diff --git a/ webgoat/Exec.java b/ webgoat/Exec.java
new file mode 100644
index 000000000..abd43f3e7
--- /dev/null
+++ b/ webgoat/Exec.java
@@ -0,0 +1,508 @@
+package org.owasp.webgoat.util;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.BitSet;
+
+
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
+ * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
+ * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
+ * this software.
+ *
+ * @author Jeff Williams Aspect Security
+ * @created October 28, 2003
+ */
+public class Exec
+{
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @param input Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execInput( String command, String input )
+ {
+ return ( execOptions( command, input, 0, 0, false ) );
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execLazy( String command )
+ {
+ return ( execOptions( command, "", 0, 0, true ) );
+ }
+
+
+ /*
+ * Execute an OS command and capture the output in an ExecResults.
+ * All exceptions are caught and stored in the ExecResults.
+ * @param String command is the OS command to execute
+ * @param String input is piped into the OS command
+ * @param int successCode is the expected return code if the command completes successfully
+ * @param int timeout is the number of milliseconds to wait before interrupting the command
+ * @param boolean quit tells the method to exit when there is no more output waiting
+ */
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @param input Description of the Parameter
+ * @param successCode Description of the Parameter
+ * @param timeout Description of the Parameter
+ * @param lazy Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execOptions( String[] command, String input, int successCode, int timeout, boolean lazy )
+ {
+ Process child = null;
+ ByteArrayOutputStream output = new ByteArrayOutputStream();
+ ByteArrayOutputStream errors = new ByteArrayOutputStream();
+ ExecResults results = new ExecResults( command[0], input, successCode, timeout );
+ BitSet interrupted = new BitSet( 1 );
+ boolean lazyQuit = false;
+ ThreadWatcher watcher;
+
+ try
+ {
+ // start the command
+ child = Runtime.getRuntime().exec( command );
+
+ // get the streams in and out of the command
+ InputStream processIn = child.getInputStream();
+ InputStream processError = child.getErrorStream();
+ OutputStream processOut = child.getOutputStream();
+
+ // start the clock running
+ if ( timeout > 0 )
+ {
+ watcher = new ThreadWatcher( child, interrupted, timeout );
+ new Thread( watcher ).start();
+ }
+
+ // Write to the child process' input stream
+ if ( ( input != null ) && !input.equals( "" ) )
+ {
+ try
+ {
+ processOut.write( input.getBytes() );
+ processOut.flush();
+ processOut.close();
+ }
+ catch ( IOException e1 )
+ {
+ results.setThrowable( e1 );
+ }
+ }
+
+ // Read from the child process' output stream
+ // The process may get killed by the watcher at any time
+ int c = 0;
+
+ try
+ {
+ while ( true )
+ {
+ if ( interrupted.get( 0 ) || lazyQuit )
+ {
+ break;
+ }
+
+ // interrupted
+ c = processIn.read();
+
+ if ( c == -1 )
+ {
+ break;
+ }
+
+ // end of stream
+ output.write( c );
+
+ if ( lazy && ( processIn.available() < 1 ) )
+ {
+ lazyQuit = true;
+ }
+
+ // if lazy and nothing then quit (after at least one read)
+ }
+
+ processIn.close();
+ }
+ catch ( IOException e2 )
+ {
+ results.setThrowable( e2 );
+ }
+ finally
+ {
+ if ( interrupted.get( 0 ) )
+ {
+ results.setInterrupted();
+ }
+
+ results.setOutput( output.toString() );
+ }
+
+ // Read from the child process' error stream
+ // The process may get killed by the watcher at any time
+ try
+ {
+ while ( true )
+ {
+ if ( interrupted.get( 0 ) || lazyQuit )
+ {
+ break;
+ }
+
+ // interrupted
+ c = processError.read();
+
+ if ( c == -1 )
+ {
+ break;
+ }
+
+ // end of stream
+ output.write( c );
+
+ if ( lazy && ( processError.available() < 1 ) )
+ {
+ lazyQuit = true;
+ }
+
+ // if lazy and nothing then quit (after at least one read)
+ }
+
+ processError.close();
+ }
+ catch ( IOException e3 )
+ {
+ results.setThrowable( e3 );
+ }
+ finally
+ {
+ if ( interrupted.get( 0 ) )
+ {
+ results.setInterrupted();
+ }
+
+ results.setErrors( errors.toString() );
+ }
+
+ // wait for the return value of the child process.
