package org.owasp.webgoat.plugin;

import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.HR;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.TextArea;
import org.apache.log4j.HTMLLayout;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.util.HtmlEncoder;
import org.springframework.aop.framework.autoproxy.target.QuickTargetSourceCreator;

/* loaded from: input_file:WebGoat.war:plugin_lessons/stored-xss-1.0.jar:org/owasp/webgoat/plugin/StoredXss.class */
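/**
 * WebGoat "Stored XSS Attacks" lesson: a small message board backed by the {@code messages} table.
 *
 * <p>Every request first persists the submitted form (see {@link #addMessage}), then renders the
 * input form, the currently selected message and the list of this user's messages. The title is
 * HTML-encoded on the way in; the message body is stored and later rendered verbatim, which is the
 * stored-XSS defect the lesson demonstrates. {@link #makeCurrent} calls the inherited
 * {@code makeSuccess} when a stored body contains a {@code <script>} block that mentions
 * {@code alert}. All database access uses parameterised statements, so the raw text cannot alter
 * the SQL; only the rendering step is unprotected.
 */
public class StoredXss extends LessonAdapter {
    // Request-parameter names shared by the input form (makeInput) and its handler (addMessage).
    private static final String MESSAGE = "message";
    private static final String TITLE = "title";
    // Request-parameter name carrying the selected message number in the list links.
    private static final String NUMBER = "Num";
    // 1-based column positions in the messages table as read back by makeCurrent/makeList.
    private static final int NUM_COL = 1;
    private static final int TITLE_COL = 2;
    private static final int MESSAGE_COL = 3;
    private static final int USER_COL = 4;
    private static final String STANDARD_QUERY = "SELECT * FROM messages";
    // SQL LIKE wildcard appended to the user-name root (text before the first '-') in the queries.
    private static final String LIKE_ANY = "%";
    private static final Integer DEFAULT_RANKING = Integer.valueOf(100);
    // NOTE(review): message numbers come from a static, unsynchronised counter that restarts at 1
    // whenever the class is reloaded; concurrent posts can be handed the same number.
    private static int count = 1;

    /**
     * Stores the submitted title/message pair for the current user.
     *
     * <p>Only the title is HTML-encoded; the message body is stored verbatim. That asymmetry is the
     * lesson's deliberate defect: {@link #makeCurrent} renders the stored body back as markup. The
     * INSERT is parameterised, so the raw text cannot change the statement itself.
     *
     * <p>NOTE(review): this is called on every render, so a page view without form data inserts an
     * empty row; skipping the insert when both fields are blank would avoid that.
     *
     * @param webSession the current session; on failure its message is set to the
     *        "CouldNotAddMessage" label (unless the driver only reports that no ResultSet was
     *        produced) and the exception is printed
     */
    protected void addMessage(WebSession webSession) {
        PreparedStatement statement = null;
        try {
            String title = HtmlEncoder.encode(webSession.getParser().getRawParameter(TITLE, ""));
            String message = webSession.getParser().getRawParameter(MESSAGE, "");
            // The connection is owned by DatabaseUtilities and is not closed here; only the
            // statement we create is ours to release.
            statement = DatabaseUtilities.getConnection(webSession).prepareStatement(
                    "INSERT INTO messages VALUES (?, ?, ?, ?, ? )",
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            int number = count++;
            statement.setInt(1, number);
            statement.setString(2, title);
            statement.setString(3, message);
            statement.setString(4, webSession.getUserName());
            // lesson_type scopes rows to this lesson so other lessons' boards stay separate.
            statement.setString(5, getClass().getName());
            statement.execute();
        } catch (Exception e) {
            // A "No ResultSet was produced" message is treated as benign; anything else,
            // including an exception without a message, is reported to the user.
            String detail = e.getMessage();
            if (detail == null || !detail.contains("No ResultSet was produced")) {
                webSession.setMessage(getLabelManager().get("CouldNotAddMessage"));
            }
            e.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
    }

    /**
     * Builds the lesson page: persists any submitted message, then renders the input form, the
     * selected message and the message list, separated by horizontal rules.
     *
     * @param webSession the current session
     * @return the assembled page content
     */
    @Override
    public Element createContent(WebSession webSession) {
        addMessage(webSession);
        ElementContainer page = new ElementContainer();
        page.addElement(makeInput(webSession));
        page.addElement(new HR());
        page.addElement(makeCurrent(webSession));
        page.addElement(new HR());
        page.addElement(makeList(webSession));
        return page;
    }

    /** @return the lesson category, always {@link Category#XSS} */
    @Override
    protected Category getDefaultCategory() {
        return Category.XSS;
    }

    /**
     * Returns the four lesson hints, resolved through the label manager.
     *
     * @param webSession the current session (unused)
     * @return the hints in display order
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add(getLabelManager().get("StoredXssHint1"));
        hints.add(getLabelManager().get("StoredXssHint2"));
        hints.add(getLabelManager().get("StoredXssHint3"));
        hints.add(getLabelManager().get("StoredXssHint4"));
        return hints;
    }

    /** @return the lesson's ranking used for menu ordering */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the menu */
    @Override
    public String getTitle() {
        return "Stored XSS Attacks";
    }

    /**
     * Renders the message selected by the {@code Num} request parameter, if any.
     *
     * <p>The stored title and body are placed into the page as raw {@link StringElement}s. The title
     * was encoded when stored; the body was not, so a stored script executes in the viewer's browser.
     * When the body contains {@code <script} , {@code </script>} and {@code alert} (case-insensitive)
     * the inherited {@code makeSuccess} is called.
     *
     * @param webSession the current session
     * @return the message table, a "could not find" paragraph when a non-zero number matched
     *         nothing, or an empty container when no number was requested
     */
    protected Element makeCurrent(WebSession webSession) {
        ElementContainer container = new ElementContainer();
        PreparedStatement statement = null;
        try {
            int requestedNum = webSession.getParser().getIntParameter(NUMBER, 0);
            statement = DatabaseUtilities.getConnection(webSession).prepareStatement(
                    "SELECT * FROM messages WHERE user_name LIKE ? and num = ? and lesson_type = ?",
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            statement.setString(1, getNameroot(webSession.getUserName()) + LIKE_ANY);
            statement.setInt(2, requestedNum);
            statement.setString(3, getClass().getName());
            ResultSet results = statement.executeQuery();
            if (results.first()) {
                String title = results.getString(TITLE_COL);
                String message = results.getString(MESSAGE_COL);
                String postedBy = results.getString(USER_COL);
                container.addElement(new H1(getLabelManager().get("MessageContentsFor") + ": " + title));
                Table table = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
                table.addElement(makeRow(
                        new B(new StringElement(getLabelManager().get("Title") + ":")), title));
                table.addElement(makeRow(
                        new B(new StringElement(getLabelManager().get("Message") + ":")), message));
                table.addElement(makeRow(
                        new StringElement(getLabelManager().get("PostedBy") + ":"), postedBy));
                container.addElement(table);
                if (containsScriptBlock(message)) {
                    makeSuccess(webSession);
                }
            } else if (requestedNum != 0) {
                container.addElement(new P().addElement(
                        getLabelManager().get("CouldNotFindMessage") + requestedNum));
            }
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGenerating") + getClass().getName());
            e.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
        return container;
    }

    /**
     * Builds the title/message input form with a submit button.
     *
     * @param webSession the current session (unused)
     * @return the form table followed by the submit button
     */
    protected Element makeInput(WebSession webSession) {
        Table form = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);

        TR titleRow = new TR();
        titleRow.addElement(new TD(new StringElement(getLabelManager().get("Title") + ": ")));
        titleRow.addElement(new TD(new Input("TEXT", TITLE, "")));

        TR messageRow = new TR();
        TD messageLabel = new TD();
        messageLabel.setVAlign("TOP");
        messageLabel.addElement(new StringElement(getLabelManager().get("Message") + ": "));
        messageRow.addElement(messageLabel);
        TD messageField = new TD();
        messageField.addElement(new TextArea(MESSAGE, 5, 60));
        messageRow.addElement(messageField);

        form.addElement(titleRow);
        form.addElement(messageRow);

        ElementContainer container = new ElementContainer();
        container.addElement(form);
        container.addElement(new P().addElement(ECSFactory.makeButton(getLabelManager().get("Submit"))));
        return container;
    }

    /**
     * Lists this lesson's messages for the current user as links carrying the message number.
     *
     * <p>Link text is the stored title, which was HTML-encoded by {@link #addMessage}.
     *
     * @param webSession the current session; on failure its message is set to the
     *        "ErrorGeneratingMessageList" label
     * @return a heading followed by one row per message (an empty table when there are none)
     */
    public Element makeList(WebSession webSession) {
        Table list = new Table(0).setCellSpacing(0).setCellPadding(0).setBorder(0);
        PreparedStatement statement = null;
        try {
            statement = DatabaseUtilities.getConnection(webSession).prepareStatement(
                    "SELECT * FROM messages WHERE user_name LIKE ? and lesson_type = ?",
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            statement.setString(1, getNameroot(webSession.getUserName()) + LIKE_ANY);
            statement.setString(2, getClass().getName());
            ResultSet results = statement.executeQuery();
            // next() on an empty result set is simply false, so no separate emptiness check is needed.
            while (results.next()) {
                Element link = ECSFactory.makeLink(
                        results.getString(TITLE_COL), NUMBER, results.getInt(NUM_COL));
                list.addElement(new TR().addElement(new TD().addElement(link)));
            }
        } catch (Exception e) {
            webSession.setMessage(getLabelManager().get("ErrorGeneratingMessageList"));
            e.printStackTrace();
        } finally {
            closeQuietly(statement);
        }
        ElementContainer container = new ElementContainer();
        container.addElement(new H1(getLabelManager().get("MessageList")));
        container.addElement(list);
        return container;
    }

    /**
     * Strips everything from the first {@code '-'} onwards from a user name.
     *
     * @param userName the session user name; must not be null
     * @return the text before the first dash, or the whole name when there is none
     */
    private static String getNameroot(String userName) {
        int dash = userName.indexOf('-');
        return dash == -1 ? userName : userName.substring(0, dash);
    }

    /**
     * Builds a two-cell table row: a label element and the value as raw text.
     *
     * @param label the label cell content (bold or plain, chosen by the caller)
     * @param value the value rendered unescaped in the second cell
     * @return the row
     */
    private static TR makeRow(Element label, String value) {
        TR row = new TR(new TD(label));
        row.addElement(new TD(new StringElement(value)));
        return row;
    }

    /**
     * Lesson success criterion: the body contains an opening and closing script tag and the word
     * "alert", compared case-insensitively in a locale-independent way.
     *
     * @param message the stored message body, may be null
     * @return true when all three markers are present
     */
    private static boolean containsScriptBlock(String message) {
        if (message == null) {
            return false;
        }
        String lower = message.toLowerCase(Locale.ROOT);
        return lower.contains("<script") && lower.contains("</script>") && lower.contains("alert");
    }

    /**
     * Closes a statement (which also closes any ResultSet it produced) without throwing, so a
     * failure on close never masks the exception that is already being handled.
     *
     * @param statement the statement to close; null is ignored
     */
    private static void closeQuietly(PreparedStatement statement) {
        if (statement == null) {
            return;
        }
        try {
            statement.close();
        } catch (SQLException ignored) {
            // Nothing further can be done once close fails; the query has already completed or failed.
        }
    }
}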
