From 75d0405da1e493ba53d7773e845bd36218b64666 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Fri, 17 Nov 2017 07:07:43 +0100
Subject: [PATCH] Fixed XXE lesson the posting of the comments did not show up directly only after page refresh
---
 .../org/owasp/webgoat/plugin/Comments.java | 4 ++-
 .../xxe/src/main/resources/html/XXE.html | 3 ++
 .../xxe/src/main/resources/js/xxe.js | 33 +++++++++++--------
 3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
index 8bcf3f618..b3fb13697 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
@@ -19,8 +19,10 @@ import javax.xml.stream.XMLStreamReader;
 import java.io.IOException;
 import java.io.StringReader;
 import java.util.Collection;
+import java.util.Comparator;
 import java.util.Map;
 import java.util.Optional;
+import java.util.stream.Collectors;

 import static java.util.Optional.empty;
 import static java.util.Optional.of;
@@ -54,7 +56,7 @@ public class Comments {
 allComments.addAll(xmlComments);
 }
 allComments.addAll(comments);
- return allComments;
+ return allComments.stream().sorted(Comparator.comparing(Comment::getDateTime).reversed()).collect(Collectors.toList());
 }

 protected Comment parseXml(String xml) throws Exception {
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index e46925552..39eadc226 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -26,6 +26,7 @@
 method="POST"
 name="form"
 prepareData="simpleXXE"
 successCallback="simpleXXECallback"
+ failureCallback="simpleXXECallback"
 contentType="application/xml"
 action="/WebGoat/xxe/simple">
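Review bot: The new return line sorts with a bare `Comparator.comparing(Comment::getDateTime)`, which throws NullPointerException as soon as one comment has a null dateTime (whether Comment permits that is not visible here), and the `xmlComments` half of the list is presumably built by `parseXml` from the XML a learner posts, so a single comment without a timestamp would break the whole listing rather than just that entry. A null-tolerant comparator keeps newest-first and pushes timestamp-less comments to the end: `return allComments.stream().sorted(Comparator.comparing(Comment::getDateTime, Comparator.nullsLast(Comparator.reverseOrder()))).collect(Collectors.toList());`. If getDateTime returns a formatted String rather than a java.time value, also confirm the format orders chronologically, since the comparison is then lexicographic. Because `sorted()` is stable, comments with equal timestamps keep the xmlComments-then-comments order the two addAll calls establish, which is worth a one-line comment. The enclosing method starts before this hunk.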
@@ -82,6 +83,7 @@
 method="POST"
 name="form"
 prepareData="contentTypeXXE"
 successCallback="contentTypeXXECallback"
+ failureCallback="contentTypeXXECallback"
 action="xxe/content-type"
 contentType="application/json">
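Review bot: `failureCallback` now names the same `contentTypeXXECallback` as `successCallback`, and that callback (added in xxe.js in this same commit) clears `#commentInputContentType` and refreshes the list unconditionally, so a request the server rejects wipes the learner's input and the page shows no sign that anything failed. If the goal is only to refresh the comment list after a failed post, a separate handler that refreshes without clearing — `failureCallback="contentTypeXXEFailure"` backed by a function that just calls `getComments('#commentsListContentType')` — keeps the text for a retry and leaves room to surface the error. The same success-equals-failure wiring is repeated on the simple and blind forms. The form element this attribute belongs to starts before and ends after this hunk.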
@@ -147,6 +149,7 @@
 method="POST"
 name="form"
 prepareData="blindXXE"
 successCallback="blindXXECallback"
+ failureCallback="blindXXECallback"
 action="/WebGoat/xxe/blind"
 contentType="application/xml">
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js index 391101e89..9c8ded38e 100644 --- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js +++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js @@ -8,7 +8,7 @@ webgoat.customjs.simpleXXE = function () { } webgoat.customjs.simpleXXECallback = function() { - $("#commentInputBlind").val(''); + $("#commentInputSimple").val(''); getComments('#commentsListSimple'); } @@ -16,6 +16,25 @@ $(document).ready(function () { getComments('#commentsListSimple'); }); +//// Content-type + +webgoat.customjs.contentTypeXXE = function() { + var commentInput = $("#commentInputContentType").val(); + return JSON.stringify({text: commentInput}); +} + +webgoat.customjs.contentTypeXXECallback = function() { + $("#commentInputContentType").val(''); + getComments('#commentsListContentType'); +} + +$(document).ready(function () { + getComments('#commentsListContentType'); +}); + + +//// Blind + webgoat.customjs.blindXXE = function() { var commentInput = $("#commentInputBlind").val(); var xml = '' + @@ -34,19 +53,7 @@ $(document).ready(function () { getComments('#commentsListBlind'); }); -webgoat.customjs.contentTypeXXE = function() { - var commentInput = $("#commentInputContentType").val(); - return JSON.stringify({text: commentInput}); -} -webgoat.customjs.contentTypeXXECallback = function() { - $("#commentInputContentType").val(''); - getComments('#commentsListContentType'); -} - -$(document).ready(function () { - getComments('#commentsListContentType'); -}); var html = '
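Review bot: The new `contentTypeXXECallback` re-renders the list through `getComments`, which is defined outside this hunk, and the `html` template that starts at `var html = '` near the end of this file section appears to build list items by string concatenation; if the comment text returned by the server is inserted into that string without escaping, a comment posted through this form is rendered as markup — a stored XSS in the lesson page, possibly intentional in a deliberately vulnerable app, but the rendering code is not visible here, so confirm and document either way. The moved block also deserves a purpose line, since `//// Content-type` is its only comment: `// Content-type lesson: builds the JSON body for the form posting to xxe/content-type (declared contentType application/json in XXE.html).` Note that the callback clears the input before the refresh and is now wired as the failure callback too, so a rejected post still discards what the learner typed.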
  • ' + '
    ' +