+ if ( !interrupted.get( 0 ) && !lazyQuit )
+ {
+ int returnCode = child.waitFor();
+ results.setReturnCode( returnCode );
+
+ if ( returnCode != successCode )
+ {
+ results.setError( ExecResults.BADRETURNCODE );
+ }
+ }
+ }
+ catch ( InterruptedException i )
+ {
+ results.setInterrupted();
+ }
+ catch ( Throwable t )
+ {
+ results.setThrowable( t );
+ }
+ finally
+ {
+ if ( child != null )
+ {
+ child.destroy();
+ }
+ }
+
+ return ( results );
+ }
+
+
+ /*
+ * Execute an OS command and capture the output in an ExecResults.
+ * All exceptions are caught and stored in the ExecResults.
+ * @param String command is the OS command to execute
+ * @param String input is piped into the OS command
+ * @param int successCode is the expected return code if the command completes successfully
+ * @param int timeout is the number of milliseconds to wait before interrupting the command
+ * @param boolean quit tells the method to exit when there is no more output waiting
+ */
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @param input Description of the Parameter
+ * @param successCode Description of the Parameter
+ * @param timeout Description of the Parameter
+ * @param lazy Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execOptions( String command, String input, int successCode, int timeout, boolean lazy )
+ {
+ Process child = null;
+ ByteArrayOutputStream output = new ByteArrayOutputStream();
+ ByteArrayOutputStream errors = new ByteArrayOutputStream();
+ ExecResults results = new ExecResults( command, input, successCode, timeout );
+ BitSet interrupted = new BitSet( 1 );
+ boolean lazyQuit = false;
+ ThreadWatcher watcher;
+
+ try
+ {
+ // start the command
+ child = Runtime.getRuntime().exec( command );
+
+ // get the streams in and out of the command
+ InputStream processIn = child.getInputStream();
+ InputStream processError = child.getErrorStream();
+ OutputStream processOut = child.getOutputStream();
+
+ // start the clock running
+ if ( timeout > 0 )
+ {
+ watcher = new ThreadWatcher( child, interrupted, timeout );
+ new Thread( watcher ).start();
+ }
+
+ // Write to the child process' input stream
+ if ( ( input != null ) && !input.equals( "" ) )
+ {
+ try
+ {
+ processOut.write( input.getBytes() );
+ processOut.flush();
+ processOut.close();
+ }
+ catch ( IOException e1 )
+ {
+ results.setThrowable( e1 );
+ }
+ }
+
+ // Read from the child process' output stream
+ // The process may get killed by the watcher at any time
+ int c = 0;
+
+ try
+ {
+ while ( true )
+ {
+ if ( interrupted.get( 0 ) || lazyQuit )
+ {
+ break;
+ }
+
+ // interrupted
+ c = processIn.read();
+
+ if ( c == -1 )
+ {
+ break;
+ }
+
+ // end of stream
+ output.write( c );
+
+ if ( lazy && ( processIn.available() < 1 ) )
+ {
+ lazyQuit = true;
+ }
+
+ // if lazy and nothing then quit (after at least one read)
+ }
+
+ processIn.close();
+ }
+ catch ( IOException e2 )
+ {
+ results.setThrowable( e2 );
+ }
+ finally
+ {
+ if ( interrupted.get( 0 ) )
+ {
+ results.setInterrupted();
+ }
+
+ results.setOutput( output.toString() );
+ }
+
+ // Read from the child process' error stream
+ // The process may get killed by the watcher at any time
+ try
+ {
+ while ( true )
+ {
+ if ( interrupted.get( 0 ) || lazyQuit )
+ {
+ break;
+ }
+
+ // interrupted
+ c = processError.read();
+
+ if ( c == -1 )
+ {
+ break;
+ }
+
+ // end of stream
+ output.write( c );
+
+ if ( lazy && ( processError.available() < 1 ) )
+ {
+ lazyQuit = true;
+ }
+
+ // if lazy and nothing then quit (after at least one read)
+ }
+
+ processError.close();
+ }
+ catch ( IOException e3 )
+ {
+ results.setThrowable( e3 );
+ }
+ finally
+ {
+ if ( interrupted.get( 0 ) )
+ {
+ results.setInterrupted();
+ }
+
+ results.setErrors( errors.toString() );
+ }
+
+ // wait for the return value of the child process.
