cleaning up a bit

git-svn-id: http://webgoat.googlecode.com/svn/trunk@255 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java

@@ -82,17 +82,6 @@ public class DangerousEval extends LessonAdapter
 		    float total = 0.0f;
 		    float runningTotal = 0.0f;
 	
-		    // test input field1
-		    if (!pattern1.matcher(param1).matches())
-		    {
-				if (param1.toLowerCase().indexOf("script") != -1)
-				{
-				    //makeSuccess(s);
-				}
-		
-				s.setMessage("Whoops! You entered " + HtmlEncoder.encode(param1) + " instead of your three digit code.  Please try again.");
-		    }
-	
 		    // FIXME: encode output of field2, then s.setMessage( field2 );
 		    ec.addElement("<script src=\"javascript/eval.js\"/>");
 		    ec.addElement(new HR().setWidth("90%"));

webgoat/main/project/WebContent/javascript/clientSideFiltering.js

@@ -55,7 +55,7 @@ function ajaxFunction(userId)
       var result = xmlHttp.responseText;
       if(xmlHttp.readyState==4)
         {
-        	document.getElementById("hiddenEmployeeRecords").innerHTML=result 
+        	document.getElementById("hiddenEmployeeRecords").innerHTML=result; 
         	
         }
       }

webgoat/main/project/WebContent/javascript/eval.js

@@ -36,7 +36,15 @@ function makeXHR(method, url, parameters) {
       			//alert('status: ' + status);
       			//alert('responseText: ' + responseText);
       			
-      			eval(http_request.responseText);
+      			eval(http_request.responseText);      			
+		
+      			if(responseText.indexOf("');") != -1 
+	      			&& responseText.indexOf("alert") != -1 
+	      			&& responseText.indexOf("document.cookie") != -1){
+	      			
+	      			document.form.submit();
+      			}
+      			
       		}
       };