fix(ui): replace ES6/ES2021 features with ES5 equivalents for IE compatibility

[TheAuditorTool]

Summary

Fixes #53 -- JavaScript in testsuiteutils.js uses ES6 and ES2021 features that are unsupported in Internet Explorer, causing all AJAX-based test case submissions to fail when accessing Benchmark from IE.

Single file changed: src/main/webapp/js/testsuiteutils.js (33 insertions, 31 deletions)

No Java files, HTML files, config files, or test cases were modified.

Root Cause

Five categories of IE-incompatible JavaScript features were identified in testsuiteutils.js:

Feature	Occurrences	IE Impact
const keyword	13 declarations	Fatal in IE 10 and below; broken semantics in IE 11 non-strict mode
String.prototype.endsWith()	3 call sites	TypeError in all IE versions (ES6, not implemented)
String.prototype.includes()	2 call sites	TypeError in all IE versions (ES6, not implemented)
String.prototype.replaceAll()	5 call sites (8 individual calls)	TypeError in all IE versions (ES2021, not implemented)
XMLHttpRequest.DONE	3 references	undefined in IE 8/9

These cause TypeError exceptions that prevent all five submission methods (submitHeaderForm, submitHeaderNamesForm, submitParameterNamesForm, submitJSONwAjax, submitXMLwAjax) from functioning in IE.

Changes

1. const -> var

All 13 const declarations were changed to var. Every declaration is a simple assignment that is never reassigned, and all are at function scope (not inside blocks), so there is no behavioral difference.

2. endsWith() -> indexOf() polyfill

// Before
if (testcase.endsWith(suffix)) ...

// After
if (testcase.indexOf(suffix, testcase.length - suffix.length) !== -1) ...

Standard MDN-recommended polyfill pattern. Applied in submitHeaderForm, submitHeaderNamesForm, and submitParameterNamesForm.

3. includes() -> indexOf()

// Before
if (URL.includes("xss")) ...

// After
if (URL.indexOf("xss") !== -1) ...

Direct ES5 equivalent. Applied in submitHeaderForm and submitParameterNamesForm.

4. Native .replaceAll() -> existing helper function

The file already contained an unused helper pair at lines 57-63:

function escapeRegExp(str) {
    return str.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
}

function replaceAll(str, find, replace) {
    return str.replace(new RegExp(escapeRegExp(find), 'g'), replace);
}

This helper was presumably the original IE-compatible implementation. The native String.prototype.replaceAll() method calls were converted to use this existing helper instead:

// Before
result = result.replaceAll("<br>", "\n");

// After
result = replaceAll(result, "<br>", "\n");

The chained call on line 197 was broken into separate statements for readability:

// Before
result = result.replaceAll("<xMLMessages>","").replaceAll("</xMLMessages>","").replaceAll("<message><msg>","");

// After
result = replaceAll(result, "<xMLMessages>", "");
result = replaceAll(result, "</xMLMessages>", "");
result = replaceAll(result, "<message><msg>", "");

All search strings are fixed literals (no user input), and all replacement strings contain no $ special patterns, so the helper produces identical results to the native method.

5. XMLHttpRequest.DONE -> 4

The numeric constant 4 is the spec-defined value of XMLHttpRequest.DONE. Applied in three onreadystatechange handlers.

What Was NOT Changed

• src/main/java/org/owasp/benchmark/testcode/ -- all 2,740 test case Java files are untouched
• src/main/webapp/{category}-{NN}/*.html -- all 2,741 test case HTML pages are untouched
• jquery.min.js (v2.1.4) and js.cookie.js (v2.1.3) -- vendor libraries, already IE-compatible
• HTTPResponseHeaderFilter.java -- CSP header uses 'self' which is origin-relative and works correctly for both localhost and remote IP access
• No new files, no new dependencies, no new functions

Regression Risk

Zero. Every replacement is a mechanical downlevel from ES6/ES2021 to ES5 with functionally identical behavior:

• var for const on non-reassigned bindings at function scope -- identical semantics
• indexOf() polyfills for endsWith()/includes() -- standard, well-tested patterns
• Helper replaceAll() uses regex with escaped special characters -- produces identical output to native String.prototype.replaceAll() for all 8 call sites (verified: regex escaping handles ?, ., =, /, \ correctly in all search strings; no $ patterns in any replacement strings)
• 4 === XMLHttpRequest.DONE by spec definition

Modern browsers (Chrome, Firefox, Edge, Safari) will behave exactly as before. IE 9+ will now also function correctly.

Test Plan

• Verify git diff --stat shows only testsuiteutils.js changed
• Verify no const, let, .endsWith(, .includes(, .replaceAll(, or XMLHttpRequest.DONE patterns remain in the file
• Build and run with runBenchmark.sh -- verify test case pages load and AJAX submissions work in a modern browser
• (Optional) Test in IE 11 with runRemoteAccessibleBenchmark.sh via remote IP access

[darkspirit510]

Is this PR really neccessary? Internet Explorer was discontinued years ago.

[TheAuditorTool]

Is this PR really neccessary? Internet Explorer was discontinued years ago.

I'm completely the wrong person to ask haha.
I spent 9 hours yesterday across 14 commits getting pixels correct on 2/4/6/8 tiers of items on a dynamically scaling TV menu that snowballed into an rls tentant isolated public endpoint with a full fledged backend to support it xD.

I'd say the value is fairly minor, probably edge cases like legacy enterprise that are locked down, i.e banks.
I'd argue the real value is product management for the owasp foundation but i'll leave this for you and Dave to decide!

[darkspirit510]

@davewichers what's your opinion about this?

[davewichers]

@darkspirit510 - I don't have a strong opinion here. I'm OK with merging it in if it really fixes the issue and doesn't break anything with current browsers. This is kind of a minor issue.