Applying security fix

http://docs.orchardproject.net/Documentation/Patch-20150630

src/Orchard.Web/Core/Shapes/Views/User.cshtml

@@ -3,7 +3,7 @@
 <div class="user-display">
     @if (WorkContext.CurrentUser != null) {
         <span class="user-actions welcome">
-            @T("Welcome, <strong>{0}</strong>!", "<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + @Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>")
+            @T("Welcome, <strong>{0}</strong>!", Html.Raw("<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>"))
         </span>
         <span class="user-actions">
             @Html.ActionLink(T("Sign Out").ToString(), "LogOff", new { Controller = "Account", Area = "Orchard.Users", ReturnUrl = Context.Request.RawUrl }, new { rel = "nofollow" })

src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml

@@ -7,7 +7,7 @@
         <span class="hint">@T("Your private key.")</span>
     </div>
 
-    @T("Get a free API Key on {0}", "<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>")
+    @T("Get a free API Key on {0}", Html.Raw("<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>"))
 </fieldset>
 
 

src/Orchard.Web/Orchard/Localization/Text.cs

@@ -0,0 +1,62 @@
+using System;
+using System.Globalization;
+using System.Linq;
+using System.Web;
+using Orchard.Localization.Services;
+using Orchard.Logging;
+
+namespace Orchard.Localization {
+    public class Text : IText {
+        private readonly string _scope;
+        private readonly IWorkContextAccessor _workContextAccessor;
+        private readonly ILocalizedStringManager _localizedStringManager;
+
+        public Text(string scope, IWorkContextAccessor workContextAccessor, ILocalizedStringManager localizedStringManager) {
+            _scope = scope;
+            _workContextAccessor = workContextAccessor;
+            _localizedStringManager = localizedStringManager;
+            Logger = NullLogger.Instance;
+        }
+
+        public ILogger Logger { get; set; }
+
+        public LocalizedString Get(string textHint, params object[] args) {
+            Logger.Debug("{0} localizing '{1}'", _scope, textHint);
+
+            var workContext = _workContextAccessor.GetContext();
+
+	        if (workContext != null) {
+		        var currentCulture = workContext.CurrentCulture;
+		        var localizedFormat = _localizedStringManager.GetLocalizedString(_scope, textHint, currentCulture);
+
+				return args.Length == 0
+				? new LocalizedString(localizedFormat, _scope, textHint, args)
+				: new LocalizedString(
+                    String.Format(GetFormatProvider(currentCulture), localizedFormat, args.Select(Encode).ToArray()), 
+                    _scope, 
+                    textHint, 
+                    args);
+	        }
+
+			return new LocalizedString(textHint, _scope, textHint, args);
+        }
+
+        private static IFormatProvider GetFormatProvider(string currentCulture) {
+            try {
+                return CultureInfo.GetCultureInfoByIetfLanguageTag(currentCulture);
+            }
+            catch {
+                return null;
+            }
+        }
+
+        static object Encode(object arg)
+        {
+            if (arg is IFormattable || arg is IHtmlString) {
+                return arg;
+            }
+
+            return HttpUtility.HtmlEncode(arg);
+        }        
+    }
+}

src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml

@@ -1 +1 @@
-<h1 id="page-title">@Model.Title.ToString()</h1>
+<h1 id="page-title">@Model.Title</h1>