+ if ( !interrupted.get( 0 ) && !lazyQuit )
+ {
+ int returnCode = child.waitFor();
+ results.setReturnCode( returnCode );
+
+ if ( returnCode != successCode )
+ {
+ results.setError( ExecResults.BADRETURNCODE );
+ }
+ }
+ }
+ catch ( InterruptedException i )
+ {
+ results.setInterrupted();
+ }
+ catch ( Throwable t )
+ {
+ results.setThrowable( t );
+ }
+ finally
+ {
+ if ( child != null )
+ {
+ child.destroy();
+ }
+ }
+
+ return ( results );
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execSimple( String[] command )
+ {
+ return ( execOptions( command, "", 0, 0, false ) );
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execSimple( String command )
+ {
+ return ( execOptions( command, "", 0, 0, false ) );
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @param args Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execSimple( String command, String args )
+ {
+ return ( execOptions( command, args, 0, 0, false ) );
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ * @param command Description of the Parameter
+ * @param timeout Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static ExecResults execTimeout( String command, int timeout )
+ {
+ return ( execOptions( command, "", 0, timeout, false ) );
+ }
+
+
+ /**
+ * The main program for the Exec class
+ *
+ * @param args The command line arguments
+ */
+ public static void main( String[] args )
+ {
+ ExecResults results;
+ String sep = System.getProperty( "line.separator" );
+ System.out.println( "-------------------------------------------" + sep + "TEST 1: execSimple" );
+ results = Exec.execSimple( "c:/swarm-2.1.1/bin/whoami.exe" );
+ System.out.println( results );
+ System.out.println( "-------------------------------------------" + sep + "TEST 2: execSimple (with search)" );
+ results = Exec.execSimple( "netstat -r" );
+ System.out.println( results );
+
+ if ( results.outputContains( "localhost:1031" ) )
+ {
+ System.out.println( "ERROR: listening on 1031" );
+ }
+
+ System.out.println( "-------------------------------------------" + sep + "TEST 3: execInput" );
+ results = Exec.execInput( "find \"cde\"", "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2" );
+ System.out.println( results );
+ System.out.println( "-------------------------------------------" + sep + "TEST 4:execTimeout" );
+ results = Exec.execTimeout( "ping -t 127.0.0.1", 5 * 1000 );
+ System.out.println( results );
+ System.out.println( "-------------------------------------------" + sep + "TEST 5:execLazy" );
+ results = Exec.execLazy( "ping -t 127.0.0.1" );
+ System.out.println( results );
+ System.out.println( "-------------------------------------------" + sep + "TEST 6:ExecTimeout process never outputs" );
+ results = Exec.execTimeout( "c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000 );
+ System.out.println( results );
+ System.out.println( "-------------------------------------------" + sep + "TEST 7:ExecTimeout process waits for input" );
+ results = Exec.execTimeout( "c:/swarm-2.1.1/bin/cat", 5 * 1000 );
+ System.out.println( results );
+ }
+}
+
diff --git a/ webgoat/ExecResults.java b/ webgoat/ExecResults.java
new file mode 100644
index 000000000..eb8fb2fa1
--- /dev/null
+++ b/ webgoat/ExecResults.java
@@ -0,0 +1,320 @@
+package org.owasp.webgoat.util;
+
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of
+ * the Open Web Application Security Project (http://www.owasp.org) This
+ * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
+ * accept the LICENSE before you use, modify and/or redistribute this software.
