From 4b8b2243c315c2f589afb91eebee8078501c8fe4 Mon Sep 17 00:00:00 2001
From: Ken Johnson <cktricky@Kens-MacBook-Pro.local>
Date: Thu, 23 May 2013 16:59:36 -0400
Subject: [PATCH] refactored xss

---
 .../layouts/tutorial/xss/_xss_first.html.erb  | 81 +++++++++++++++++
 app/views/tutorials/xss.html.erb              | 86 +------------------
 2 files changed, 84 insertions(+), 83 deletions(-)
 create mode 100644 app/views/layouts/tutorial/xss/_xss_first.html.erb

diff --git a/app/views/layouts/tutorial/xss/_xss_first.html.erb b/app/views/layouts/tutorial/xss/_xss_first.html.erb
new file mode 100644
index 0000000..ae77a52
--- /dev/null
+++ b/app/views/layouts/tutorial/xss/_xss_first.html.erb
@@ -0,0 +1,81 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Cross-Site Scripting ("XSS")
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
+            <div class="accordion-inner">
+             <p>XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.</p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
+            <div class="accordion-inner">
+              <p><b>Stored Cross-Site Scripting - The following code was taken from app/views/layouts/shared/_header.html.erb</b></p>
+			  <font face="Courier New" style="color: rgb(69, 126, 136)"> 
+				 <p>
+  					<pre class="ruby">
+					  <%= @code %>
+	 				</pre>
+                  </p>
+		      </font>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
+            <div class="accordion-inner">
+             <p><b> Stored Cross-Site Scripting ATTACK:</b></p>
+
+			 <p> When registering, enter your JavaScript tag such as <%= %{<script>alert("ohai")} %> in the First Name field. Upon login the header navigation bar will echo "Welcome" + your JS code. You can have your XSS code point the victim to a <%= link_to "BeEF server", "http://beefproject.com", {:style => "color: rgb(69, 126, 136)" } %> and have some fun as well.
+			 </p>
+			 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
+			 <p> 
+				Often developers error on the side of using "html_safe" versus "raw" with the idea being one is safer than the other. In this example, simply removing the .html_safe call would both eliminate the attack (by default, Rails 3.x html encodes these dangerous chars). Rails 2.x would require that any potentially malicious content is wrapped within an h() tag. Potentially malicious content should be thought of anything that is dynamically generated. Also, it is important to note that if for some reason you wanted to render HTML code in literal form, you can use things like sanitize() or strip_tags().
+			 </p>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
+            <div class="accordion-inner">
+              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/xss.html.erb b/app/views/tutorials/xss.html.erb
index 69e0148..f8eff5c 100644
--- a/app/views/tutorials/xss.html.erb
+++ b/app/views/tutorials/xss.html.erb
@@ -1,89 +1,9 @@
 <div class="dashboard-wrapper">
 	<div class="main-container">
 		<div class="row-fluid">
-		    <div class="span12">
-		      <div class="widget">
-		        <div class="widget-header">
-		          <div class="title">
-		            <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Cross-Site Scripting ("XSS")
-		          </div>
-		        </div>
-		        <div class="widget-body">
-		          <div id="accordion1" class="accordion no-margin">
-		            <div class="accordion-group">
-		              <div class="accordion-heading">
-		                <a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
-		                  <i class="icon-info icon-white">
-		                  </i>
-		                  Description
-		                </a>
-		              </div>
-		              <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
-		                <div class="accordion-inner">
-		                 <p>XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.</p>
-		                </div>
-		              </div>
-		            </div>
-		            <div class="accordion-group">
-		              <div class="accordion-heading">
-		                <a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
-		                  <i class="icon-bug icon-white">
-		                  </i>
-		                  Bug
-		                </a>
-		              </div>
-		              <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
-		                <div class="accordion-inner">
-		                  <p><b>Stored Cross-Site Scripting - The following code was taken from app/views/layouts/shared/_header.html.erb</b></p>
-						  <font face="Courier New" style="color: rgb(69, 126, 136)"> 
-							 <p>
-			  					<pre class="ruby">
-								  <%= @code %>
-				 				</pre>
-			                  </p>
-					      </font>
-		                </div>
-		              </div>
-		            </div>
-		            <div class="accordion-group">
-		              <div class="accordion-heading">
-		                <a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
-		                  <i class="icon-lightning icon-white">
-		                  </i>
-		                  Solution
-		                </a>
-		              </div>
-		              <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
-		                <div class="accordion-inner">
-		                 <p><b> Stored Cross-Site Scripting ATTACK:</b></p>
-		
-						 <p> When registering, enter your JavaScript tag such as <%= %{<script>alert("ohai")} %> in the First Name field. Upon login the header navigation bar will echo "Welcome" + your JS code. You can have your XSS code point the victim to a <%= link_to "BeEF server", "http://beefproject.com", {:style => "color: rgb(69, 126, 136)" } %> and have some fun as well.
-						 </p>
-						 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
-						 <p> 
-							Often developers error on the side of using "html_safe" versus "raw" with the idea being one is safer than the other. In this example, simply removing the .html_safe call would both eliminate the attack (by default, Rails 3.x html encodes these dangerous chars). Rails 2.x would require that any potentially malicious content is wrapped within an h() tag. Potentially malicious content should be thought of anything that is dynamically generated. Also, it is important to note that if for some reason you wanted to render HTML code in literal form, you can use things like sanitize() or strip_tags().
-						 </p>
-		                </div>
-		              </div>
-		            </div>
-		          	<div class="accordion-group">
-		              <div class="accordion-heading">
-		                <a  style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
-		                  <i class="icon-aid icon-white">
-		                  </i>
-		                  Hint
-		                </a>
-		              </div>
-		              <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
-		                <div class="accordion-inner">
-		                  Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
-		                </div>
-		              </div>
-		            </div>
-				</div>
-		        </div>
-		      </div>
-		    </div>
+		    <div class="span12"> <!-- Begin Span12 -->
+		       <%= render :partial => "layouts/tutorial/xss/xss_first"%>
+		    </div> <!-- End Span12 -->
 		</div>
 	</div>
 </div>