Miscellaneous bug fixes

divide by zero, inaccurate discount and totals, reflection of user input


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_plans/HttpOnly.html

@@ -0,0 +1,25 @@
+<div align="Center">
+<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
+</div>
+<p><b>Concept / Topic To Teach:</b></p>
+<!-- Start Instructions -->
+To help mitigate the cross site scripting threat, Microsoft has
+introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
+set, then the browser should not allow client-side script to access the
+cookie. Since the attribute is relatively new, several browsers neglect
+to handle the new attribute properly.
+<p><b>General Goal(s):</b></p>
+The purpose of this lesson is to test whether your browser supports the
+HTTPOnly cookie flag. Note the value of the
+<strong>unique2u</strong>
+cookie. If your browser supports HTTPOnly, and you enable it for a
+cookie, client side code should NOT be able to read OR write to that
+cookie, but the browser can still send its value to the server. Some
+browsers only prevent client side read access, but don't prevent write
+access.
+<br />
+<br />
+With the HTTPOnly attribute turned on, type
+"javascript:alert(document.cookie)" in the browser address bar. Notice
+all cookies are displayed except the unique2u cookie.
+<!-- Stop Instructions -->