+ *
+ * @author Jeff Williams Aspect Security
+ */
+public class ExecResults
+{
+ /**
+ * Description of the Field
+ */
+ public final static int BADRETURNCODE = 2;
+
+ /**
+ * Description of the Field
+ */
+ public final static int THROWABLE = 1;
+ private String myCommand;
+ private boolean myError = false;
+ private int myErrorType = 0;
+ private String myErrors = null;
+ private String myInput;
+ private boolean myInterrupted = false;
+ private String myOutput = null;
+ private int myReturnCode = 0;
+ private int mySuccessCode;
+ private Throwable myThrowable = null;
+ private int myTimeout;
+
+ /**
+ * Constructor for the ExecResults object
+ *
+ *@param command Description of the Parameter
+ *@param input Description of the Parameter
+ *@param successCode Description of the Parameter
+ *@param timeout Description of the Parameter
+ */
+ public ExecResults(String command, String input, int successCode, int timeout)
+ {
+ myCommand = command.trim();
+ myInput = input.trim();
+ mySuccessCode = successCode;
+ myTimeout = timeout;
+ }
+
+ /**
+ * Description of the Method
+ *
+ *@param haystack Description of the Parameter
+ *@param needle Description of the Parameter
+ *@param fromIndex Description of the Parameter
+ *@return Description of the Return Value
+ */
+ private boolean contains(String haystack, String needle, int fromIndex)
+ {
+ return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1);
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ *@param value Description of the Parameter
+ *@return Description of the Return Value
+ */
+ public boolean errorsContains(String value)
+ {
+ return (errorsContains(value, 0));
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ *@param value Description of the Parameter
+ *@param fromIndex Description of the Parameter
+ *@return Description of the Return Value
+ */
+ public boolean errorsContains(String value, int fromIndex)
+ {
+ return (contains(myErrors, value, fromIndex));
+ }
+
+
+ /**
+ * Gets the error attribute of the ExecResults object
+ *
+ *@return The error value
+ */
+ public boolean getError()
+ {
+ return (myError);
+ }
+
+
+ /**
+ * Gets the errorMessage attribute of the ExecResults object
+ *
+ *@return The errorMessage value
+ */
+ public String getErrorMessage()
+ {
+ switch (getErrorType())
+ {
+ case THROWABLE:
+ return ("Exception: " + myThrowable.getMessage());
+
+ case BADRETURNCODE:
+ return ("Bad return code (expected " + mySuccessCode + ")");
+
+ default:
+ return ("Unknown error");
+ }
+ }
+
+
+ /**
+ * Gets the errorType attribute of the ExecResults object
+ *
+ *@return The errorType value
+ */
+ public int getErrorType()
+ {
+ return (myErrorType);
+ }
+
+
+ /**
+ * Gets the errors attribute of the ExecResults object
+ *
+ *@return The errors value
+ */
+ public String getErrors()
+ {
+ return (myErrors);
+ }
+
+
+ /**
+ * Gets the interrupted attribute of the ExecResults object
+ *
+ *@return The interrupted value
+ */
+ public boolean getInterrupted()
+ {
+ return (myInterrupted);
+ }
+
+
+ /**
+ * Gets the output attribute of the ExecResults object
+ *
+ *@return The output value
+ */
+ public String getOutput()
+ {
+ return (myOutput);
+ }
+
+
+ /**
+ * Gets the returnCode attribute of the ExecResults object
+ *
+ *@return The returnCode value
+ */
