XSS Lesson Modifications (#367)

* initial cut on XSS, need to add some tests still

* initial unit tests for assignment endpoints

* updating header comment license thingy

* comment, clean up

* Stubs for security unit test

* Additional Unit Testing

* isEncoded and isNotEncoded Unit Tests added

* http-proxies updates

* update for XXE solutions

* Work-around to handle special chars in action ... currently to be able to match {userId} in hint creation/assignment for IDOR

* IDOR hints updated

* mitigation content update

* mitigation content update ... 2

* Lesson Overview updates

* including restart lesson fix for lesson overview

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -8,5 +8,7 @@ xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
-
-#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
+xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
+xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
+xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
+xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).