diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java index 8bcf3f618..b3fb13697 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java @@ -19,8 +19,10 @@ import javax.xml.stream.XMLStreamReader; import java.io.IOException; import java.io.StringReader; import java.util.Collection; +import java.util.Comparator; import java.util.Map; import java.util.Optional; +import java.util.stream.Collectors; import static java.util.Optional.empty; import static java.util.Optional.of; @@ -54,7 +56,7 @@ public class Comments { allComments.addAll(xmlComments); } allComments.addAll(comments); - return allComments; + return allComments.stream().sorted(Comparator.comparing(Comment::getDateTime).reversed()).collect(Collectors.toList()); } protected Comment parseXml(String xml) throws Exception { diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html index e46925552..39eadc226 100644 --- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html +++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html @@ -26,6 +26,7 @@ method="POST" name="form" prepareData="simpleXXE" successCallback="simpleXXECallback" + failureCallback="simpleXXECallback" contentType="application/xml" action="/WebGoat/xxe/simple">
@@ -82,6 +83,7 @@ method="POST" name="form" prepareData="contentTypeXXE" successCallback="contentTypeXXECallback" + failureCallback="contentTypeXXECallback" action="xxe/content-type" contentType="application/json">
@@ -147,6 +149,7 @@ method="POST" name="form" prepareData="blindXXE" successCallback="blindXXECallback" + failureCallback="blindXXECallback" action="/WebGoat/xxe/blind" contentType="application/xml">
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js index 391101e89..9c8ded38e 100644 --- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js +++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js @@ -8,7 +8,7 @@ webgoat.customjs.simpleXXE = function () { } webgoat.customjs.simpleXXECallback = function() { - $("#commentInputBlind").val(''); + $("#commentInputSimple").val(''); getComments('#commentsListSimple'); } @@ -16,6 +16,25 @@ $(document).ready(function () { getComments('#commentsListSimple'); }); +//// Content-type + +webgoat.customjs.contentTypeXXE = function() { + var commentInput = $("#commentInputContentType").val(); + return JSON.stringify({text: commentInput}); +} + +webgoat.customjs.contentTypeXXECallback = function() { + $("#commentInputContentType").val(''); + getComments('#commentsListContentType'); +} + +$(document).ready(function () { + getComments('#commentsListContentType'); +}); + + +//// Blind + webgoat.customjs.blindXXE = function() { var commentInput = $("#commentInputBlind").val(); var xml = '' + @@ -34,19 +53,7 @@ $(document).ready(function () { getComments('#commentsListBlind'); }); -webgoat.customjs.contentTypeXXE = function() { - var commentInput = $("#commentInputContentType").val(); - return JSON.stringify({text: commentInput}); -} -webgoat.customjs.contentTypeXXECallback = function() { - $("#commentInputContentType").val(''); - getComments('#commentsListContentType'); -} - -$(document).ready(function () { - getComments('#commentsListContentType'); -}); var html = '
  • ' + '
    ' +