From 4a061f61a6810d208d096ad130dd4b87c073fc3a Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 4 May 2017 02:25:56 +0200
Subject: [PATCH] Integrated XXE assigment from CTF to XXE lesson
---
 .../plugin/BlindSendFileAssignment.java | 4 +-
 .../org/owasp/webgoat/plugin/Comment.java | 23 +++++
 .../org/owasp/webgoat/plugin/Comments.java | 90 +++++++++++++++++
 .../webgoat/plugin/ContentTypeAssignment.java | 17 +---
 .../org/owasp/webgoat/plugin/SimpleXXE.java | 79 +++++++++------
 .../xxe/src/main/resources/css/xxe.css | 75 ++++++++++++++
 .../xxe/src/main/resources/html/XXE.html | 92 +++++++++---------
 .../xxe/src/main/resources/images/cat.jpg | Bin 0 -> 9095 bytes
 .../xxe/src/main/resources/js/xxe.js | 61 +++++++++---
 .../resources/lessonPlans/en/XXE_simple.adoc | 4 +-
 10 files changed, 333 insertions(+), 112 deletions(-)
 create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comment.java
 create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
 create mode 100644 webgoat-lessons/xxe/src/main/resources/css/xxe.css
 create mode 100644 webgoat-lessons/xxe/src/main/resources/images/cat.jpg
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
index 69b0e8e1c..1896cad1f 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@@ -22,8 +22,6 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.List;
-import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
-
 /**
 * ************************************************************************************************
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -75,7 +73,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
 public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
 String error = "Parsing successful contents not send to server";
 try {
- parseXml(userInfo);
+ //parseXml(userInfo);
 } catch (Exception e) {
 error = ExceptionUtils.getFullStackTrace(e);
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comment.java
new file mode 100644
index 000000000..bce74cc40
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comment.java
@@ -0,0 +1,23 @@
+package org.owasp.webgoat.plugin;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@Getter
+@Setter
+@AllArgsConstructor
+@NoArgsConstructor
+@XmlRootElement
+public class Comment {
+ private String user;
+ private String dateTime;
+ private String text;
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
new file mode 100644
index 000000000..22ba7cf72
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
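Review bot: With `parseXml(userInfo)` commented out, createNewUser parses nothing, so `error` keeps its initial "Parsing successful contents not send to server" text on every request and the blind assignment can no longer be attempted; ContentTypeAssignment has the same problem in its second hunk, where `// user = parseXml(userInfo);` and the `// if (checkSolution(user))` block are commented out and that method can only return a failed result. The parser now lives in Comments.parseXml, so the fix is to inject the bean and call it, `@Autowired private Comments comments;` and `comments.parseXml(userInfo);`, or to retire the assignment outright rather than leave commented-out calls behind. For ContentTypeAssignment the User-based checkSolution would also need a replacement, since the new parseXml returns a Comment. createNewUser continues past the end of this hunk.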
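Review bot: Comment carries only `@author`/`@since` tags and no description of what it represents or which code binds it. A one-line class Javadoc would save the reader a trip through Comments, e.g. `/** A comment on the lesson photo; populated from JSON by Jackson and from XML by JAXB (see Comments.parseJson/parseXml). */`. The lombok `@NoArgsConstructor` is what makes the `@XmlRootElement` JAXB binding possible, which is worth a short remark on that annotation so it is not removed as unused.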
@@ -0,0 +1,90 @@
+package org.owasp.webgoat.plugin;
+
+import com.beust.jcommander.internal.Lists;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.EvictingQueue;
+import com.google.common.collect.Maps;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Scope;
+import org.springframework.stereotype.Component;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.Collection;
+import java.util.Map;
+
+/**
+ * @author nbaars
+ * @since 5/3/17.
+ */
+@Component
+@Scope("singleton")
+public class Comments {
+
+ @Autowired
+ protected WebSession webSession;
+
+ protected static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+
+ private static final Map> userComments = Maps.newHashMap();
+ private static final EvictingQueue comments = EvictingQueue.create(100);
+
+ static {
+ comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
+ comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
+ comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! 
:-).")); }
+
+ protected Collection getComments() {
+ Collection allComments = Lists.newArrayList();
+ Collection xmlComments = userComments.get(webSession.getUserName());
+ if (xmlComments != null) {
+ allComments.addAll(xmlComments);
+ }
+ allComments.addAll(comments);
+ return allComments;
+ }
+
+ protected Comment parseXml(String xml) throws Exception {
+ JAXBContext jc = JAXBContext.newInstance(Comment.class);
+
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
+ xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
+
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
+ XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
+
+ Unmarshaller unmarshaller = jc.createUnmarshaller();
+ return (Comment) unmarshaller.unmarshal(xsr);
+ }
+
+ protected Comment parseJson(String comment) {
+ ObjectMapper mapper = new ObjectMapper();
+ try {
+ return mapper.readValue(comment, Comment.class);
+ } catch (IOException e) {
+ return new Comment();
+ }
+ }
+
+ public void addComment(Comment comment, boolean visibleForAllUsers) {
+ comment.setDateTime(DateTime.now().toString(fmt));
+ comment.setUser(webSession.getUserName());
+ if (visibleForAllUsers) {
+ comments.add(comment);
+ } else {
+ EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
+ comments.add(comment);
+ userComments.put(webSession.getUserName(), comments);
+ }
+ }
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
index 0b2fa3611..be850944e 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
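Review bot: In addComment the local `EvictingQueue comments` in the `else` branch shadows the static `comments` field declared above, so the branch reads as if it wrote to the shared queue; rename it, `EvictingQueue<Comment> userQueue = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));`, `userQueue.add(comment);`, `userComments.put(webSession.getUserName(), userQueue);`. parseJson swallows the IOException and hands back an empty Comment whose `text` is null, which hides a malformed request from the caller; let the exception propagate as parseXml does, or at least log it before returning. parseXml enables DTDs and external entities on purpose because it is this lesson's XXE sink, and that intent should be written on the method so nobody hardens or copies it by accident, e.g. `// Intentionally insecure parser settings: this is the XXE lesson's vulnerable sink, do not reuse elsewhere.`. The static `userComments` HashMap and the EvictingQueue instances are mutated from request threads of a singleton without any synchronization, so concurrent posts can race; a `ConcurrentHashMap` with `computeIfAbsent` and a synchronized queue would be safer, though I cannot see from this hunk whether WebGoat serializes requests per user.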
@@ -6,17 +6,10 @@ import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import java.io.IOException;
-import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution;
-import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
-
 /**
 * ************************************************************************************************
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -60,13 +53,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
 attackResult = failed().feedback("xxe.content.type.feedback.json").build();
 }
 if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
- user = parseXml(userInfo);
+ // user = parseXml(userInfo);
 attackResult = failed().feedback("xxe.content.type.feedback.xml").build();
 }
- if (checkSolution(user)) {
- attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
- }
+// if (checkSolution(user)) {
+// attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
+// }
 return attackResult;
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
index eff49b9d3..d5c6b6a82 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
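Review bot: The five explicit `org.springframework.web.bind.annotation` imports are collapsed into `import org.springframework.web.bind.annotation.*;`, a wildcard the rest of this module avoids (SimpleXXE keeps explicit imports in the very same commit). Keep the explicit `RequestBody`, `RequestHeader`, `RequestMapping`, `RequestMethod` and `ResponseBody` imports so the class's dependencies stay visible and a future annotation with a clashing simple name cannot silently change which one is picked.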
@@ -5,17 +5,21 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamReader;
-import java.io.StringReader;
+import java.util.Collection;
+
+import static org.springframework.http.MediaType.ALL_VALUE;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
 /**
 * ************************************************************************************************
@@ -46,47 +50,58 @@ import java.io.StringReader;
 * @version $Id: $Id
 * @since November 17, 2016
 */
-@AssignmentPath("XXE/simple")
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@AssignmentPath("xxe/simple")
 @AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
 public class SimpleXXE extends AssignmentEndpoint {
 private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
 private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
- @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+ @Value("${webgoat.server.directory}")
+ private String webGoatHomeDirectory;
+ @Autowired
+ private WebSession webSession;
+ @Autowired
+ private Comments comments;
+
+ @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
- public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
- User user = parseXml(userInfo);
- if (checkSolution(user)) {
- return trackProgress(success()
- .output("xxe.simple.output")
- .outputArgs(user.getUsername()).build());
+ public Collection retrieveComments() {
+ return comments.getComments();
+ }
+
+ @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
+ @ResponseBody
+ public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+ Comment comment = null;
+ if (APPLICATION_JSON_VALUE.equals(contentType)) {
+ comment = comments.parseJson(commentStr);
+ comments.addComment(comment, true);
+ }
+ if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+ //Do not show these comments to all users
+ comment = comments.parseXml(commentStr);
+ comments.addComment(comment, false);
+ }
+ if (checkSolution(comment)) {
+ return trackProgress(success()
+ .output("xxe.simple.output")
+ 
.outputArgs(webSession.getUserName()).build());
 }
 return trackProgress(failed().build());
 }
- public static User parseXml(String xml) throws Exception {
- JAXBContext jc = JAXBContext.newInstance(User.class);
-
- XMLInputFactory xif = XMLInputFactory.newFactory();
- xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
- xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
-
- xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
- XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
-
- Unmarshaller unmarshaller = jc.createUnmarshaller();
- return (User) unmarshaller.unmarshal(xsr);
- }
-
- public static boolean checkSolution(User userInfo) {
+ private boolean checkSolution(Comment comment) {
 String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
 boolean success = true;
 for (String directory : directoriesToCheck) {
- success &= userInfo.getUsername().contains(directory);
+ success &= comment.getText().contains(directory);
 }
 return success;
 }
-
-
 }
diff --git a/webgoat-lessons/xxe/src/main/resources/css/xxe.css b/webgoat-lessons/xxe/src/main/resources/css/xxe.css
new file mode 100644
index 000000000..3bc2ca4eb
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/resources/css/xxe.css
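Review bot: checkSolution dereferences `comment.getText()`, but createNewComment hands it a `null` comment whenever the Content-Type header is neither exactly `application/json` nor `application/xml` (the mapping consumes ALL_VALUE, and a header such as `application/json;charset=UTF-8` fails the `equals` test), and Comments.parseJson returns an empty Comment with a null `text` on malformed JSON, so both paths end in a NullPointerException and a 500 instead of a failed attempt. Guard at the top of checkSolution, `if (comment == null || comment.getText() == null) { return false; }`, and consider comparing media types with `MediaType.parseMediaType(contentType).isCompatibleWith(...)` rather than string equality. The class now has two stacked Javadoc blocks, the original one ending with `@since November 17, 2016` directly followed by the new `@author nbaars` block, so the first is orphaned and should be merged into the second. retrieveComments uses `MediaType.APPLICATION_JSON_VALUE` while createNewComment uses the static import `APPLICATION_JSON_VALUE`; pick one form. `webGoatHomeDirectory` is injected but appears unused within this hunk, so it may be leftover from the CTF version.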
@@ -0,0 +1,75 @@ +/* Component: Posts */ +.post .post-heading { + height: 95px; + padding: 20px 15px; +} +.post .post-heading .avatar { + width: 60px; + height: 60px; + display: block; + margin-right: 15px; +} +.post .post-heading .meta .title { + margin-bottom: 0; +} +.post .post-heading .meta .title a { + color: black; +} +.post .post-heading .meta .title a:hover { + color: #aaaaaa; +} +.post .post-heading .meta .time { + margin-top: 8px; + color: #999; +} +.post .post-image .image { + width:20%; + height: 40%; +} +.post .post-description { + padding: 5px; +} +.post .post-footer { + border-top: 1px solid #ddd; + padding: 15px; +} +.post .post-footer .input-group-addon a { + color: #454545; +} +.post .post-footer .comments-list { + padding: 0; + margin-top: 20px; + list-style-type: none; +} +.post .post-footer .comments-list .comment { + display: block; + width: 100%; + margin: 20px 0; +} +.post .post-footer .comments-list .comment .avatar { + width: 35px; + height: 35px; +} +.post .post-footer .comments-list .comment .comment-heading { + display: block; + width: 100%; +} +.post .post-footer .comments-list .comment .comment-heading .user { + font-size: 14px; + font-weight: bold; + display: inline; + margin-top: 0; + margin-right: 10px; +} +.post .post-footer .comments-list .comment .comment-heading .time { + font-size: 12px; + color: #aaa; + margin-top: 0; + display: inline; +} +.post .post-footer .comments-list .comment .comment-body { + margin-left: 50px; +} +.post .post-footer .comments-list .comment > .comments-list { + margin-left: 50px; +} \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html index 831d55cdc..7d79b58d3 100644 --- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html +++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html @@ -1,5 +1,8 @@ + + +
-
- +
- - - - -
- -
- Registration form - - - - - - - - - - - - - - - - - - -
Username
E-mail
Password
-
-
- -
-
+ +
+
+
+
+ user profile image +
+
+
+ John Doe + uploaded a photo. +
+
24 days ago
+
+
+ +
+ image post +
+ +
+ +
+
- -
+
+ +
+
+
- -
-
-
@@ -77,8 +79,6 @@
-
Registration form @@ -137,8 +137,6 @@ -
Registration form 
diff --git a/webgoat-lessons/xxe/src/main/resources/images/cat.jpg b/webgoat-lessons/xxe/src/main/resources/images/cat.jpg new file mode 100644 index 0000000000000000000000000000000000000000..e0e1fb983d4a3215381a3373fe69b02d5ee3a73f GIT binary patch literal 9095 zcmb7pS5OmN)NSZRYCs6Rm{3FSB1k7dXdxnm-m6FxlwLybq4yR*s&oNCrAjZMDDcri zh)5L$MDX|CnSbWK-hE!qoV91|ea@VRHGBR2@^=$Jr>mu-1t1^*00{mqz~5B>8bCox z24n!)Hdh>ev)fSZF2!okYSE5QR16c!Z~1#wBq zONqz{h=>XkP*PITP}8u|(XonfaBzwIe}u4zu!xA<-;V%#aspz&01*K%fRLVmh@Rl@ z5PDr`7)rLI42~2`Mod`9IW{4nROiL`+UZLQG0bLH#d=@-1y*BZ4gYJ0Q>#JtWHU^j1+Yas1%SkZ+`} z4wR^Ppjnl8WKad-Y(~PDCqMoG+ST8<(8H;dD@ZQimeEyEO8y;b*sRzZXO)@T;N!Hm z3fqs;IT_VfNhjDK^LxPysl$PFB_4Hit40OWA-+&qfb6UFH1KP5+$Ho-eJ=IxiBEV+ z(2LU;prM>bC%upfxhgi`Y~D4UBIndX;$4<5n!Uo&Jk^gyN&+UG zdl!Y|*Ca~TO##Lwxd8{Nb#!R%Kh#CaRhgt??mZ{I`c!*Z^4bi-#xy;NJ`!oIYAjt> z%alCV_l7=tU@6h9e22S{`wisyGz%tM^++BK(#$!PK8es?jZ1n(Q)NeNCo+ z=*1yZ%@@eZg)hCcnu)CcoCMFZs_d&oz-I^`Nb}Fri*D^CYNo*WjE4|~*H_vN9xcI7_2)qGCWHy{w1>n;0Qx9t{Z_m8I9 zc$Z=pHwAlHVw#jAt`-!3nf;9^MVIy)=0EV~_2HHg@ePNSZs(5W>Z$f|I4)C!LMTWY z4L2o|lI$(JdV@cf0DkX(4Z!0$fYE+0zuY!_yDb>wgRer{CwiT^*C0vb$e~QjPN(j? 
zw$Ca0ZIzmnrOudqzp4rN>KI?GuC=Yq?Lg%udEwUE?_Ls6TZ(a6)Jc7(g%V~;7M@k^ zo)=L?SQn#{2a|d2P34e=wc9=O!6Uv8u=EBGko&}vR4N6O1H92((+plGy=9SCgB0}3 z2^xMxcm@daq%)zdk_EOyNqBa48sZ(pb2IMlEJI1EvzvR39sd`gY}&HC_t z(eE!n3-uRpJ;L_A+}SizDz6*9_ZLu4LNsocRBVL9eC3CUo@*aw;yBbQP>>0-jBfUx zH&}XyS%foTjL?&`XTGP**=pjYxrtR^XB~CufxO}G#O1MN{uJ>q8 zOq&P+mESAJj6Y=~7W#PN)pqv1!UW4z-rTm{dr;n=E1i_o1WhY$vcWP@zNV#fE8y%F zuC`@3{J+N$b%5s`EKfZH{L==NxP5`n@jqT@V?*m^)EaPv$n3D@B68_vgSD(z;}IJh z0((Dh+~Uf%&d?_0Sh;bKw^zt}LWOVB_kV0Gqoce}J`_n*bKH4HilBi&mD@cU5_`En zcj68o(i3_p2ve_&n7c}TtDzsdjGlzBB7%=Lfr?x6IB?W!_@m%G8d{n^JQCySPhVZG zOBk_D#Eo;L*hZ`!(&YZOgV_qhc;dYSmv}T|pI&u41VeZWKPb)NGB*6<2rG-Mf3vFd zjfu$U0yF!0#4e&_b=<*Od=>8x#Ad?Ha!x|G?Z!Rc#fn>mYehIhnzE9*0R4G(hG^R6 zap&do7LRClIfs#l1YzP)h37}HblsdqUxx*DL>LFx3^+mR6~j>GYRbiaXHJuswfmg~{wApeJS_x@y`(>J<| z(onlhiMJttY^|=}Kh6T=NO{XU5XFtWH@c|OdS<+Bmu21^xI~G05dG&;jeB0X`y`gH zZ;MtnEreIKzxq+Pv)$N9>;cu~{0t9GL4m{BpK=5}S$HmvQFDpWP}Phq^gJ5SM;i`u z97<5^DV=8eTyEMopO!;+sYx650LK#XY2g~=lOpjW*1`1lPTBkDJ--9HYx6|cj4R@#KFG*i zkpG2MWnoH6V}V~VbupwGrFnAG?PSY!WW+G8;D0xi&DC>r z)X~Fyd;CKBOd4y~7?3?>j+)5am7}5WYtB2p#a zH%XR%FUx69ph_i?o@TCQF!k5;zNgN^IT`0VM4F_7Nxkf=1pVhvA4H#vvwo;V5WOaI z5$lo81(8n7dnbo<&lp#O?&5{tE451~C>~!A=u{v5A*L8<9I}Jw@7#}1y%PstcDXD8 zpA4qq7(zYvfEe0LwfLrb@AH^@&b!{X*BViUx3ozbZd@e>r>;g}*E?GAMiJ}=pqKq? 
zgSm!}xM_Y5#yIT{u*as;e46K&#e^v>s0i4hUiteFV{G2DRZJFtA|NK?(ngc`oTTua z1m+r@8F6s8D0ZDqf_8CjQI3;fc?Y=FAd*TVwTgZLVC)})L z;wB;{EE%#G1T#k*u~Kuejuyr+YvCtdW-{{q|qaQid=q!@I$0 zbi8*+wC|7D?vFp6AEg>EJI%FKljVwdu%xp)WDHQ7_?8-QsnTG~d$wWc10tFAnK8~R zzE@55+VLcR%BPdt5}TG19op2shEy6Htkhb>zu}6+LOrhMhomjQUl8J@a>Zi~Uy02Q z3a!vF;4yf|9f^LQj8dR4J%YOR`wmp%`V%@ zM?gq-VzDbM_xQh@2-Qo~K#^EWpFK8n*{mvV`8}3CNJCvthc(R3cml1MT}dT}<7&6i zT$LWkj2KLSDmi@Gb-lsiu+_icv}X3VO)B5{e8(g{bCb(B7Usnea5&7oc#BwcBK7Qe z)N0=RAda5)Q`UvGrMZeNt{?;PNn)eMPW6w8ph?8y)mVxn({$ z+)}xv-(|kqs=@dXeLQV%GMPP>>pi<+Rh2ozrjQh=I2AnA9X*RKQ)z{jCg%$p_r)#j@a!h`-GIT!# zp>hTAMkl-YTW44%M7o+Vy*4Fg*Lp;3F*T2K5xTe$LN+X9 z*OKP>)qqyna4!PN5v7GYrB!xHHnA30X;|xoAcgQ$|ICqZcTVNPPt)HlqnyMd{h9X6 z6zg&Xw8bJ$v9SDTZly4nWHZBAQ#5j%KM^LqOEl~|i=9(Rr6dvCp+#A5>wOy}*kV26 z;Hlz%PP=0^Ztk>>(p1_WtQ|vpJ);0Xnn9YI$%{GodM)Fe4m@G)C~E#VdGUOWbyc%$ zQ+*_8gYUZREXCdlcRp3c1ypd_7EcYeLoq`PhQSgJC0bJWwy7K%5h7*x_@SKp+fqLJ zOMDmB>!DcB&q#GSv&3N+#8(JK@Hmt$*`skq0M6(wC)KjW@w>9V@cuLB&_BS({w@n6 z8_;=CIWHxi@?G9JAvK)Wr2gud%snvR%}j`sbVvMHLAS2GQ3WQj#WrYuMEduh2k)YY zI%5lMui*BQKYFtL2L4aUpPaVVa0S!?veIcDyo_?vGTw*9rF<=2q%fgAgpR4%(KtcW z@Cs-}t4HE{pkR0mk0t{U(Y}oV#dil3E4G8bS}g?*7P%JL_0*J_O&&a7N#$6Q9+aJ6 zn!HGT4n2C4dSNHo8{|(ltNR#T0zSLea57UeOfjI_dmLNBw!_-Sg5RPfeoOnyZp-!I zm#w|bE7iA9@0ukNow77s}xOg#H4u?90IglsSznmoT$^e44foVUGLf&tYLL z!t5b~^Ck3%6g2yk1s6(*J4x}Zd~NeI@@jM4zIm`oe(Al0_Zs4;jc)HA;uS-h$!Y3! z(3CuF*tbt-_tqmcS#$m0mQ%BvCd}-NbUl|&!rW5MFSq~9@L!frE(C^0;z0&BgUAxk*a_uhnoo(EFInsb{l!X2FGHP46x+>Y#3%pJ2J2e+CL&Gz) zQi&Yc1vM1_@HUZGnu|5s&~zhJ2jcgnidj;N=^Sh5rH_Uv&*(l>D1GJ?A? 
zo#*mt_6T#;)NNMDF^lA;g4uFY^pyFfCTz1{gh3BAIhJTXd9Af?<)1Q?m5c=W%6}?q zk~`C%S~52tEyBJQ1V@Q;kKAaw9ddM{Jb$b5Fpxl2Ow{D89}~fT?B*%6?O0%Cml_R9 z?aj@39WkWSzT#px18)s&KW4;H!PXt#A=@twp)Js2Y^7QZQr6aso%i=#ndh(a_LlVQ zv_9^_jyr~2sDid!=DW_WHG^ewTBwfuwKPFE*P}^&_jIhlgc*-bJad?ahTQ8bWdm`d zK!LGft*Z00-)hk-V3U1XpyG>nQXvH2mirr;i8omrOB6n0G1O+qv^E4ZKm`F`&KiHm z*XcA$s^Q1+PWDHOZQneKB$3w_wP8^y$q)727QY1bB4Z(}GTI3j@n0KTYT||ln;aIL zlDa>AB;U+yHQcK-qd&;*8Mr|77yIxU3)b!=iN8P-h+Jl6DMpeE(f zj#FL0DZ=O{NJ}O0Io^gL%is0JJf~Uf?tnJ|PhlL#;Oda5*(}JTE+5)JPq91Yxh;cI z@093wZI6U)wy#={2j3$`#fxH0#!E7wx6YQ>OxbTZNi&dNa_<^<`O|8j-1*-QuA=;8 zwHuUruI?f|Pt{h_@aR?P$t;Z5`##&aDA7&jGNET`L8iM(?sfD#r7+L61#0e;dPV}Z|huL=a2xueHBpwi%OBJrWVTxlWAd!XgoqXIlFo`qdjNPwLpOI z9w$!6CfS5bmQJ9z4#;Za#BNL{0bE>u@C1=7r84Fk6aB>(_JT(^Ln^ z4w?OUJW#LE`_X&wh<5v6;Z@Gb7F7fLR)5?Q0Rx%kH*Y*W%a`3i@vBQSUzQ_bzof`K zKlZwiOXECM66KKhaBh=48XAA1&+<6BXs#-^Gy#Y}qTTRHx*)+>)Ba;}?vlbmsY_U2 z)OV(EGu^UD<>$GiafpwjkC_#&)X|u-WHCBPLM&Bz%yHw4xmvA8$Ey$HiZ!cj`%IlW zuuL)Mtefs1>kb@^OgkdSPG{n~`t=mQA_Cu{P4x@s8@yeQq{5Q)1JjcIJgD|`SRDfnf(7F0Skqo1F>`{QzhmkRxJAro5ow(sPw zQjQ8}uBAz_vaUB_Am1g;EJbC@bZArZrFg??#L#7tT{y~6$3$xMME=yZV{YY>J0^4) z8yRmRr=8gJl1AY?()kds?4!t}i(BbfS!z#b%If+f_$Jl3wBW6=5I?i14}YrjgCLGU zfPr_U{PQ8HS3|3Ala3ce(35jM#>XAPywxYk0$K+J$un>=EVSOZS3%i(_*rzyR$)M> zM0~bvksmQ;pH|I5#FN_Zk>qQ(yJitM`*Xkt=9h^MdrK+T17z``!xLAeDTJC$*>6mp zHy@JQMQ;mcmNKkytJE)UcoWfxJ5qToCgq+crh`$bq4(Nes%MrCblbxTP0PHw{{kGz zcC4H6VtGxP6K}I5D7<_`<%=GY1I=!_nTbgqa!ZW4|4B*5KQ?Xja3k-jL57Q1R+fU< zY~HeU_vWCli_?;wdy^&41thi1eexKJuTU$m10bG0LyE(;6c z_jcK*TW+9~;Vt1ZJF)CA$PZP`yt2*;*~XzXS&O274_p3be}eOLv@3xs^HGhOii~%s zOVY1ret5(ImmKwuekAUmUKHXRztY~YEEGK)9kfGXn9vAP*cgZ27dh~e@k4nNvZ7wK zIRegNG<{m+iF%vYMpzQA2zNhc1)`NjEcJ57v-bCBT&-(Z6BQB!HoLs-2iePU7}!8N zFE;r>ZJr7HkMBdt6hl7(o|Ds5z?+E_?#zrV49Fju4WLnpn>8aTdA`>HwiuoApsk2T zUg_%W*M6mD$PlYDJ8R1=SBn->{`CX*kg`!xtLx2Kxx!aOyo0^v{m!o+)rD-bnTM;Q zNRlmdjlT~Es=cu`S2Phk?qnXhYMDiqKI_z7g~8iI7Sf-HbN3*JWahPZSSjM}>ajb& zN5b(Wnj>Z3Ka?AH3X%V6K{|x5I(;7@E!2xReR)_SpZX-G#oejLAK&RXrjpOi-5}~f 
znjf^K1Bf968ZK^|KP>cmQsI=x!@LI(LM5-Z;+s+lX~6A&m5c4h=C~epS76qS zQqGnRI7_Lb&YQ(BsEF9917xn5q!$duw^donIUC&U|3n<)^$8%g_s_O1>$&^jZ~1UZ zJegvy?SgKmbF)~UsCaWw(g2$36)0-1_SeEVa*x+~OsbRYqJu&9Zbmhr;`-AIhc9`- z&Pjg(GVS33Q}<54iBVR@ zrcRaZMRggT1=yLSQH2#Z(l{JfZzfT}lD>u{*zK^1b+BpFn%+Ri+)E`_GQktARloco zN6re$hZJ$^MC+pnzNKr*QpXMyw9R>Wfgxzs35B4Hz!dfyP-aLu0*8g{2ZLhlYr2NuIR<33VFHNrHm; z0j}WS`26FWj!RQH7be-#wjn~L*WIg#G>k2U{#BV{%hdQ_F2I0?aPCNfiJC5%m zDA`w(3Y@3Ft(0Qp!9#?qeSV=7(K~VDy@aTK7|-oix_jpj9E;~Y+hx|X@dw$jqH=^S z^~Ij7MqiU>D-gtbvL!v1|JwJ23ggbM3?K!mGqxe+hyT0f1Z7^n{t{;#fL^A24`oXg zH;DtZE%gy=0okL33Ji7N~oISFa-uZoq#*NIUTZ#33sW9cNa8^n{OOeML;3kxmGH9nXfAO`8x1Oqz6M zBLdJ;h~ww%J&wLg%B?D+w&4%GOT_hPAXDN!(8fVu7jwz@%xcY65O3rGOImB9n` z{d~9L8Q$JJ4?YZ6Q8m)hmvx-uPA_{0Bv;G zE>HUptp~ry-bAlLmkPlH*ikhccoO4;h1db2Y9N~W@tj9Pvy0dM#~<`dMI@`1okmqk z^5+40Pebj!mP@w1VxS68xVhO+(#cX!tBR1@n38}oX5x2KzNo|{FIg!`3R?_Z+ht*b z?5)tyyO6#6Rl;ov_NX`VMYU1(Lsh)z0gh>1o13oU=nJqdeLO zPNGV(Dt~G$y<#Omsj8CWgs!)zvvD)+%b~sZZ`@oPq&4QKU*TJYa+)-q%@2&siV?(U zylb!mVYh9UTzZj9jgEQs#P3MQ&D5Af;0zSTZiyC*mbRf^Z`LJfn%uf`6xBq4v;2%z zIz5$boL4lK-~!oi!%JBUFJKwZ3On=L+h#PnxfAT9=%tpA^GkNtZv~055%>Yo@UPP| z;mfym;T_)t-ZoV_nfM)B1-~uHEpChNa_LLi9&`WIKGlliUqK|e|B4YYf!t5O{Mux% zVy455ZB${a>X%;ojFrKKjO9Gh!6cBk$k=fR^=z1 zpFP@P!rmI~E#g=C9NrPg9T9!W<%vL(jNG*tH>W>xi!(>#$3`oFs-_xd(#D_x4Omdz1{5!NSZ0 zrDwpi;v*j+i--rLG^azk0kt1zU#V0ibH?$^ka?{GTBNBbKi~*g0{io$k!0(Ok*NPL zK@0{+bcENwHFdIt9(&B%?X_At2~J>egi&{BspF3RJT9g#*u)yV6qm3`5UnH4UT_c( z*4L@&QOF#eR;;3YGFoZ$RA|^5qobGh>Yo|F()_1v9%{SQMK(YI{9-$k|L^-)iYH)P z$G}^$_t{oT$xF0;-m0{Izjzk&6~bIo8}?H+#-j)kY16Ap>~Lv+Pp0IvQ-_CJP3NBk?q=2LK97Rb(qz#A0s+nYOEdPD?*#yl=^+UgKAag1hDJv{jvNjb3O$KUGATS{?w%0ZDjgona&UAZhNxr9=1M zwbU5%F(j{f0zA;Q+D<&5MO0?j%)C{J^(N@8q|{)o9`_TN{P|FP5I;&Fh$Np0i^;&i zU}e=3ajkBv$c`q@dW{ABf)U3F{N-q6mH;DWAs|%~uc!4Nin=`52fg`RAh=GQ(3NCS zK%9!b|9o4%&k*TIRC9ry+(XC76G%v={RJ2&aoMq1QHaCgN9p;(?ujumX1V{ohD6Cy z_MI_kk25YI)45_!M!0D8$vR-Ni=4S{r5Q|0B+sT?)G-0C^*!=agM^I<+S82*RHlp@ 
z9TNYrm+yS|uq)2XQJx+7BBG1|<8lyDBP=OcuJQy?bHHOyWn7kCOk?@bWg#3T7`(*da~z^CM2AJ*>1- zHz!~6nba&gR#y!J%t#^#qzT?`5dRpNKJ+2kX?NP`U>Aoh%ecytr-=q3->gx;@5^%( zBOIP#VvH4T5@e6{$wKJuk}(&Z+L>{G+y-jdb_YffNmBf$V~3|8iI(41@f$mj@U&YS zeOk6fI;GZssIos!Kvodr115N%j?a&$T;KHC0Xdi3f;UlBS zmdd%isE3{hz1hH%S1r$(_9z+cp3toM*k^Si#`@4KL2b6 zIN6!5Dl6HCc5&n>lB' + - '' + - ' ' + 'test' + '' + - ' ' + 'test' + '' + - ''; - return xml; -} -webgoat.customjs.registerJson = function () { - var json; - json = '{' + - ' "user":' + '"test"' + - ' "password":' + '"test"' + - '}'; - return json; -} +$(document).ready(function () { + $("#postComment").unbind(); + $("#postComment").on("click", function () { + var commentInput = $("#commentInput").val(); + $.ajax({ + type: 'POST', + url: 'xxe/simple', + data: JSON.stringify({text: commentInput}), + contentType: "application/json", + dataType: 'json' + }).then( + function () { + getComments(); + $("#commentInput").val(''); + } + ) + }) + getComments(); +}) + +var html = '
  • ' + + '
    ' + + 'avatar' + + '
    ' + + '
    ' + + '
    ' + + '

    USER

    ' + + '
    DATETIME
    ' + + '
    ' + + '

    COMMENT

    ' + + '
    ' + + '
  • '; + +function getComments() { + $.get("xxe/simple", function (result, status) { + $("#comments_list").empty(); + for (var i = 0; i < result.length; i++) { + var comment = html.replace('USER', result[i].user); + comment = comment.replace('DATETIME', result[i].dateTime); + comment = comment.replace('COMMENT', result[i].text); + $("#comments_list").append(comment); + } + + }); +} \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc index dd5506af9..ef51f2d19 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_simple.adoc @@ -1,4 +1,4 @@ == Let's try -In this assignment you will need to sign up with a registration form. When submitting the form try to execute an XXE injection with the -username field. Try listing the root directory of the filesystem. +In this assignment you will add a comment to the photo, when submitting the form try to execute an XXE +injection with the comments field. Try listing the root directory of the filesystem.
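Review bot: getComments splices `result[i].user`, `dateTime` and `text` into the markup template with `String.replace` and appends the resulting string to `#comments_list`, so comment data is rendered as HTML without escaping; a comment containing markup breaks the post layout, and because the replacement argument is a plain string any `$`-sequence in the value is interpreted as a replacement pattern rather than inserted literally. The text is user-controlled on both the JSON and the XML route, and the XML route is meant to carry parser output back to the page, so the values should be inserted as text. Escape each value and use a function replacer, as below; the template string and the click handler are unchanged. The POST in the click handler has no failure branch, so a server error (for instance the NullPointerException reachable in SimpleXXE.checkSolution) leaves the user with no feedback at all. The start of this hunk is garbled by the preceding binary section, so I cannot see its header or the removed lines in full.
```javascript
function escapeHtml(value) {
    // Render user-supplied comment data as literal text, never as markup.
    return $('<div/>').text(value == null ? '' : String(value)).html();
}

function getComments() {
    $.get("xxe/simple", function (result, status) {
        $("#comments_list").empty();
        for (var i = 0; i < result.length; i++) {
            var entry = result[i];
            // Function replacers keep '$' sequences in the data from being treated as patterns.
            var comment = html.replace('USER', function () { return escapeHtml(entry.user); });
            comment = comment.replace('DATETIME', function () { return escapeHtml(entry.dateTime); });
            comment = comment.replace('COMMENT', function () { return escapeHtml(entry.text); });
            $("#comments_list").append(comment);
        }
    });
}
```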