fix(ui): replace ES6/ES2021 features with ES5 equivalents for IE compatibility

[TheAuditorTool]

Summary

Fixes #53 -- JavaScript in testsuiteutils.js uses ES6 and ES2021 features that are unsupported in Internet Explorer, causing all AJAX-based test case submissions to fail when accessing Benchmark from IE.

Single file changed: src/main/webapp/js/testsuiteutils.js (33 insertions, 31 deletions)

No Java files, HTML files, config files, or test cases were modified.

Root Cause

Five categories of IE-incompatible JavaScript features were identified in testsuiteutils.js:

Feature	Occurrences	IE Impact
const keyword	13 declarations	Fatal in IE 10 and below; broken semantics in IE 11 non-strict mode
String.prototype.endsWith()	3 call sites	TypeError in all IE versions (ES6, not implemented)
String.prototype.includes()	2 call sites	TypeError in all IE versions (ES6, not implemented)
String.prototype.replaceAll()	5 call sites (8 individual calls)	TypeError in all IE versions (ES2021, not implemented)
XMLHttpRequest.DONE	3 references	undefined in IE 8/9

These cause TypeError exceptions that prevent all five submission methods (submitHeaderForm, submitHeaderNamesForm, submitParameterNamesForm, submitJSONwAjax, submitXMLwAjax) from functioning in IE.

Changes

1. const -> var

All 13 const declarations were changed to var. Every declaration is a simple assignment that is never reassigned, and all are at function scope (not inside blocks), so there is no behavioral difference.

2. endsWith() -> indexOf() polyfill

// Before
if (testcase.endsWith(suffix)) ...

// After
if (testcase.indexOf(suffix, testcase.length - suffix.length) !== -1) ...

Standard MDN-recommended polyfill pattern. Applied in submitHeaderForm, submitHeaderNamesForm, and submitParameterNamesForm.

3. includes() -> indexOf()

// Before
if (URL.includes("xss")) ...

// After
if (URL.indexOf("xss") !== -1) ...

Direct ES5 equivalent. Applied in submitHeaderForm and submitParameterNamesForm.

4. Native .replaceAll() -> existing helper function

The file already contained an unused helper pair at lines 57-63:

function escapeRegExp(str) {
    return str.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
}

function replaceAll(str, find, replace) {
    return str.replace(new RegExp(escapeRegExp(find), 'g'), replace);
}

This helper was presumably the original IE-compatible implementation. The native String.prototype.replaceAll() method calls were converted to use this existing helper instead:

// Before
result = result.replaceAll("<br>", "\n");

// After
result = replaceAll(result, "<br>", "\n");

The chained call on line 197 was broken into separate statements for readability:

// Before
result = result.replaceAll("<xMLMessages>","").replaceAll("</xMLMessages>","").replaceAll("<message><msg>","");

// After
result = replaceAll(result, "<xMLMessages>", "");
result = replaceAll(result, "</xMLMessages>", "");
result = replaceAll(result, "<message><msg>", "");

All search strings are fixed literals (no user input), and all replacement strings contain no $ special patterns, so the helper produces identical results to the native method.

5. XMLHttpRequest.DONE -> 4

The numeric constant 4 is the spec-defined value of XMLHttpRequest.DONE. Applied in three onreadystatechange handlers.

What Was NOT Changed

• src/main/java/org/owasp/benchmark/testcode/ -- all 2,740 test case Java files are untouched
• src/main/webapp/{category}-{NN}/*.html -- all 2,741 test case HTML pages are untouched
• jquery.min.js (v2.1.4) and js.cookie.js (v2.1.3) -- vendor libraries, already IE-compatible
• HTTPResponseHeaderFilter.java -- CSP header uses 'self' which is origin-relative and works correctly for both localhost and remote IP access
• No new files, no new dependencies, no new functions

Regression Risk

Zero. Every replacement is a mechanical downlevel from ES6/ES2021 to ES5 with functionally identical behavior:

• var for const on non-reassigned bindings at function scope -- identical semantics
• indexOf() polyfills for endsWith()/includes() -- standard, well-tested patterns
• Helper replaceAll() uses regex with escaped special characters -- produces identical output to native String.prototype.replaceAll() for all 8 call sites (verified: regex escaping handles ?, ., =, /, \ correctly in all search strings; no $ patterns in any replacement strings)
• 4 === XMLHttpRequest.DONE by spec definition

Modern browsers (Chrome, Firefox, Edge, Safari) will behave exactly as before. IE 9+ will now also function correctly.

Test Plan

• Verify git diff --stat shows only testsuiteutils.js changed
• Verify no const, let, .endsWith(, .includes(, .replaceAll(, or XMLHttpRequest.DONE patterns remain in the file
• Build and run with runBenchmark.sh -- verify test case pages load and AJAX submissions work in a modern browser
• (Optional) Test in IE 11 with runRemoteAccessibleBenchmark.sh via remote IP access