From f78d70a8e7d3add65cff94b24c0ba46c26ba326e Mon Sep 17 00:00:00 2001
From: "rogan.dawes"
Date: Thu, 10 Jan 2008 10:48:30 +0000
Subject: [PATCH] Only mark Stage 1 complete when someone else views the exploit

git-svn-id: http://webgoat.googlecode.com/svn/trunk@257 4033779f-a91e-0410-96ef-6bf7bf53c507
---
.../webgoat/lessons/CrossSiteScripting/ViewProfile.java | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java
index 0f4003972..c694b93ba 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java
@@ -213,10 +213,17 @@ public class ViewProfile extends DefaultLessonAction private void updateLessonStatus(WebSession s, Employee employee) { String stage = getStage(s); + int userId = -1; + try { + userId = getIntSessionAttribute(s, getLessonName() + "." + + CrossSiteScripting.USER_ID); + } catch (ParameterNotFoundException pnfe) { + } if (CrossSiteScripting.STAGE1.equals(stage)) { String address1 = employee.getAddress1().toLowerCase(); - if (address1.indexOf("") > -1) {