From 6b9e9db4aa4c4faa170291a2e2465587c3c79c85 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nbaars@xebia.com>
Date: Tue, 15 Nov 2016 22:41:59 +0100
Subject: [PATCH] #272 Fix lesson client side filtering - Endpoint now returns
 proper json and no longer uses ecs.

---
 .../org/owasp/webgoat/plugin/Salaries.java    | 63 +++++--------------
 .../ClientSideFiltering/html/employees.xml    | 32 +++++-----
 .../js/clientSideFiltering.js                 | 21 ++++++-
 3 files changed, 53 insertions(+), 63 deletions(-)

diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java
index 5f20f1e69..1fa3d0cc2 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java
@@ -4,12 +4,11 @@ package org.owasp.webgoat.plugin;
  *
  */
 
-import org.apache.ecs.html.TD;
-import org.apache.ecs.html.TR;
-import org.apache.ecs.html.Table;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
 import org.owasp.webgoat.lessons.Endpoint;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
@@ -24,11 +23,14 @@ import javax.xml.xpath.XPathFactory;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.util.List;
+import java.util.Map;
 
 public class Salaries extends Endpoint {
 
-    @RequestMapping(method = RequestMethod.GET)
-    public void invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+    @RequestMapping(produces = {"application/json"})
+    @ResponseBody
+    public List<Map<String, Object>> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
         String userId = req.getParameter("userId");
         NodeList nodes = null;
         File d = new File(getPluginDirectory(), "ClientSideFiltering/html/employees.xml");
@@ -52,49 +54,18 @@ public class Salaries extends Endpoint {
         } catch (XPathExpressionException e) {
             e.printStackTrace();
         }
-        int nodesLength = nodes.getLength();
-
-
-        TR tr;
-
         int COLUMNS = 5;
-
-        Table t2 = null;
-        if (nodesLength > 0) {
-            t2 = new Table().setCellSpacing(0).setCellPadding(0)
-                    .setBorder(1).setWidth("90%").setAlign("center");
-            tr = new TR();
-            tr.addElement(new TD().addElement("UserID"));
-            tr.addElement(new TD().addElement("First Name"));
-            tr.addElement(new TD().addElement("Last Name"));
-            tr.addElement(new TD().addElement("SSN"));
-            tr.addElement(new TD().addElement("Salary"));
-            t2.addElement(tr);
-        }
-
-        tr = new TR();
-
-        for (int i = 0; i < nodesLength; i++) {
+        List json = Lists.newArrayList();
+        java.util.Map<String, Object> employeeJson = Maps.newHashMap();
+        for (int i = 0; i < nodes.getLength(); i++) {
+            if (i != 0 && i % COLUMNS == 0) {
+                employeeJson = Maps.newHashMap();
+                json.add(employeeJson);
+            }
             Node node = nodes.item(i);
-
-            if (i % COLUMNS == 0) {
-                tr = new TR();
-                tr.setID(node.getTextContent());
-                //tr.setStyle("display: none");
-            }
-
-            tr.addElement(new TD().addElement(node.getTextContent()));
-
-            if (i % COLUMNS == (COLUMNS - 1)) {
-                t2.addElement(tr);
-            }
-        }
-
-        if (t2 != null) {
-            resp.getWriter().println(t2.toString());
-        } else {
-            resp.getWriter().println("No Results");
+            employeeJson.put(node.getNodeName(), node.getTextContent());
         }
+        return json;
     }
 
     @Override
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml
index 31b95296b..e7c4b0246 100644
--- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/html/employees.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Employees>
-    <Employee >
+    <Employee>
         <UserID>101</UserID>
         <FirstName>Larry</FirstName>
         <LastName>Stooge</LastName>
@@ -19,7 +19,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers> 
+        </Managers>
     </Employee>
     <Employee>
         <UserID>102</UserID>
@@ -37,8 +37,8 @@
         <DisciplinaryExplanation>Hit Curly over head</DisciplinaryExplanation>
         <DisciplinaryDate>101013</DisciplinaryDate>
         <Managers>
-			<Manager>112</Manager>
-		</Managers> 
+            <Manager>112</Manager>
+        </Managers>
     </Employee>
     <Employee>
         <UserID>103</UserID>
@@ -59,7 +59,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers>  
+        </Managers>
     </Employee>
     <Employee>
         <UserID>104</UserID>
@@ -81,7 +81,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers> 
+        </Managers>
     </Employee>
     <Employee>
         <UserID>105</UserID>
@@ -103,7 +103,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers> 
+        </Managers>
     </Employee>
     <Employee>
         <UserID>106</UserID>
@@ -124,7 +124,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers>  
+        </Managers>
     </Employee>
     <Employee>
         <UserID>107</UserID>
@@ -145,7 +145,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers>         
+        </Managers>
     </Employee>
     <Employee>
         <UserID>108</UserID>
@@ -167,7 +167,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers>        
+        </Managers>
     </Employee>
     <Employee>
         <UserID>109</UserID>
@@ -189,7 +189,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers>        
+        </Managers>
     </Employee>
     <Employee>
         <UserID>110</UserID>
@@ -211,7 +211,7 @@
             <Manager>102</Manager>
             <Manager>111</Manager>
             <Manager>112</Manager>
-        </Managers> 
+        </Managers>
     </Employee>
     <Employee>
         <UserID>111</UserID>
@@ -230,7 +230,7 @@
         <DisciplinaryDate>112005</DisciplinaryDate>
         <Managers>
             <Manager>112</Manager>
-        </Managers>   
+        </Managers>
     </Employee>
     <Employee>
         <UserID>112</UserID>
@@ -246,9 +246,9 @@
         <Limit>300</Limit>
         <Comments></Comments>
         <DisciplinaryExplanation></DisciplinaryExplanation>
-        <DisciplinaryDate>112005</DisciplinaryDate>        
+        <DisciplinaryDate>112005</DisciplinaryDate>
         <Managers>
-		<Manager>112</Manager>
-	</Managers>
+            <Manager>112</Manager>
+        </Managers>
     </Employee>
 </Employees>
diff --git a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
index 11fd03544..79694e532 100644
--- a/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
+++ b/webgoat-lessons/client-side-filtering/src/main/resources/plugin/ClientSideFiltering/js/clientSideFiltering.js
@@ -15,8 +15,27 @@ function fetchUserData() {
 
 function ajaxFunction(userId) {
     $.get("clientSideFiltering/salaries?userId=" + userId, function (result, status) {
+        var html = "<table border = '1' width = '90%' align = 'center'";
+        html = html + '<tr>';
+        html = html + '<td>UserID</td>';
+        html = html + '<td>First Name</td>';
+        html = html + '<td>Last Name</td>';
+        html = html + '<td>SSN</td>';
+        html = html + '<td>Salary</td>';
+
+        for (var i = 0; i < result.length; i++) {
+            html = html + '<tr id = "' + result[i].UserID + '"</tr>';
+            html = html + '<td>' + result[i].UserID + '</td>';
+            html = html + '<td>' + result[i].FirstName + '</td>';
+            html = html + '<td>' + result[i].LastName + '</td>';
+            html = html + '<td>' + result[i].SSN + '</td>';
+            html = html + '<td>' + result[i].Salary + '</td>';
+            html = html + '</tr>';
+        }
+        html = html + '</tr></table>';
+
         var newdiv = document.createElement("div");
-        newdiv.innerHTML = result;
+        newdiv.innerHTML = html;
         var container = document.getElementById("hiddenEmployeeRecords");
         container.appendChild(newdiv);
     });