First off, this lesson is accessible at: http://localhost:8080/WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/11

Why does the URL have 11 as the stage reference and not 12? I.e., stage 1 starts at 0 up through 11, when it would be more natural for this to be /1 thru /12. Apparently all the lessons are like this. Seems like they should ALL be numbered 1 thru N.

Also, when you get ALL the questions correct, they all turn green, but the checkboxes filled in, go away. You should leave the checkboxes selected after they submit, regardless of whether they got any right or not, so they know what they selected. This also applies to the questions in Stage 6 of the SQL Injection (advanced), and Stage 5 of: SQL Injection (mitigation). Why 'erase' the supplied answers when the users gets them correct?