diff --git a/pom.xml b/pom.xml
index cbdc5450f..419a69801 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,6 +15,5 @@
+ *
* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *
* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *
* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *
* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *
* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *
* Getting Source ============== - * + *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. - * + *
* For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat
@@ -69,25 +73,21 @@ public abstract class LessonAdapter extends AbstractLesson { ec.addElement(new P()); ec .addElement(new StringElement( - "Lesson are simple to create and very little coding is required. " + "Lesson are simple to create and very little coding is required. " + "In fact, most lessons can be created by following the easy to use instructions in the " + "WebGoat User Guide. " + "If you would prefer, send your lesson ideas to " + getWebgoatContext().getFeedbackAddressHTML())); - String fileName = s.getContext().getRealPath("WEB-INF/classes/New Lesson Instructions.txt"); - if (fileName != null) { - try { + try (InputStream is = Thread.currentThread().getContextClassLoader() + .getResourceAsStream("New Lesson Instructions.txt")) { + if (is != null) { PRE pre = new PRE(); - BufferedReader in = new BufferedReader(new FileReader(fileName)); - String line = null; - while ((line = in.readLine()) != null) { - pre.addElement(line + "\n"); - } + pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is))); ec.addElement(pre); - } catch (Exception e) { - e.printStackTrace(); } + } catch (IOException e) { + e.printStackTrace(); } return (ec); }
@@ -140,9 +140,9 @@ public abstract class LessonAdapter extends AbstractLesson {
/**
* Gets the credits attribute of the AbstractLesson object
*
- * @deprecated Credits are in the about page. This method s no
- * longer called from WebGoat
* @return The credits value
+ * @deprecated Credits are in the about page. This method s no
+ * longer called from WebGoat
*/
public Element getCredits() {
return new StringElement();
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
index a9b2121c1..b7e27b7c3 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
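Review bot: `IOUtils.readLines(is)` in the new try-with-resources block decodes the bundled instructions file with the JVM's default charset, so the text placed in the PRE element depends on the runtime `file.encoding` rather than on how the resource was saved; pass it explicitly, `pre.addElement(Joiner.on("\n").join(IOUtils.readLines(is, StandardCharsets.UTF_8)));` (with the matching `java.nio.charset.StandardCharsets` import). The removed `FileReader` had the same defect, so this is carried over rather than introduced. Note also that the old loop appended `"\n"` after every line while `Joiner.on("\n")` emits no trailing newline, a small rendering difference worth confirming is acceptable. The `e.printStackTrace()` kept in the new catch still drops the failure to stderr; routing it through the class's logger, if it has one, would make a missing or unreadable resource visible in the application log. The enclosing method starts outside the hunk.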
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
@@ -16,9 +16,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import static java.nio.file.StandardOpenOption.APPEND; -import static java.nio.file.StandardOpenOption.CREATE; -import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING; import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith; import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName; import static org.owasp.webgoat.plugins.PluginFileUtils.replaceInFiles;
@@ -94,7 +91,7 @@ public class Plugin {
Path propertiesPath = createPropertiesDirectory();
LabelProvider.updatePluginResources(propertiesPath);
PluginFileUtils.createDirsIfNotExists(file.getParent());
- Files.write(propertiesPath.resolve(file.getFileName()), lines, CREATE, (reload ? APPEND : TRUNCATE_EXISTING));
+ Files.write(propertiesPath.resolve(file.getFileName()), lines);
} catch (IOException io) {
throw new PluginLoadingFailure("Property file detected, but unable to copy the properties", io);
}
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
index ae3eaa8c9..daf2e922d 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
@@ -30,9 +30,7 @@ */ package org.owasp.webgoat.service; -import javax.servlet.http.HttpSession; -import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP; -import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; +import org.apache.commons.lang3.StringEscapeUtils; import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession;
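Review bot: The new `Files.write(propertiesPath.resolve(file.getFileName()), lines)` silently changes reload behaviour: without explicit options `Files.write(Path, Iterable)` opens with CREATE, TRUNCATE_EXISTING and WRITE, so the properties file is rewritten in full on every call, whereas the removed line appended when `reload` was true. If overwriting is the intent, the `reload` flag presumably no longer influences this method and should be checked for dead reads elsewhere; if not, the option list needs to come back. Either way a comment on the call would stop the next reader from re-adding the options by reflex, e.g. `// default options are CREATE|TRUNCATE_EXISTING|WRITE: the file is replaced in full, also on reload`. The enclosing method starts and ends outside the hunk.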
@@ -40,6 +38,11 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; +import javax.servlet.http.HttpSession; + +import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP; +import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP; + /** * * @author rlawson
@@ -61,10 +64,7 @@ public class SourceService extends BaseService { if (source == null) { source = "No source listing found"; } - return source; - //SourceListing sl = new SourceListing(); - //sl.setSource(source); - //return sl; + return StringEscapeUtils.escapeHtml4(source); } /**
diff --git a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp
index cf00d7d8b..93ca8ba56 100644
--- a/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp
+++ b/webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp
@@ -37,7 +37,8 @@ - + +
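Review bot: The contract change at `return StringEscapeUtils.escapeHtml4(source);` — the service now hands back HTML-escaped text instead of raw source — is not documented anywhere in the hunk; the method's Javadoc (outside the hunk) should state it, because a caller or JSP that escapes the response a second time will render `&amp;lt;`-style artifacts, and any caller that relied on raw source will see altered content. It is also worth recording in that Javadoc that `escapeHtml4` encodes `<`, `>`, `&` and `"` but leaves the apostrophe alone, so the result is safe as an HTML text node or inside a double-quoted attribute only; a single-quoted attribute or a script block still needs its own context-specific encoding. The fallback `"No source listing found"` is passed through the escaper as well, which is harmless. The enclosing method starts outside the hunk.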