minor changes and improving display issues

git-svn-id: http://webgoat.googlecode.com/svn/trunk@362 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java

@@ -1,6 +1,7 @@
 
 package org.owasp.webgoat.lessons;
 
+import java.text.DecimalFormat;
 import java.util.ArrayList;
 import java.util.List;
 import org.apache.ecs.Element;
@@ -140,8 +141,25 @@ public class ClientSideValidation extends SequentialLessonAdapter
 			ec.addElement(new HR().setWidth("90%"));
 
 			// test success
+			DecimalFormat money = new DecimalFormat("$0.00");
 
-			float grandTotal = s.getParser().getFloatParameter("GRANDTOT", 0.0f);
+			String grandTotalString = s.getParser().getStringParameter("GRANDTOT", "0");
+
+			float grandTotal = 1;
+
+			try
+			{
+				grandTotal = money.parse(grandTotalString).floatValue();
+			} catch (java.text.ParseException e)
+			{
+				try
+				{
+					grandTotal = Float.parseFloat(grandTotalString);
+				} catch (java.lang.NumberFormatException e1)
+				{
+					// eat exception, do not update grandTotal
+				}
+			}
 
 			if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit)
 			{
@@ -186,9 +204,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
 		tr.addElement(new TD().addElement("Total before coupon is applied:"));
 
 		tr.addElement(new TD().addElement(
-											new Input(Input.TEXT, "SUBTOT", s.getParser().getStringParameter("SUBTOT",
+											new Input(Input.TEXT, "SUBTOT", s.getParser()
-																												"0"))
+													.getStringParameter("SUBTOT", "$0.00")).setReadOnly(true)
-													.setReadOnly(true)).setAlign("right"));
+													.setStyle("border:0px;")).setAlign("right"));
 		t.addElement(tr);
 
 		tr = new TR();
@@ -196,8 +214,8 @@ public class ClientSideValidation extends SequentialLessonAdapter
 
 		tr.addElement(new TD().addElement(
 											new Input(Input.TEXT, "GRANDTOT", s.getParser()
-													.getStringParameter("GRANDTOT", "0")).setReadOnly(true))
+													.getStringParameter("GRANDTOT", "$0.00")).setReadOnly(true)
-				.setAlign("right"));
+													.setStyle("border:0px;")).setAlign("right"));
 		t.addElement(tr);
 
 		t.addElement(tr);
@@ -263,8 +281,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
 
 		tr.addElement(new TD().addElement(
 											new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter("PRC1",
-																											"69.99"))
+																											"$69.99"))
-													.setSize(10).setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		Input input = new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "0"));
 
@@ -274,10 +293,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
 
 		tr.addElement(new TD().addElement(input).setAlign("right"));
 
-		tr.addElement(new TD()
+		tr.addElement(new TD().addElement(
-				.addElement(
+											new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1",
-							new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1", "0")).setSize(10)
+																											"$0.00"))
-									.setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		t.addElement(tr);
 		tr = new TR();
@@ -285,8 +305,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
 
 		tr.addElement(new TD().addElement(
 											new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter("PRC2",
-																											"27.99"))
+																											"$27.99"))
-													.setSize(10).setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "0"));
 
@@ -294,19 +315,20 @@ public class ClientSideValidation extends SequentialLessonAdapter
 		input.setSize(10);
 		tr.addElement(new TD().addElement(input).setAlign("right"));
 
-		tr.addElement(new TD()
+		tr.addElement(new TD().addElement(
-				.addElement(
+											new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2",
-							new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2", "0")).setSize(10)
+																											"$0.00"))
-									.setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		t.addElement(tr);
 		tr = new TR();
 		tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™"));
 
-		tr.addElement(new TD().addElement(
+		tr.addElement(new TD()
-											new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3",
+				.addElement(
-																											"1599.99"))
+							new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter("PRC3", "$1599.99"))
-													.setSize(10).setReadOnly(true)).setAlign("right"));
+									.setSize(10).setReadOnly(true).setStyle("border:0px;")).setAlign("right"));
 
 		input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "0"));
 
