XSS lesson updates

webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -1,10 +1,10 @@
-#StringSqlInjection.java
-StringSqlInjectionSecondStage=Now that you have successfully performed an SQL injection, try the same type of attack on a parameterized query.  Restart the lesson if you wish to return to the injectable query.
-EnterLastName=Enter your last name:
-NoResultsMatched=No results matched.  Try Again.
-SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
-SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
-SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
-SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
+# XSS success, failure messages and hints
+xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
+xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
+xss-reflected-5b-failure=Nope, pretty easy to guess now though.
+xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
+xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
+xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.