From b20f6492a3363a36207f86eb46b808c430bd4c10 Mon Sep 17 00:00:00 2001
From: avivmu <aviv.mu@gmail.com>
Date: Fri, 15 Jan 2021 15:36:04 +0200
Subject: [PATCH] Simplify regex (#927)

---
 .../webgoat/xss/CrossSiteScriptingLesson5a.java   | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
index 33a949f9e..6875d4d51 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java
@@ -30,11 +30,17 @@ import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
+
 
 @RestController
 @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
+    public static final Predicate<String> XSS_PATTERN = Pattern.compile(
+            ".*<script>(console\\.log|alert)\\(.*\\);?<\\/script>.*"
+            , Pattern.CASE_INSENSITIVE).asMatchPredicate();
     @Autowired
     UserSessionData userSessionData;
 
@@ -45,13 +51,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
                                   @RequestParam Integer QTY4, @RequestParam String field1,
                                   @RequestParam String field2) {
 
-        if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
+        if (XSS_PATTERN.test(field2)) {
             return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
         }
 
         double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
 
-        userSessionData.setValue("xss-reflected1-complete", (Object) "false");
+        userSessionData.setValue("xss-reflected1-complete", "false");
         StringBuffer cart = new StringBuffer();
         cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
         cart.append("<p>We have charged credit card:" + field1 + "<br />");
@@ -60,11 +66,10 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
         //init state
         if (userSessionData.getValue("xss-reflected1-complete") == null) {
-            userSessionData.setValue("xss-reflected1-complete", (Object) "false");
+            userSessionData.setValue("xss-reflected1-complete", "false");
         }
 
-        if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\);?|alert\\(.*\\));?<\\/script>")) {
-            //return )
+        if (XSS_PATTERN.test(field1)) {
             userSessionData.setValue("xss-reflected-5a-complete", "true");
             if (field1.toLowerCase().contains("console.log")) {
                 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();