@@ -314,10 +336,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
 		input.setSize(10);
 		tr.addElement(new TD().addElement(input).setAlign("right"));
 
-		tr.addElement(new TD()
+		tr.addElement(new TD().addElement(
-				.addElement(
+											new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3",
-							new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3", "0")).setSize(10)
+																											"$0.00"))
-									.setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		t.addElement(tr);
 		tr = new TR();
@@ -325,8 +348,9 @@ public class ClientSideValidation extends SequentialLessonAdapter
 
 		tr.addElement(new TD().addElement(
 											new Input(Input.TEXT, "PRC4", s.getParser().getStringParameter("PRC4",
-																											"299.99"))
+																											"$299.99"))
-													.setSize(10).setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "0"));
 
@@ -334,10 +358,11 @@ public class ClientSideValidation extends SequentialLessonAdapter
 		input.setSize(10);
 		tr.addElement(new TD().addElement(input).setAlign("right"));
 
-		tr.addElement(new TD()
+		tr.addElement(new TD().addElement(
-				.addElement(
+											new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4",
-							new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4", "0")).setSize(10)
+																											"$0.00"))
-									.setReadOnly(true)).setAlign("right"));
+													.setSize(10).setReadOnly(true).setStyle("border:0px;"))
+				.setAlign("right"));
 
 		t.addElement(tr);
 		ec.addElement(t);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java

@@ -21,6 +21,7 @@ import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.B;
+import org.apache.ecs.html.Div;
 import org.apache.ecs.html.IMG;
 import org.apache.ecs.html.Input;
 import org.apache.ecs.html.P;
@@ -266,7 +267,7 @@ public class Encoding extends LessonAdapter
 
 			description = "Rot13 encoding is a way to make text unreadable, but is easily reversed and provides no security.";
 
-			t.addElement(makeRow(description, rot13(userInput), userInput));
+			t.addElement(makeRow(description, rot13(userInput), rot13(userInput)));
 
 			description = "XOR with password encoding is a weak encryption scheme that mixes a password into data.";
 
@@ -575,7 +576,7 @@ public class Encoding extends LessonAdapter
 			System.out.print("Hex encoding: ");
 			System.out.println(hexEncode(userInput) + " : " + hexDecode(userInput));
 			System.out.print("Rot13 encoding: ");
-			System.out.println(rot13(userInput) + " : " + userInput);
+			System.out.println(rot13(userInput) + " : " + rot13(userInput));
 			System.out.print("XOR with password: ");
 			System.out.println(xorEncode(userInput, userKey) + " : " + xorDecode(userInput, userKey));
 			System.out.print("Double unicode encoding is...");
@@ -604,8 +605,12 @@ public class Encoding extends LessonAdapter
 	{
 
 		TD desc = new TD().addElement(description).setBgColor("#bbbbbb");
-		TD val1 = new TD().addElement(value1).setBgColor("#dddddd");
+		TD val1 = new TD()
-		TD val2 = new TD().addElement(value2).setBgColor("#dddddd");
+				.addElement(new Div().addElement(value1).setStyle("overflow:auto; height:60px; width:100px;"))
+				.setBgColor("#dddddd");
+		TD val2 = new TD()
+				.addElement(new Div().addElement(value2).setStyle("overflow:auto; height:60px; width:100px;"))
+				.setBgColor("#dddddd");
 		TR tr = new TR();
 
 		tr.addElement(desc);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java

@@ -1,6 +1,7 @@
 
 package org.owasp.webgoat.lessons;
 
+import java.text.DecimalFormat;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
@@ -97,6 +98,7 @@ public class HiddenFieldTampering extends LessonAdapter
 		float quantity;
 		float total;
 		String price = PRICE_TV;
+		DecimalFormat money = new DecimalFormat("$0.00");
 		try
 		{
 			price = s.getParser().getRawParameter(PRICE, PRICE_TV);
@@ -124,16 +126,16 @@ public class HiddenFieldTampering extends LessonAdapter
 