+ public int getReturnCode()
+ {
+ return (myReturnCode);
+ }
+
+
+ /**
+ * Gets the throwable attribute of the ExecResults object
+ *
+ *@return The throwable value
+ */
+ public Throwable getThrowable()
+ {
+ return (myThrowable);
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ *@param value Description of the Parameter
+ *@return Description of the Return Value
+ */
+ public boolean outputContains(String value)
+ {
+ return (outputContains(value, 0));
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ *@param value Description of the Parameter
+ *@param fromIndex Description of the Parameter
+ *@return Description of the Return Value
+ */
+ public boolean outputContains(String value, int fromIndex)
+ {
+ return (contains(myOutput, value, fromIndex));
+ }
+
+
+ /**
+ * Sets the error attribute of the ExecResults object
+ *
+ *@param value The new error value
+ */
+ public void setError(int value)
+ {
+ myError = true;
+ myErrorType = value;
+ }
+
+
+ /**
+ * Sets the errors attribute of the ExecResults object
+ *
+ *@param errors The new errors value
+ */
+ public void setErrors(String errors)
+ {
+ myErrors = errors.trim();
+ }
+
+
+ /**
+ * Sets the interrupted attribute of the ExecResults object
+ */
+ public void setInterrupted()
+ {
+ myInterrupted = true;
+ }
+
+
+ /**
+ * Sets the output attribute of the ExecResults object
+ *
+ *@param value The new output value
+ */
+ public void setOutput(String value)
+ {
+ myOutput = value.trim();
+ }
+
+
+ /**
+ * Sets the returnCode attribute of the ExecResults object
+ *
+ *@param value The new returnCode value
+ */
+ public void setReturnCode(int value)
+ {
+ myReturnCode = value;
+ }
+
+
+ /**
+ * Sets the throwable attribute of the ExecResults object
+ *
+ *@param value The new throwable value
+ */
+ public void setThrowable(Throwable value)
+ {
+ setError(THROWABLE);
+ myThrowable = value;
+ }
+
+
+ /**
+ * Description of the Method
+ *
+ *@return Description of the Return Value
+ */
+ public String toString()
+ {
+ String sep = System.getProperty("line.separator");
+ StringBuffer value = new StringBuffer();
+ value.append("ExecResults for \'" + myCommand + "\'" + sep);
+
+ if ((myInput != null) && !myInput.equals(""))
+ {
+ value.append(sep + "Input..." + sep + myInput + sep);
+ }
+
+ if ((myOutput != null) && !myOutput.equals(""))
+ {
+ value.append(sep + "Output..." + sep + myOutput + sep);
+ }
+
+ if ((myErrors != null) && !myErrors.equals(""))
+ {
+ value.append(sep + "Errors..." + sep + myErrors + sep);
+ }
+
+ value.append(sep);
+
+ if (myInterrupted)
+ {
+ value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep);
+ }
+
+ value.append("Returncode: " + myReturnCode + sep);
+
+ if (myError)
+ {
+ value.append(getErrorMessage() + sep);
+ }
+
+ return (value.toString());
+ }
+}
diff --git a/ webgoat/ExecutionException.java b/ webgoat/ExecutionException.java
new file mode 100644
index 000000000..e01c00f31
--- /dev/null
+++ b/ webgoat/ExecutionException.java
@@ -0,0 +1,31 @@
+package org.owasp.webgoat.util;
+
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of
+ * the Open Web Application Security Project (http://www.owasp.org) This
+ * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
+ * accept the LICENSE before you use, modify and/or redistribute this software.
