<%@ page language="java" contentType="text/html; charset=ISO-8859-1" import="java.util.regex.*" import="org.owasp.webgoat.lessons.DangerousEval"
    pageEncoding="ISO-8859-1"%>
<%
String action = request.getParameter("action");
String field1 = request.getParameter("field1");
String field2 = request.getParameter("field2");
String regex1 = "^[0-9]{3}$";// any three digits
Pattern pattern1 = Pattern.compile(regex1);

if(action == null) action = "Purchase";
if(field1 == null) field1 = "123";
if(field2 == null) field2 = "-1";

/** For security reasons, we remove all '<' and '>' characters to prevent XSS **/
field1.replaceAll("<", "");
field1.replaceAll(">", "");
field2.replaceAll("<", "");
field2.replaceAll(">", "");

if("Purchase".equals(action))
{
	if(!pattern1.matcher(field1).matches())
	{
		/** If they supplied the right attack, pass them **/
		if(field1.indexOf("');") != -1 && field1.indexOf("alert") != -1 && field1.indexOf("document.cookie") != -1)
		{
			session.setAttribute(DangerousEval.PASSED, "true");
		}
		
		out.write("alert('Whoops: You entered an incorrect access code of \"" + field1 + "\"');");
	}
	else
	{
		out.write("alert('Purchase completed successfully with credit card \"" + field2 + "\" and access code \"" + field1 + "\"');");
	}
}
%>