 			TR tr = new TR();
 			tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%"));
-			tr.addElement(new TH().addElement("Price:").setWidth("10%"));
+			tr.addElement(new TH().addElement("Price").setWidth("10%"));
-			tr.addElement(new TH().addElement("Quantity:").setWidth("3%"));
+			tr.addElement(new TH().addElement("Quantity").setWidth("3%"));
 			tr.addElement(new TH().addElement("Total").setWidth("7%"));
 			t.addElement(tr);
 
 			tr = new TR();
 			tr.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
 			tr.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
-			tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1)).setAlign("right"));
+			tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY", 1).setSize(6)).setAlign("right"));
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			t.addElement(tr);
 
 			ec.addElement(t);
@@ -148,7 +150,7 @@ public class HiddenFieldTampering extends LessonAdapter
 			ec.addElement(new BR());
 			tr = new TR();
 			tr.addElement(new TD().addElement("The total charged to your credit card:"));
-			tr.addElement(new TD().addElement("$" + total));
+			tr.addElement(new TD().addElement(money.format(total)));
 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart")));
 			tr.addElement(new TD().addElement(ECSFactory.makeButton("Purchase", "validate()")));
 			t.addElement(tr);

webgoat/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java

@@ -453,9 +453,7 @@ public class CreateDB
 					+ "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13),"
 					+ "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8),"
 					+ "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason
-					// for
+					// for the recent write-up
-					// the
-					// recent write-up
 					+ "disciplined_date CHAR(8)," // date of write up, NA otherwise
 					+ "disciplined_notes VARCHAR(60)," // reason for the recent write-up
 					+ "personal_description VARCHAR(60)" // We can be rude here

webgoat/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java

@@ -35,8 +35,16 @@ public class RandomLessonTracker extends LessonTracker
 	public void setStageComplete(String stage, boolean complete)
 	{
 		completed.put(stage, Boolean.valueOf(complete));
-		for (int i = 0; i < stages.length - 1; i++)
+		if (!complete) return;
-			if (stages[i].equals(stage)) setStage(stages[i + 1]);
+		int i = getStageNumber(stage);
+		if (i < stages.length - 1) setStage(stages[i + 1]);
+	}
+
+	public int getStageNumber(String stage)
+	{
+		for (int i = 0; i < stages.length; i++)
+			if (stages[i].equals(stage)) return i;
+		return -1;
 	}
 
 	public boolean hasCompleted(String stage)
@@ -81,8 +89,14 @@ public class RandomLessonTracker extends LessonTracker
 		for (int i = 0; i < stages.length; i++)
 		{
 			if (hasCompleted(stages[i]))
+			{
 				lessonProperties.setProperty(screen.getTitle() + "." + stages[i] + ".completed", Boolean.TRUE
 						.toString());
+			}
+			else
+			{
+				lessonProperties.remove(screen.getTitle() + "." + stages[i] + ".completed");
+			}
 		}
 		lessonProperties.setProperty(screen.getTitle() + ".stage", getStage());
 		super.store(s, screen, user);

webgoat/main/project/JavaSource/org/owasp/webgoat/session/Screen.java

@@ -207,7 +207,7 @@ public abstract class Screen
 
 	public int getContentLength()
 	{
-		return content.toString().length();
+		return getContent().length();
 	}
 
 	/**
@@ -224,7 +224,7 @@ public abstract class Screen
 
 		// otherwise we're doing way too much SSL encryption work
 
-		out.print(content.toString());
+		out.print(getContent());
 