+ *
+ * @author Jeff Williams Aspect Security
+ */
+public class ExecutionException extends Exception
+{
+ /**
+ * Constructor for the ExecutionException object
+ */
+ public ExecutionException()
+ {
+ super();
+ }
+
+
+ /**
+ * Constructor for the ExecutionException object
+ *
+ *@param msg Description of the Parameter
+ */
+ public ExecutionException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/ webgoat/HtmlEncoder.java b/ webgoat/HtmlEncoder.java
new file mode 100644
index 000000000..09401378a
--- /dev/null
+++ b/ webgoat/HtmlEncoder.java
@@ -0,0 +1,195 @@
+package org.owasp.webgoat.util;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class HtmlEncoder
+{
+ static Map e2i = new HashMap();
+ static Map i2e = new HashMap();
+
+ // html entity list
+ private static Object[][] entities =
+ {
+ {"quot", new Integer( 34 )}, // " - double-quote
+ {"amp", new Integer( 38 )}, // & - ampersand
+ {"lt", new Integer( 60 )}, // < - less-than
+ {"gt", new Integer( 62 )}, // > - greater-than
+ {"nbsp", new Integer( 160 )}, // non-breaking space
+ {"copy", new Integer( 169 )}, // © - copyright
+ {"reg", new Integer( 174 )}, // ® - registered trademark
+ {"Agrave", new Integer( 192 )}, // À - uppercase A, grave accent
+ {"Aacute", new Integer( 193 )}, // Á - uppercase A, acute accent
+ {"Acirc", new Integer( 194 )}, // Â - uppercase A, circumflex accent
+ {"Atilde", new Integer( 195 )}, // Ã - uppercase A, tilde
+ {"Auml", new Integer( 196 )}, // Ä - uppercase A, umlaut
+ {"Aring", new Integer( 197 )}, // Å - uppercase A, ring
+ {"AElig", new Integer( 198 )}, // Æ - uppercase AE
+ {"Ccedil", new Integer( 199 )}, // Ç - uppercase C, cedilla
+ {"Egrave", new Integer( 200 )}, // È - uppercase E, grave accent
+ {"Eacute", new Integer( 201 )}, // É - uppercase E, acute accent
+ {"Ecirc", new Integer( 202 )}, // Ê - uppercase E, circumflex accent
+ {"Euml", new Integer( 203 )}, // Ë - uppercase E, umlaut
+ {"Igrave", new Integer( 204 )}, // Ì - uppercase I, grave accent
+ {"Iacute", new Integer( 205 )}, // Í - uppercase I, acute accent
+ {"Icirc", new Integer( 206 )}, // Î - uppercase I, circumflex accent
+ {"Iuml", new Integer( 207 )}, // Ï - uppercase I, umlaut
+ {"ETH", new Integer( 208 )}, // Ð - uppercase Eth, Icelandic
+ {"Ntilde", new Integer( 209 )}, // Ñ - uppercase N, tilde
+ {"Ograve", new Integer( 210 )}, // Ò - uppercase O, grave accent
+ {"Oacute", new Integer( 211 )}, // Ó - uppercase O, acute accent
+ {"Ocirc", new Integer( 212 )}, // Ô - uppercase O, circumflex accent
+ {"Otilde", new Integer( 213 )}, // Õ - uppercase O, tilde
+ {"Ouml", new Integer( 214 )}, // Ö - uppercase O, umlaut
+ {"Oslash", new Integer( 216 )}, // Ø - uppercase O, slash
+ {"Ugrave", new Integer( 217 )}, // Ù - uppercase U, grave accent
+ {"Uacute", new Integer( 218 )}, // Ú - uppercase U, acute accent
+ {"Ucirc", new Integer( 219 )}, // Û - uppercase U, circumflex accent
+ {"Uuml", new Integer( 220 )}, // Ü - uppercase U, umlaut
+ {"Yacute", new Integer( 221 )}, // Ý - uppercase Y, acute accent
+ {"THORN", new Integer( 222 )}, // Þ - uppercase THORN, Icelandic
