diff --git a/webgoat-container/src/main/resources/static/css/lesson.css b/webgoat-container/src/main/resources/static/css/lesson.css
deleted file mode 100644
index 06174eecd..000000000
--- a/webgoat-container/src/main/resources/static/css/lesson.css
+++ /dev/null
@@ -1,11 +0,0 @@
-body.page {color: #000000;font-family: Verdana, Tahoma, sans-serif;font-size: 8pt;}
-td {font-family: Verdana, Tahoma, sans-serif;font-size: 8pt; }
-tr {font-family: Verdana, Tahoma, sans-serif;}
-span {font-family: Verdana, Tahoma, sans-serif;}
-.f8-0 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
-.f8-1 {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;}
-.div_tree {padding-left:10px;overflow:visible;}
-.report_tree_link {width:100%;font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;margin-left:2px;padding-right:2px;margin-top:2px;border-spacing:0px;}
-.form_link {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;font-weight: bold;}
-.report_title {font-size: 8pt;font-family: Verdana, Tahoma, sans-serif;border: 1px solid #afafaf;background-color: #cfcfef;margin-top:3px;margin-bottom:3px;margin-left:1px;padding:3px;font-weight: bold;}
-.middle {vertical-align:middle;}
\ No newline at end of file
diff --git a/webgoat-container/src/main/resources/static/css/lessons.css b/webgoat-container/src/main/resources/static/css/lessons.css
new file mode 100644
index 000000000..7c13d819a
--- /dev/null
+++ b/webgoat-container/src/main/resources/static/css/lessons.css
@@ -0,0 +1,33 @@
+/* css for lessons */
+/* not efficient loading, but at least easier to maintain */
+
+.hidden-menu-item {
+ display:none;
+ visibility:hidden;
+}
+
+#ac-menu li {
+ list-style-type: none;
+ background-color: #aaa;
+ width: auto;
+ max-width: 20%;
+}
+
+#ac-menu li:hover {
+ color: white;
+ background-color: #333;
+}
+
+#ac-menu div {
+ margin-bottom: -60px;
+ margin-top: -10px;
+}
+
+#ac-menu h3 {
+ color:white;
+ background-color:#666;
+}
+
+#ac-menu-wrapper {
+ border-bottom: 2px solid #444;
+}
\ No newline at end of file
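Review bot: The negative margins in `#ac-menu div` (`margin-bottom: -60px; margin-top: -10px;`) cancel out some height set elsewhere, and nothing in this file says what; the header comment `/* not efficient loading, but at least easier to maintain */` does not cover it. A one-line comment above that rule naming the element whose height these two offsets compensate for would keep the next maintainer from re-deriving the numbers by trial and error. The new file also ends without a trailing newline, which most formatters and linters will flag on the next touch.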
diff --git a/webgoat-container/src/main/resources/templates/main_new.html b/webgoat-container/src/main/resources/templates/main_new.html
index e96256199..f00916bda 100644
--- a/webgoat-container/src/main/resources/templates/main_new.html
+++ b/webgoat-container/src/main/resources/templates/main_new.html
@@ -17,11 +17,13 @@
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
index aa27c4195..7e6532865 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
@@ -52,7 +52,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
AttackResult completed(@RequestParam Integer param1,
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
- UserSessionData userSessionData = getUserSessionData();
+ UserSessionData userSessionData = getUserSessionData();
SecureRandom number = new SecureRandom();
userSessionData.setValue("randValue",number.nextInt());
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java
index 9ff65eb5e..022abc883 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java
@@ -49,7 +49,9 @@ import org.owasp.encoder.*;
import static org.springframework.http.MediaType.ALL_VALUE;
import java.io.IOException;
+import java.util.ArrayList;
import java.util.Collection;
+import java.util.List;
import java.util.Map;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
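Review bot: The added `java.util.ArrayList` and `java.util.List` imports are not used by any new line visible in this diff; the new code in retrieveComments builds its result with `Lists.newArrayList()` and the raw `Collection` type. If nothing outside the shown hunks references them, drop both lines; otherwise the local in retrieveComments could be declared `List<Comment>` so the import has a reader. Parts of the file outside these hunks are not visible here, so this is a check rather than a certainty.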
@@ -65,6 +67,7 @@ public class StoredXssComments extends AssignmentEndpoint {
private static final EvictingQueue comments = EvictingQueue.create(100);
private static final String phoneHomeString = "";
+
static {
comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "Comment for Unit Testing"));
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
@@ -76,7 +79,11 @@ public class StoredXssComments extends AssignmentEndpoint {
@ResponseBody
public Collection retrieveComments() {
Collection allComments = Lists.newArrayList();
- // no filtering applied here at render
+ Collection newComments = userComments.get(webSession.getUserName());
+ if (newComments != null) {
+ allComments.addAll(newComments);
+ }
+
allComments.addAll(comments);
return allComments;
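Review bot: The removed line `// no filtering applied here at render` was the only marker that this endpoint returns stored comment text without output encoding, which is the behaviour the StoredXssComments lesson depends on, and the replacement lines that merge in the per-user comments do not restore it. Put it back above `allComments.addAll(comments);`, e.g. `// intentionally no output encoding at render time: this lesson demonstrates stored XSS`, so a later maintainer does not "fix" this path without realising it is the teaching point. The new `Collection newComments` is also a raw type; if `userComments` maps user names to `EvictingQueue<Comment>`, this can be `Collection<Comment> newComments = userComments.get(webSession.getUserName());` with `allComments` typed the same way. retrieveComments' closing brace lies outside the hunk.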
@@ -89,10 +96,10 @@ public class StoredXssComments extends AssignmentEndpoint {
Comment comment = parseJson(commentStr);
EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
- comments.add(comment);
comment.setDateTime(DateTime.now().toString(fmt));
comment.setUser(webSession.getUserName());
+ comments.add(comment);
userComments.put(webSession.getUserName(), comments);
if (comment.getText().contains(phoneHomeString)) {
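Review bot: `userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100))`, the line above the moved `comments.add(comment)`, allocates a fresh 100-slot queue on every request even when the user already has one, and the later `userComments.put(...)` exists only to cover the miss case; `EvictingQueue comments = userComments.computeIfAbsent(webSession.getUserName(), k -> EvictingQueue.create(100));` does both in one step, assuming `userComments` is a `java.util.Map` as `getOrDefault` suggests. Separately, with `phoneHomeString` declared as `""` earlier in this file, `comment.getText().contains(phoneHomeString)` on the last line is true for every comment, so whatever follows that `if` runs unconditionally; if the empty value is a placeholder for a later lesson step, a comment saying so next to the declaration would make that intent clear. The enclosing method starts and ends outside the hunk.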
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
index 4fae247b7..78e391b80 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -29,5 +29,6 @@ javascript:alert(document.cookie);
----
== Try It! Using Chrome or Firefox
-Type in `javascript:alert(document.cookie);` in the URL bar. *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
-Try it on a different tab (with WebGoat open in that tab).
+
+* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
+* Then, in the address bar on each tab, type `javascript:alert(document.cookie);` *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
index 16de62421..e0cf6f949 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
@@ -7,4 +7,4 @@ Why is that?
That is because there is no link that would tigger that XSS.
You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
-link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=4128+3214+0002+1999&field2=111
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=4128+3214+0002+1999&field2=111