        "<head>\n" +
-                        "    <title>Using GET and POST Method to Read Form Data</title>\n" +
-                        "</head>\n" +
-                        "\n" +
-                        "<body>\n" +
-                        "    <h1>Using POST Method to Read Form Data</h1>\n" +
-                        "    <table>\n" +
-                        "        <tbody>\n" +
-                        "            <tr>\n" +
-                        "                <td><b>First Name:</b></td>\n" +
-                        "                <td>YOUR CODE HERE</td>\n" +
-                        "            </tr>\n" +
-                        "            <tr>\n" +
-                        "                <td><b>Last Name:</b></td>\n" +
-                        "                <td>YOUR CODE HERE</td>\n" +
-                        "            </tr>\n" +
-                        "        </tbody>\n" +
-                        "    </table>\n" +
-                        "</body>\n" +
-                        "\n" +
-                        "</html>\n" +
-						"\n" +
-                    	"\n");
-				</script>
 			</div>
-			<div class="input-group" style="margin-top: 10px">
+			<input type="hidden" name="editor"/>
-				<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
+			<div class="input-group" style="position: absolute; top: 365px;">
+				<button class="btn btn-primary" type="submit">Submit</button>
 			</div>
 		</form>
-		<div class="attack-feedback"></div>
+		<br />
+		<div class="attack-feedback" style="margin-top: 50px;"></div>
 		<div class="attack-output"></div>
 	</div>
-</div>
 
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
 </div>
+</div>
 
 </html>

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -36,3 +36,4 @@ xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
 xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix.
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!
+xss-mitigation-3-no-code=You didn't change anything.

webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js

@@ -1,12 +1,50 @@
+$(document).ready( () => {
+
+    var editor = ace.edit("editor");
+    editor.setTheme("ace/theme/monokai");
+    editor.session.setMode("ace/mode/html");
+
+    editor.getSession().on("change", () => {
+        setTimeout( () => {
+            $("#codesubmit input[name='editor']").val(ace_collect());
+        }, 20);
+    });
+
+    editor.setValue("<html>\n" +
+        "<head>\n" +
+        "    <title>Using GET and POST Method to Read Form Data</title>\n" +
+        "</head>\n" +
+        "<body>\n" +
+        "    <h1>Using POST Method to Read Form Data</h1>\n" +
+        "    <table>\n" +
+        "        <tbody>\n" +
+        "            <tr>\n" +
+        "                <td><b>First Name:</b></td>\n" +
+        "                <td>YOUR CODE HERE</td>\n" +
+        "            </tr>\n" +
+        "            <tr>\n" +
+        "                <td><b>Last Name:</b></td>\n" +
+        "                <td>YOUR CODE HERE</td>\n" +
+        "            </tr>\n" +
+        "        </tbody>\n" +
+        "    </table>\n" +
+        "</body>\n" +
+        "</html>\n" +
+        "\n" +
+        "\n");
+
+});
+
+
+
 function ace_collect() {
     let code = "";
-    code = editor.getSession().getValue();
+
-    $.ajax({
+    $(".ace_xml").each(function(i, el) {
-        type: "POST",
+        var to_add = el.innerHTML;
-        url: "/WebGoat/CrossSiteScripting/attack3",
+        code += to_add;
-        dataType: "text",
-        data: {
-            editor: code
-        }
     });
+    console.log("+ "+editor.toString());
+    console.log("code:  "+code);
+    return code;
 }