package org.owasp.webgoat.plugin;

import java.text.DecimalFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.support.PropertiesBeanDefinitionReader;

/* loaded from: input_file:WebGoat.war:plugin_lessons/hidden-field-tampering-1.0.jar:org/owasp/webgoat/plugin/HiddenFieldTampering.class */
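/**
 * Lesson page for the hidden-field tampering exercise.
 *
 * <p>The page ships the item price to the browser in a hidden input and then
 * reads it back from the request when the form is submitted. Nothing on the
 * server re-checks the value against the catalogue price, so the total is
 * computed from whatever the client sent; that missing server-side check is
 * the weakness the lesson demonstrates and the reason the lesson is marked
 * solved when the submitted price differs from the one the page sent.
 */
public class HiddenFieldTampering extends LessonAdapter {
    /** Name of the request parameter (and hidden field) carrying the price. */
    private static final String PRICE = "Price";
    /** Catalogue price the page places in the hidden field. */
    private static final String PRICE_TV = "2999.99";
    /** Example altered value; only used in the hints text. */
    private static final String PRICE_TV_HACKED = "9.99";
    // Pattern applied by the browser-side validator only. The dots are not
    // escaped, and the server never re-applies it, so it is not a control.
    String regex = "^2999.99$";
    // Compiled counterpart of the browser-side pattern; not consulted by any
    // method in this class.
    Pattern pattern1 = Pattern.compile(this.regex);
    String lineSep = System.getProperty("line.separator");
    // JavaScript emitted into the page: on submit it tests the Price field
    // against the pattern and resets it to PRICE_TV on mismatch. It runs only
    // in the browser, so it can be bypassed by anyone who edits the request.
    String script = "<SCRIPT>" + this.lineSep + "regex=/" + this.regex + "/;function validate() { " + this.lineSep + "if (!regex.test(document.form." + PRICE + ".value)) {alert('Data tampering is disallowed');  document.form." + PRICE + ".value = " + PRICE_TV + ";}" + this.lineSep + "else document.form.submit();" + this.lineSep + "} " + this.lineSep + "</SCRIPT>" + this.lineSep;
    // Integer.valueOf avoids the deprecated boxing constructor.
    private static final Integer DEFAULT_RANKING = Integer.valueOf(50);

    /**
     * Builds the lesson content for one request.
     *
     * <p>Reads the price and quantity from the request, computes the total and
     * renders either the cart (when the submitted price still equals
     * {@link #PRICE_TV}) or the purchase summary (when it does not, which also
     * marks the lesson as solved).
     *
     * @param webSession current WebGoat session; supplies the request parser,
     *                   colour setting and message sink
     * @return the page body as an ECS element container
     */
    @Override
    public Element createContent(WebSession webSession) {
        ElementContainer page = new ElementContainer();
        page.addElement(new StringElement(this.script));
        DecimalFormat money = new DecimalFormat("$0.00");

        String submittedPrice;
        float total;
        try {
            // The price is taken from the request, i.e. from the hidden field the
            // browser sends back, and trusted as-is. This is the lesson's intended
            // flaw: a real shop must take the price from its own catalogue.
            submittedPrice = webSession.getParser().getRawParameter(PRICE, PRICE_TV);
            total = webSession.getParser().getFloatParameter("QTY", 1.0f) * Float.parseFloat(submittedPrice);
        } catch (Exception e) {
            // Unparseable or missing input: report it to the user and fall back to
            // one item at the catalogue price rather than failing the page.
            webSession.setMessage(getLabelManager().get("Invaild data") + getClass().getName());
            submittedPrice = PRICE_TV;
            total = Float.parseFloat(PRICE_TV);
        }

        if (PRICE_TV.equals(submittedPrice)) {
            addCartView(page, webSession, money, total);
        } else {
            // The price no longer matches what the page sent: the hidden field was
            // altered in transit, which is exactly what the lesson asks for.
            makeSuccess(webSession);
            addPurchaseSummary(page, total);
        }
        return page;
    }

    /**
     * Appends the cart table, the charge row with its two buttons, and the hidden
     * price field to {@code page}.
     *
     * @param page       container to append to
     * @param webSession session; only its colour setting is consulted here
     * @param money      formatter used for the line total and the charged amount
     * @param total      amount computed from the submitted price and quantity
     */
    private void addCartView(ElementContainer page, WebSession webSession, DecimalFormat money, float total) {
        page.addElement(new Center().addElement(new H1().addElement(getLabelManager().get("ShoppingCart"))));
        page.addElement(new BR());

        Table cart = new Table().setCellSpacing(0).setCellPadding(2).setBorder(1).setWidth("90%").setAlign("center");
        if (webSession.isColor()) {
            cart.setBorder(1);
        }
        TR header = new TR();
        header.addElement(new TH().addElement(getLabelManager().get("ShoppingCartItems")).setWidth("80%"));
        header.addElement(new TH().addElement(getLabelManager().get(PRICE)).setWidth("10%"));
        header.addElement(new TH().addElement(getLabelManager().get("Quantity")).setWidth("3%"));
        header.addElement(new TH().addElement(getLabelManager().get("Total")).setWidth("7%"));
        cart.addElement(header);

        TR item = new TR();
        item.addElement(new TD().addElement("56 inch HDTV (model KTV-551)"));
        item.addElement(new TD().addElement(PRICE_TV).setAlign("right"));
        item.addElement(new TD().addElement(new Input("TEXT", "QTY", 1).setSize(6)).setAlign("right"));
        item.addElement(new TD().addElement(money.format(total)));
        cart.addElement(item);
        page.addElement(cart);

        Table charge = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
        if (webSession.isColor()) {
            charge.setBorder(1);
        }
        page.addElement(new BR());
        TR chargeRow = new TR();
        chargeRow.addElement(new TD().addElement(getLabelManager().get("TotalChargedCreditCard") + ":"));
        chargeRow.addElement(new TD().addElement(money.format(total)));
        chargeRow.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("UpdateCart"))));
        chargeRow.addElement(new TD().addElement(ECSFactory.makeButton(getLabelManager().get("Purchase"), "validate()")));
        charge.addElement(chargeRow);
        page.addElement(charge);

        // The price round-trips through the client in this hidden input and is
        // not bound to anything server-side; this is the field the lesson is about.
        page.addElement(new Input(Input.HIDDEN, PRICE, PRICE_TV));
        page.addElement(new BR());
    }

    /**
     * Appends the post-purchase summary, showing the total that was computed from
     * the submitted (possibly altered) price.
     *
     * @param page  container to append to
     * @param total amount computed from the submitted price and quantity
     */
    private void addPurchaseSummary(ElementContainer page, float total) {
        page.addElement(new P().addElement(getLabelManager().get("TotalPriceIs") + ":"));
        // The decompiler rendered this "$" literal as Spring's
        // PropertiesBeanDefinitionReader.CONSTRUCTOR_ARG_PREFIX (whose value is
        // "$"); a plain literal is what was meant and produces the same output.
        page.addElement(new B("$" + total));
        page.addElement(new BR());
        page.addElement(new P().addElement(getLabelManager().get("ThisAmountCharged")));
    }

    /** @return the lesson category this exercise is filed under. */
    @Override
    protected Category getDefaultCategory() {
        return Category.PARAMETER_TAMPERING;
    }

    /**
     * Returns the localised hints for the lesson, in the order they are revealed.
     *
     * @param webSession current session (unused; labels come from the label manager)
     * @return a mutable list of three hint strings
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add(getLabelManager().get("HiddenFieldTamperingHint1"));
        hints.add(getLabelManager().get("HiddenFieldTamperingHint2"));
        hints.add(getLabelManager().get("HiddenFieldTamperingHint3") + PRICE_TV + getLabelManager().get("HiddenFieldTamperingHint32") + PRICE_TV_HACKED);
        return hints;
    }

    /** @return the default ordering rank of this lesson within its category. */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the menu. */
    @Override
    public String getTitle() {
        return "Exploit Hidden Fields";
    }
}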
