some cleanup, and removing unneeded ClassNotFoundExceptions

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@361 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java

@@ -149,6 +149,9 @@ public class CrossSiteScripting extends GoatHillsFinancial
 		hints.add("Stage2: The java.util.regex package is useful for filtering string values.");
 
 		// Stage 3
+		hints
+				.add("Stage3: Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags.");
+		hints.add("Stage3: An HTML entity encoder is provided in the ParameterParser class.");
 
 		// Stage 4
 		hints
@@ -177,7 +180,7 @@ public class CrossSiteScripting extends GoatHillsFinancial
 			{
 				instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.<br>"
 						+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page.  "
-						+ "Verify that 'Jerry' is affected by the attack. <br/>The passwords for the accounts are the prenames.";
+						+ "Verify that 'Jerry' is affected by the attack. <br/>(The passwords for the accounts are the first names.)";
 			}
 			else if (STAGE2.equals(stage))
 			{

main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java

@@ -17,7 +17,6 @@ import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
 
 
 /***************************************************************************************************

main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java

@@ -378,10 +378,6 @@ public class UpdateProfile extends DefaultLessonAction
 		{
 			sqle.printStackTrace();
 			s.setMessage("Error updating employee profile");
-		} catch (ClassNotFoundException e)
-		{
-			// TODO Auto-generated catch block
-			e.printStackTrace();
 		}
 		return uid + 1;
 	}

main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java

@@ -4,18 +4,14 @@ package org.owasp.webgoat.lessons.CrossSiteScripting;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.apache.ecs.xhtml.html;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.ParameterParser;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.util.HtmlEncoder;
-import com.sun.corba.se.spi.activation.Server;
 
 
 /***************************************************************************************************

main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java

@@ -118,10 +118,6 @@ public class UpdateProfile extends DefaultLessonAction
 					setStageComplete(s, DBCrossSiteScripting.STAGE2);
 				}
 
-			} catch (ClassNotFoundException e)
-			{
-				s.setMessage("Error updating employee profile");
-				e.printStackTrace();
 			}
 
 			try
@@ -146,10 +142,7 @@ public class UpdateProfile extends DefaultLessonAction
 		return DBCrossSiteScripting.VIEWPROFILE_ACTION;
 	}
 
-	public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException,
+	public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException
-			ClassNotFoundException
-	{
-		try
 		{
 			String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) }";
 			CallableStatement call = WebSession.getConnection(s).prepareCall(update);
@@ -171,10 +164,6 @@ public class UpdateProfile extends DefaultLessonAction
 			call.setString(15, employee.getDisciplinaryActionNotes());
 			call.setString(16, employee.getPersonalDescription());
 			call.executeUpdate();
-		} catch (ClassNotFoundException e)
-		{
-			e.printStackTrace();
-		}
 	}
 
 	public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException
@@ -230,10 +219,6 @@ public class UpdateProfile extends DefaultLessonAction
 		{
 			sqle.printStackTrace();
 			s.setMessage("Error updating employee profile");
-		} catch (ClassNotFoundException e)
-		{
-			// TODO Auto-generated catch block
-			e.printStackTrace();
 		}
 		return uid + 1;
 	}

main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java

@@ -167,10 +167,6 @@ public class UpdateProfile extends DefaultLessonAction
 		{
 			sqle.printStackTrace();
 			s.setMessage("Error updating employee profile");
-		} catch (ClassNotFoundException e)
-		{
-			// TODO Auto-generated catch block
-			e.printStackTrace();
 		}
 		return uid + 1;
 	}

main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java

@@ -213,10 +213,6 @@ public class UpdateProfile extends DefaultLessonAction
 		{
 			sqle.printStackTrace();
 			s.setMessage("Error updating employee profile");
-		} catch (ClassNotFoundException e)
-		{
-			// TODO Auto-generated catch block
-			e.printStackTrace();
 		}
 		return uid + 1;
 	}

main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java

@@ -115,7 +115,7 @@ public class SQLInjection extends GoatHillsFinancial
 				.add("Many of WebGoat's database queries are already parameterized.  Search the project for PreparedStatement.");
 
