dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
af66f4ff002eaab0a1aa09befb42c3e5667c1e66
WebGoat/ webgoat/main/project/WebContent/lessons/CrossSiteScripting/ListStaff.jsp
mayhew64 98949c00d8 Moved remotely 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@15 4033779f-a91e-0410-96ef-6bf7bf53c507
2006-09-30 13:41:26 +00:00

55 lines
2.1 KiB
Plaintext
Raw Blame History

<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.CrossSiteScripting.*"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
int myUserId = webSession.getUserIdInLesson();
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
<br>
<br>
<br>
<p>Select from the list below </p>
<form id="form1" name="form1" method="post" action="attack?menu=<%=webSession.getCurrentMenu()%>">
<table width="60%" border="0" cellpadding="3">
<tr>
<td> <label>
<select name="<%=CrossSiteScripting.EMPLOYEE_ID%>" size="11">
<%
List employees = (List) session.getAttribute("CrossSiteScripting." + CrossSiteScripting.STAFF_ATTRIBUTE_KEY);
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
}%>
</select>
</label></td>
<td>
<input type="submit" name="action" value="<%=CrossSiteScripting.SEARCHSTAFF_ACTION%>"/><br>
<input type="submit" name="action" value="<%=CrossSiteScripting.VIEWPROFILE_ACTION%>"/><br>
<%
if (webSession.isAuthorizedInLesson(myUserId, CrossSiteScripting.CREATEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=CrossSiteScripting.CREATEPROFILE_ACTION%>"/><br>
<%
}
%>
<%
if (webSession.isAuthorizedInLesson(myUserId, CrossSiteScripting.DELETEPROFILE_ACTION))
{
%>
<input type="submit" name="action" value="<%=CrossSiteScripting.DELETEPROFILE_ACTION%>"/><br>
<%
}
%>
<br>
<input type="submit" name="action" value="<%=CrossSiteScripting.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</form>
Reference in New Issue View Git Blame Copy Permalink