+ {"szlig", new Integer( 223 )}, // ß - lowercase sharps, German
+ {"agrave", new Integer( 224 )}, // à - lowercase a, grave accent
+ {"aacute", new Integer( 225 )}, // á - lowercase a, acute accent
+ {"acirc", new Integer( 226 )}, // â - lowercase a, circumflex accent
+ {"atilde", new Integer( 227 )}, // ã - lowercase a, tilde
+ {"auml", new Integer( 228 )}, // ä - lowercase a, umlaut
+ {"aring", new Integer( 229 )}, // å - lowercase a, ring
+ {"aelig", new Integer( 230 )}, // æ - lowercase ae
+ {"ccedil", new Integer( 231 )}, // ç - lowercase c, cedilla
+ {"egrave", new Integer( 232 )}, // è - lowercase e, grave accent
+ {"eacute", new Integer( 233 )}, // é - lowercase e, acute accent
+ {"ecirc", new Integer( 234 )}, // ê - lowercase e, circumflex accent
+ {"euml", new Integer( 235 )}, // ë - lowercase e, umlaut
+ {"igrave", new Integer( 236 )}, // ì - lowercase i, grave accent
+ {"iacute", new Integer( 237 )}, // í - lowercase i, acute accent
+ {"icirc", new Integer( 238 )}, // î - lowercase i, circumflex accent
+ {"iuml", new Integer( 239 )}, // ï - lowercase i, umlaut
+ {"igrave", new Integer( 236 )}, // ì - lowercase i, grave accent
+ {"iacute", new Integer( 237 )}, // í - lowercase i, acute accent
+ {"icirc", new Integer( 238 )}, // î - lowercase i, circumflex accent
+ {"iuml", new Integer( 239 )}, // ï - lowercase i, umlaut
+ {"eth", new Integer( 240 )}, // ð - lowercase eth, Icelandic
+ {"ntilde", new Integer( 241 )}, // ñ - lowercase n, tilde
+ {"ograve", new Integer( 242 )}, // ò - lowercase o, grave accent
+ {"oacute", new Integer( 243 )}, // ó - lowercase o, acute accent
+ {"ocirc", new Integer( 244 )}, // ô - lowercase o, circumflex accent
+ {"otilde", new Integer( 245 )}, // õ - lowercase o, tilde
+ {"ouml", new Integer( 246 )}, // ö - lowercase o, umlaut
+ {"oslash", new Integer( 248 )}, // ø - lowercase o, slash
+ {"ugrave", new Integer( 249 )}, // ù - lowercase u, grave accent
+ {"uacute", new Integer( 250 )}, // ú - lowercase u, acute accent
+ {"ucirc", new Integer( 251 )}, // û - lowercase u, circumflex accent
+ {"uuml", new Integer( 252 )}, // ü - lowercase u, umlaut
+ {"yacute", new Integer( 253 )}, // ý - lowercase y, acute accent
+ {"thorn", new Integer( 254 )}, // þ - lowercase thorn, Icelandic
+ {"yuml", new Integer( 255 )}, // ÿ - lowercase y, umlaut
+ {"euro", new Integer( 8364 )},// Euro symbol
+ };
+
+
+ public HtmlEncoder()
+ {
+ for(int i=0; i
+ *
+ * e.g. "bread" & "butter" => "bread" &
+ * "butter" . Update: supports nearly all HTML entities, including funky
+ * accents. See the source code for more detail. Adapted from
+ * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
+ *
+ * @param s1 Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static String encode( String s1 )
+ {
+ StringBuffer buf = new StringBuffer();
+
+ int i;
+ for ( i = 0; i < s1.length(); ++i )
+ {
+ char ch = s1.charAt( i );
+
+ String entity = (String) i2e.get( new Integer( (int) ch ) );
+
+ if ( entity == null )
+ {
+ if ( ( (int) ch ) > 128 )
+ {
+ buf.append( "&#" + ( (int) ch ) + ";" );
+ }
+ else
+ {
+ buf.append( ch );
+ }
+ }
+ else
+ {
+ buf.append( "&" + entity + ";" );
