changed to using lxml instead of ETree

Allows for XPath injection because ETree doesn't really allow for XPath logic.

Author: ocartsonis

injection/teacher-login-7/server

@@ -2,30 +2,29 @@
 
 import os, flask, xml.etree.ElementTree as ET
 from markupsafe import escape
+from lxml import etree
 
 app = flask.Flask(__name__)
 
 @app.route("/login", methods=["POST"])
 def login():
+    username = flask.request.form.get("user", "")
     try:
-        tree = ET.parse("users.xml")
+        tree = etree.parse("users.xml")
         root = tree.getroot()
-    except Exception:
-        return "Error reading users.xml"
+    except Exception as e:
+        return f"Error reading XML: {e}"
 
-    username = flask.request.form.get("user", "")
-    
-    # XPATH INJECTION VULNERABILITY HERE ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
-    user = root.find(f".//user[username='{username}']")  # UNSAFE!
-    
-    if user is not None:
-        teacher = user.findtext("is_teacher", default="no")
-        if teacher in ("yes", "true", "1"):
-            return f"<p>Logged in as a teacher!<br/>{open('/flag').read()}</p>"
-        else:
-            return "Logged in … but not as a teacher. <a href='/'>Try again?</a>"
-    
-    return "No such user… <a href='/'>Try again?</a>"
+    query = f"//user[username/text()='{username}' and is_teacher/text()='yes']"
+    try:
+        results = root.xpath(query)
+    except Exception as e:
+        return f"XPath error: {e}"
+
+    if results:
+        return f"<p>Logged in as a teacher!<br/>{open('/flag').read()}</p>"
+    else:
+        return "Login failed. <a href='/'>Try again?</a>"
 
 @app.route("/add", methods=["POST"])
 def add():