From e737aa08ec3068a8e4f6057550e6df3d0884cabf Mon Sep 17 00:00:00 2001
From: Sebastien Ros <sebastien.ros@microsoft.com>
Date: Tue, 30 Jun 2015 11:16:02 -0700
Subject: [PATCH] Applying security fix

http://docs.orchardproject.net/Documentation/Patch-20150630
---
 src/Orchard.Web/Core/Shapes/Views/User.cshtml |  2 +-
 .../Parts/WebSearch.WebSearchSettings.cshtml  |  2 +-
 src/Orchard.Web/Orchard/Localization/Text.cs  | 62 +++++++++++++++++++
 .../Themes/TheAdmin/Views/Title.cshtml        |  2 +-
 4 files changed, 65 insertions(+), 3 deletions(-)
 create mode 100644 src/Orchard.Web/Orchard/Localization/Text.cs

diff --git a/src/Orchard.Web/Core/Shapes/Views/User.cshtml b/src/Orchard.Web/Core/Shapes/Views/User.cshtml
index 6054c9adf9c..806cc83c784 100644
--- a/src/Orchard.Web/Core/Shapes/Views/User.cshtml
+++ b/src/Orchard.Web/Core/Shapes/Views/User.cshtml
@@ -3,7 +3,7 @@
 <div class="user-display">
     @if (WorkContext.CurrentUser != null) {
         <span class="user-actions welcome">
-            @T("Welcome, <strong>{0}</strong>!", "<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + @Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>")
+            @T("Welcome, <strong>{0}</strong>!", Html.Raw("<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>"))
         </span>
         <span class="user-actions">
             @Html.ActionLink(T("Sign Out").ToString(), "LogOff", new { Controller = "Account", Area = "Orchard.Users", ReturnUrl = Context.Request.RawUrl }, new { rel = "nofollow" })
diff --git a/src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml b/src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml
index 1138cb701c8..6bfce428d32 100644
--- a/src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml
+++ b/src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml
@@ -7,7 +7,7 @@
         <span class="hint">@T("Your private key.")</span>
     </div>
 
-    @T("Get a free API Key on {0}", "<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>")
+    @T("Get a free API Key on {0}", Html.Raw("<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>"))
 </fieldset>
 
 
diff --git a/src/Orchard.Web/Orchard/Localization/Text.cs b/src/Orchard.Web/Orchard/Localization/Text.cs
new file mode 100644
index 00000000000..82ddc75d932
--- /dev/null
+++ b/src/Orchard.Web/Orchard/Localization/Text.cs
@@ -0,0 +1,62 @@
+using System;
+using System.Globalization;
+using System.Linq;
+using System.Web;
+using Orchard.Localization.Services;
+using Orchard.Logging;
+
+namespace Orchard.Localization {
+    public class Text : IText {
+        private readonly string _scope;
+        private readonly IWorkContextAccessor _workContextAccessor;
+        private readonly ILocalizedStringManager _localizedStringManager;
+
+        public Text(string scope, IWorkContextAccessor workContextAccessor, ILocalizedStringManager localizedStringManager) {
+            _scope = scope;
+            _workContextAccessor = workContextAccessor;
+            _localizedStringManager = localizedStringManager;
+            Logger = NullLogger.Instance;
+        }
+
+        public ILogger Logger { get; set; }
+
+        public LocalizedString Get(string textHint, params object[] args) {
+            Logger.Debug("{0} localizing '{1}'", _scope, textHint);
+
+            var workContext = _workContextAccessor.GetContext();
+	        
+	        if (workContext != null) {
+		        var currentCulture = workContext.CurrentCulture;
+		        var localizedFormat = _localizedStringManager.GetLocalizedString(_scope, textHint, currentCulture);
+
+				return args.Length == 0
+				? new LocalizedString(localizedFormat, _scope, textHint, args)
+				: new LocalizedString(
+                    String.Format(GetFormatProvider(currentCulture), localizedFormat, args.Select(Encode).ToArray()), 
+                    _scope, 
+                    textHint, 
+                    args);
+	        }
+
+			return new LocalizedString(textHint, _scope, textHint, args);
+        }
+
+        private static IFormatProvider GetFormatProvider(string currentCulture) {
+            try {
+                return CultureInfo.GetCultureInfoByIetfLanguageTag(currentCulture);
+            }
+            catch {
+                return null;
+            }
+        }
+        
+        static object Encode(object arg)
+        {
+            if (arg is IFormattable || arg is IHtmlString) {
+                return arg;
+            }
+
+            return HttpUtility.HtmlEncode(arg);
+        }        
+    }
+}
\ No newline at end of file
diff --git a/src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml b/src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml
index 730480609bc..ecd04b226ff 100644
--- a/src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml
+++ b/src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml
@@ -1 +1 @@
-<h1 id="page-title">@Model.Title.ToString()</h1>
\ No newline at end of file
+<h1 id="page-title">@Model.Title</h1>
\ No newline at end of file