+ }
+ }
+
+ return buf.toString();
+ }
+
+
+ /**
+ * Given a string containing entity escapes, returns a string containing the actual Unicode
+ * characters corresponding to the escapes. Adapted from
+ * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
+ *
+ * @param s1 Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static String decode( String s1 )
+ {
+ StringBuffer buf = new StringBuffer();
+
+ int i;
+ for ( i = 0; i < s1.length(); ++i )
+ {
+ char ch = s1.charAt( i );
+
+ if ( ch == '&' )
+ {
+ int semi = s1.indexOf( ';', i + 1 );
+ if ( semi == -1 )
+ {
+ buf.append( ch );
+ continue;
+ }
+ String entity = s1.substring( i + 1, semi );
+ Integer iso;
+ if ( entity.charAt( 0 ) == '#' )
+ {
+ iso = new Integer( entity.substring( 1 ) );
+ }
+ else
+ {
+ iso = (Integer) e2i.get( entity );
+ }
+ if ( iso == null )
+ {
+ buf.append( "&" + entity + ";" );
+ }
+ else
+ {
+ buf.append( (char) ( iso.intValue() ) );
+ }
+ i = semi;
+ }
+ else
+ {
+ buf.append( ch );
+ }
+ }
+
+ return buf.toString();
+ }
+}
diff --git a/ webgoat/ThreadWatcher.java b/ webgoat/ThreadWatcher.java
new file mode 100644
index 000000000..3a5b46b64
--- /dev/null
+++ b/ webgoat/ThreadWatcher.java
@@ -0,0 +1,90 @@
+package org.owasp.webgoat.util;
+
+import java.util.BitSet;
+
+
+/**
+ * Copyright (c) 2002 Free Software Foundation developed under the custody of
+ * the Open Web Application Security Project (http://www.owasp.org) This
+ * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
+ * accept the LICENSE before you use, modify and/or redistribute this software.
+ *
+ *@author jwilliams@aspectsecurity.com
+ *@created November 6, 2002
+ */
+public class ThreadWatcher implements Runnable
+{
+ // time to live in milliseconds
+ private BitSet myInterrupted;
+ private Process myProcess;
+ private int myTimeout;
+
+ /**
+ * Constructor for the ThreadWatcher object
+ *
+ *@param p Description of the Parameter
+ *@param interrupted Description of the Parameter
+ *@param timeout Description of the Parameter
+ */
+ public ThreadWatcher(Process p, BitSet interrupted, int timeout)
+ {
+ myProcess = p;
+
+ // thread used by whoever constructed this watcher
+ myTimeout = timeout;
+ myInterrupted = interrupted;
+ }
+
+ /*
+ * Interrupt the thread by marking the interrupted bit and killing the process
+ */
+
+ /**
+ * Description of the Method
+ */
+ public void interrupt()
+ {
+ myInterrupted.set(0);
+
+ // set interrupted bit (bit 0 of the bitset) to 1
+ myProcess.destroy();
+
+ /*
+ * try
+ * {
+ * myProcess.getInputStream().close();
+ * }
+ * catch( IOException e1 )
+ * {
+ * / do nothing -- input streams are probably already closed
+ * }
+ * try
+ * {
+ * myProcess.getErrorStream().close();
+ * }
+ * catch( IOException e2 )
+ * {
+ * / do nothing -- input streams are probably already closed
+ * }
+ * myThread.interrupt();
+ */
+ }
+
+
+ /**
+ * Main processing method for the ThreadWatcher object
+ */
+ public void run()
+ {
+ try
+ {
+ Thread.sleep(myTimeout);
+ }
+ catch (InterruptedException e)
+ {
+ // do nothing -- if watcher is interrupted, so is thread
+ }
+
+ interrupt();
+ }
+}