Files
webgoat
main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
lesson_template
lessons
ConfManagement
CrossSiteScripting
DBCrossSiteScripting
DBSQLInjection
General
GoatHillsFinancial
RoleBasedAccessControl
images
EditProfile.jsp
ListStaff.jsp
Login.jsp
RoleBasedAccessControl.css
RoleBasedAccessControl.jsp
SearchStaff.jsp
ViewProfile.jsp
error.jsp
SQLInjection
XPATHInjection
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
doc
build.xml
HOW TO create the WebGoat workspace.txt
WAR Installation Instructions.txt
build.xml
eclipse.bat
readme.txt
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
WebGoat/ webgoat/main/project/WebContent/lessons/RoleBasedAccessControl/EditProfile.jsp
rogan.dawes 9ea97126b8 Use AbstractLesson.getLink() and getFormAction() more
Rather than constructing URL's manually all the time, rather
make use of existing mechanisms to create the URL, and use
it consistently.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@184 4033779f-a91e-0410-96ef-6bf7bf53c507
2007-07-18 13:31:11 +00:00

137 lines
5.1 KiB
Plaintext

<%@ page contentType="text/html; charset=ISO-8859-1" language="java"
import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl"
errorPage="" %>
<%
WebSession webSession = ((WebSession)session.getAttribute("websession"));
Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl.Employee");
%>
<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
<div class="lesson_text">
<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
<Table border="0" cellpadding="0" cellspacing="0">
<TR><TD width="110">
First Name:
</TD>
<TD width="193">
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
</TD>
<TD width="110">
Last Name: </TD>
<TD width="196">
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
</TD>
</TR>
<TR><TD>
Street:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
</TD>
<TD>
City/State:
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
</TD>
</TR>
<TR><TD>
Phone:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
</TD>
<TD>
Start Date:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
</TD>
</TR>
<TR><TD>
SSN:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.SSN%>" type="text" value="<%=employee.getSsn()%>"/>
</TD>
<TD>
Salary:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
</TD>
</TR>
<TR><TD>
Credit Card:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
</TD>
<TD>
Credit Card Limit:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
</TD>
</TR>
<TR><TD>
Comments:
</TD>
<TD colspan="3">
<input name="<%=RoleBasedAccessControl.DESCRIPTION%>" type="text" class="lesson_text_db" value="<%=employee.getPersonalDescription()%>" size="58"/>
</TD>
<TR>
<TD colspan="2">
Disciplinary Explanation:
</TD>
<TD>
Disc. Date:
</TD>
<TD>
<input class="lesson_text_db" name="<%=RoleBasedAccessControl.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
</TD>
</TR>
<TR>
<TD colspan="4">
<textarea name="<%=RoleBasedAccessControl.DISCIPLINARY_NOTES%>" cols="53" rows="2" wrap="off" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
</TD>
</TR>
<TR>
<TD>
Manager:
</TD>
<TD>
<select class="lesson_text_db" name="<%=RoleBasedAccessControl.MANAGER%>">
<%
List employees = (List) session.getAttribute("RoleBasedAccessControl.Staff");
Iterator i = employees.iterator();
while (i.hasNext())
{
EmployeeStub stub = (EmployeeStub) i.next();
%>
<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
<%}%>
</select>
</TD>
</TR>
</Table>
<BR>
<div class="lesson_buttons_bottom">
<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="57">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.VIEWPROFILE_ACTION%>"/>
</td>
<td width="81">
<input name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
<input name="<%=RoleBasedAccessControl.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.UPDATEPROFILE_ACTION%>"/>
</td>
<td width="211"></td>
<td width="83">
<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGOUT_ACTION%>"/>
</td>
</tr>
</table>
</div></form>
</div>