From 5c2d9cd8e9d2536c0288873543b9e57dfbda8619 Mon Sep 17 00:00:00 2001
From: PhilippeSteinbach
Date: Mon, 4 Feb 2019 14:45:40 +0100
Subject: [PATCH] assignment 5: display query string to user after success, improved regex to allow missing semicolon after query

---
 .../webgoat/plugin/introduction/SqlInjectionLesson5.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
index 118a0641e..66ff057f9 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java
@@ -59,13 +59,14 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
 protected AttackResult injectableQuery(String _query) {
 try {
 String query = _query;
- String regex = "(?i)^grant alter table to unauthorizedUser;$";
+ String regex = "(?i)^(grant alter table to unauthorizedUser)(?:[;]?)$";
 Boolean isCorrect = false;
 StringBuffer output = new StringBuffer();
 // user completes lesson if the query is correct
 if (_query.matches(regex)) {
- return trackProgress(success().feedbackArgs(output.toString()).build());
+ output.append("" + _query + "");
+ return trackProgress(success().output(output.toString()).build());
 } else {
 return trackProgress(failed().output(output.toString()).build());
 }
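Review bot: `output.append("" + _query + "");` on the new success path concatenates two empty literals for nothing; `output.append(_query);` yields the same value, and a short comment such as `// echo the submitted query back as the success output` would make the intent of reflecting the user's own input explicit. Because `matches()` anchors the whole string, the widened regex still constrains what is echoed to the grant statement with an optional trailing semicolon, so nothing other than that literal text can reach the browser through this branch; if the pattern is ever loosened, `_query` would be reflected unescaped and would need HTML encoding at that point, which is worth stating next to the `append`. The unused capturing group and `(?:[;]?)` can be simplified to `"(?i)^grant alter table to unauthorizedUser;?$"`. `String query` and `Boolean isCorrect` remain unused and `String.matches` recompiles the pattern on every request, though those are pre-existing. The try block of injectableQuery continues past the end of the hunk.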