 		// Stage 3
-		hints.add("Try entering an employee_id of [ 101 OR 1=1 ORDER BY salary ].");
+		hints.add("Try entering an employee_id of [ 101 or 1=1 order by salary desc ].");
 
 		// Stage 4
 

main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java

@@ -51,13 +51,12 @@ public class DatabaseUtilities
 	private static Map<String, Connection> connections = new HashMap<String, Connection>();
 	private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
 
-	public static Connection getConnection(WebSession s) throws ClassNotFoundException, SQLException
+	public static Connection getConnection(WebSession s) throws SQLException
 	{
 		return getConnection(s.getUserName(), s.getWebgoatContext());
 	}
 
-	public static synchronized Connection getConnection(String user, WebgoatContext context)
+	public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException
-			throws ClassNotFoundException, SQLException
 	{
 		Connection conn = connections.get(user);
 		if (conn != null && !conn.isClosed()) return conn;
@@ -87,8 +86,9 @@ public class DatabaseUtilities
 		}
 	}
 
-	private static Connection makeConnection(String user, WebgoatContext context) throws ClassNotFoundException,
+	private static Connection makeConnection(String user, WebgoatContext context) throws SQLException
-			SQLException
+	{
+		try
 	{
 		Class.forName(context.getDatabaseDriver());
 
@@ -98,6 +98,11 @@ public class DatabaseUtilities
 		String password = context.getDatabasePassword();
 		String url = context.getDatabaseConnectionString();
 		return DriverManager.getConnection(url, userPrefix + "_" + user, password);
+		} catch (ClassNotFoundException cnfe)
+		{
+			cnfe.printStackTrace();
+			throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage());
+		}
 	}
 
 	private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,

main/project/JavaSource/org/owasp/webgoat/session/WebSession.java

@@ -3,6 +3,7 @@ package org.owasp.webgoat.session;
 
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.security.Principal;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.util.ArrayList;
@@ -219,7 +220,7 @@ public class WebSession
 		course.loadCourses(webgoatContext, context, "/");
 	}
 
-	public static synchronized Connection getConnection(WebSession s) throws SQLException, ClassNotFoundException
+	public static synchronized Connection getConnection(WebSession s) throws SQLException
 	{
 		return DatabaseUtilities.getConnection(s);
 	}
@@ -727,6 +728,11 @@ public class WebSession
 		message.append("<BR>" + " * " + text);
 	}
 
+	public void setLineBreak(String text)
+	{
+		message.append("<BR><BR>" + text);
+	}
+
 	/**
 	 * Description of the Method
 	 * 
@@ -779,10 +785,11 @@ public class WebSession
 	 */
 	public String getUserName()
 	{
-		// System.out.println("Request: " + getRequest() );
+		HttpServletRequest request = getRequest();
-		// System.out.println("Principal: " + getRequest().getUserPrincipal() );
+		if (request == null) throw new RuntimeException("Could not find the ServletRequest in the web session");
-		// System.out.println("Name: " + getRequest().getUserPrincipal().getName( ) );
+		Principal principal = request.getUserPrincipal();
-		return getRequest().getUserPrincipal().getName();
+		if (principal == null) throw new RuntimeException("Could not find the Principal in the Servlet Request");
+		return principal.getName();
 	}
 
 	/**
@@ -888,6 +895,7 @@ public class WebSession
 					RandomLessonAdapter rla = (RandomLessonAdapter) al;
 					int stage = myParser.getIntParameter(STAGE) - 1;
 					String[] stages = rla.getStages();
+					if (stages == null) stages = new String[0];
 					if (stage >= 0 && stage < stages.length) rla.setStage(this, stages[stage]);
 				} catch (ParameterNotFoundException pnfe)
 				{
@@ -979,6 +987,11 @@ public class WebSession
 			SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
 			sla.getLessonTracker(this).setStage(1);
 		}
+		else if (al instanceof RandomLessonAdapter)
+		{
+			RandomLessonAdapter rla = (RandomLessonAdapter) al;
+			rla.setStage(this, rla.getStages()[0]);
+		}
 	}
 
 	/**