 	}
 

webgoat/main/project/WebContent/javascript/clientSideValidation.js

@@ -75,8 +75,7 @@ function ajaxFunction(coupon)
       {
       if(xmlHttp.readyState==4)
         {
-        document.form.GRANDTOT.value = document.form.SUBTOT.value * xmlHttp.responseText;
+        document.form.GRANDTOT.value = calcTot(document.form.SUBTOT.value , xmlHttp.responseText);
-        document.form.GRANDTOT.value = dollarRound(document.form.GRANDTOT.value);
         }
       }
     xmlHttp.open("GET","lessons/Ajax/clientSideValidation.jsp?coupon=" + coupon,true);
@@ -88,26 +87,59 @@ function ajaxFunction(coupon)
 
 	f = document.form;
 	
-	f.TOT1.value = dollarRound(f.QTY1.value * f.PRC1.value);
+	f.TOT1.value = calcTot(f.PRC1.value , f.QTY1.value);
-	f.TOT2.value = dollarRound(f.QTY2.value * f.PRC2.value);
+	f.TOT2.value = calcTot(f.PRC2.value , f.QTY2.value);
-	f.TOT3.value = dollarRound(f.QTY3.value * f.PRC3.value);
+	f.TOT3.value = calcTot(f.PRC3.value , f.QTY3.value);
-	f.TOT4.value = dollarRound(f.QTY4.value * f.PRC4.value);
+	f.TOT4.value = calcTot(f.PRC4.value , f.QTY4.value);	
 	
-	f.SUBTOT.value = dollarRound(parseFloat(f.TOT1.value) + parseFloat(f.TOT2.value) + parseFloat(f.TOT3.value) + parseFloat(f.TOT4.value));
+	f.SUBTOT.value = formatCurrency(unFormat(f.TOT1.value) 
-
+							+ unFormat(f.TOT2.value) 
+							+ unFormat(f.TOT3.value) 
+							+ unFormat(f.TOT4.value));
 	
-	f.GRANDTOT.value = f.SUBTOT.value;
+	f.GRANDTOT.value = f.SUBTOT.value;	
 	
 	isValidCoupon(f.field1.value);
+	
+	
+}
+
+function unFormat(price){
+	
+	price = parseFloat(unFormatCurrency(price));
+
+	if(isNaN(price))
+		price = 0;
+	
+	return price;
 
 }
 
 function calcTot( price,  qty){
 	
-	return parseInt(qty * price *100)/100;
+	price = unFormatCurrency(price);
-
+	
+	return formatCurrency(price*qty);
 }
 
-function dollarRound(price){
+
-	return parseInt(price *100)/100;
+function unFormatCurrency(price){
+	price = price.toString().replace(/\$|\,/g,'');
+	return price;
+}
+
+function formatCurrency(num) {
+	num = num.toString().replace(/\$|\,/g,'');
+	if(isNaN(num))
+		num = "0";
+	sign = (num == (num = Math.abs(num)));
+	num = Math.floor(num*100+0.50000000001);
+	cents = num%100;
+	num = Math.floor(num/100).toString();
+	if(cents<10)
+		cents = "0" + cents;
+	for (var i = 0; i < Math.floor((num.length-(1+i))/3); i++)
+		num = num.substring(0,num.length-(4*i+3))+','+
+	num.substring(num.length-(4*i+3));
+	return (((sign)?'':'-') + '$' + num + '.' + cents);
 }

webgoat/main/project/WebContent/lesson_plans/HtmlClues.html

@@ -4,7 +4,7 @@
  
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
- Developers are notorious for leaving statements like TODO's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp;
+ Developers are notorious for leaving statements like FIXME's, TODO's, Code Broken, Hack, etc... inside the source code. &nbsp;Review the source code for any comments denoting&nbsp; passwords, backdoors, or something doesn't work right.&nbsp;
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>

webgoat/main/project/WebContent/lessons/Ajax/employees.xml

@@ -247,5 +247,8 @@
         <Comments></Comments>
         <DisciplinaryExplanation></DisciplinaryExplanation>
         <DisciplinaryDate>112005</DisciplinaryDate>        
+        <Managers>
+		<Manager>112</Manager>
+	</Managers>
     </Employee>
 </Employees>