Applying security fix

http://docs.orchardproject.net/Documentation/Patch-20150630

src/Orchard.Specs/Bindings/WebAppHosting.cs

@@ -306,10 +306,26 @@ namespace Orchard.Specs.Bindings {
             var submit = _doc.DocumentNode
                 .SelectSingleNode(string.Format("(//input[@type='submit'][@value='{0}']|//button[@type='submit'][text()='{0}'])", submitText));
 
+            string urlPath = null;
+
+            if (submit == null) {
+                // could be a simple link using "unsafeurl" property
+
+                submit = _doc.DocumentNode
+                            .SelectNodes("//a")
+                            .SingleOrDefault(elt => elt.InnerHtml == submitText)
+                       ?? _doc.DocumentNode
+                            .SelectSingleNode(string.Format("//a[@title='{0}']", submitText));
+
+                urlPath = HttpUtility.HtmlDecode(submit.Attributes["href"].Value);
+            }
+
             var form = Form.LocateAround(submit);
-            var urlPath = HttpUtility.HtmlDecode(form.Start.GetAttributeValue("action", Details.UrlPath));
-
-
+            
+            if (urlPath == null) {
+                urlPath = HttpUtility.HtmlDecode(form.Start.GetAttributeValue("action", Details.UrlPath));
+            }
+            
             var inputs = form.Children
                     .SelectMany(elt => elt.DescendantsAndSelf("input").Concat(elt.Descendants("textarea")))
                     .Where(node => !((node.GetAttributeValue("type", "") == "radio" || node.GetAttributeValue("type", "") == "checkbox") && node.GetAttributeValue("checked", "") != "checked"))

src/Orchard.Specs/Users.feature

@@ -256,11 +256,12 @@ Scenario: I should be able to filter users by status
         | Options.Search | user1 |
         And I hit "Filter"
     Then I should see "<a[^>]*>user1</a>"
-    When I follow "Disable"
+    When I hit "Disable"
         And I am redirected
     Then I should see "User user1 disabled"
     When I fill in
         | name | value |
+		| Options.Search | |
         | Options.Filter | Pending |
         And I hit "Filter"
     Then I should see "<a[^>]*>user1</a>"
@@ -268,20 +269,23 @@ Scenario: I should be able to filter users by status
         And I should not see "<a[^>]*>admin</a>"
     When I fill in
         | name | value |
-        | Options.Filter | EmailPending |
+        | Options.Search | |
+		| Options.Filter | EmailPending |
         And I hit "Filter"
     Then I should not see "<a[^>]*>user1</a>"
         And I should not see "<a[^>]*>user2</a>"
         And I should not see "<a[^>]*>admin</a>"
     When I fill in
         | name | value |
-        | Options.Filter | Approved |
+        | Options.Search | |
+		| Options.Filter | Approved |
         And I hit "Filter"
     Then I should not see "<a[^>]*>user1</a>"
         And I should see "<a[^>]*>user2</a>"
         And I should see "<a[^>]*>admin</a>"
     When I fill in
         | name | value |
+		| Options.Search | |
         | Options.Filter | All |
         And I hit "Filter"
     Then I should see "<a[^>]*>user1</a>"

src/Orchard.Specs/Users.feature.cs

@@ -3,7 +3,7 @@
 //      This code was generated by SpecFlow (http://www.specflow.org/).
 //      SpecFlow Version:1.9.0.77
 //      SpecFlow Generator Version:1.9.0.0
-//      Runtime Version:4.0.30319.33440
+//      Runtime Version:4.0.30319.0
 // 
 //      Changes to this file may cause incorrect behavior and will be lost if
 //      the code is regenerated.
@@ -712,7 +712,7 @@ this.ScenarioSetup(scenarioInfo);
 #line 258
     testRunner.Then("I should see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
 #line 259
-    testRunner.When("I follow \"Disable\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "When ");
+    testRunner.When("I hit \"Disable\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "When ");
 #line 260
         testRunner.And("I am redirected", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line 261
@@ -721,69 +721,81 @@ this.ScenarioSetup(scenarioInfo);
             TechTalk.SpecFlow.Table table23 = new TechTalk.SpecFlow.Table(new string[] {
                         "name",
                         "value"});
+            table23.AddRow(new string[] {
+                        "Options.Search",
+                        ""});
             table23.AddRow(new string[] {
                         "Options.Filter",
                         "Pending"});
 #line 262
     testRunner.When("I fill in", ((string)(null)), table23, "When ");
-#line 265
-        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line 266
-    testRunner.Then("I should see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
+        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line 267
-        testRunner.And("I should not see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+    testRunner.Then("I should see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
 #line 268
+        testRunner.And("I should not see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+#line 269
         testRunner.And("I should not see \"<a[^>]*>admin</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             TechTalk.SpecFlow.Table table24 = new TechTalk.SpecFlow.Table(new string[] {
                         "name",
                         "value"});
+            table24.AddRow(new string[] {
+                        "Options.Search",
+                        ""});
             table24.AddRow(new string[] {
                         "Options.Filter",
                         "EmailPending"});
-#line 269
+#line 270
     testRunner.When("I fill in", ((string)(null)), table24, "When ");
-#line 272
-        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 273
-    testRunner.Then("I should not see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
 #line 274
-        testRunner.And("I should not see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line 275
+    testRunner.Then("I should not see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
+#line 276
+        testRunner.And("I should not see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+#line 277
         testRunner.And("I should not see \"<a[^>]*>admin</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             TechTalk.SpecFlow.Table table25 = new TechTalk.SpecFlow.Table(new string[] {
                         "name",
                         "value"});
+            table25.AddRow(new string[] {
+                        "Options.Search",
+                        ""});
             table25.AddRow(new string[] {
                         "Options.Filter",
                         "Approved"});
-#line 276
+#line 278
     testRunner.When("I fill in", ((string)(null)), table25, "When ");
-#line 279
-        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 280
-    testRunner.Then("I should not see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
-#line 281
-        testRunner.And("I should see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line 282
+        testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+#line 283
+    testRunner.Then("I should not see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
+#line 284
+        testRunner.And("I should see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
+#line 285
         testRunner.And("I should see \"<a[^>]*>admin</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             TechTalk.SpecFlow.Table table26 = new TechTalk.SpecFlow.Table(new string[] {
                         "name",
                         "value"});
+            table26.AddRow(new string[] {
+                        "Options.Search",
+                        ""});
             table26.AddRow(new string[] {
                         "Options.Filter",
                         "All"});
-#line 283
-    testRunner.When("I fill in", ((string)(null)), table26, "When ");
 #line 286
+    testRunner.When("I fill in", ((string)(null)), table26, "When ");
+#line 290
         testRunner.And("I hit \"Filter\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 287
+#line 291
     testRunner.Then("I should see \"<a[^>]*>user1</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
-#line 288
+#line 292
         testRunner.And("I should see \"<a[^>]*>user2</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 289
+#line 293
         testRunner.And("I should see \"<a[^>]*>admin</a>\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             this.ScenarioCleanup();
@@ -796,13 +808,13 @@ this.ScenarioSetup(scenarioInfo);
         {
             TechTalk.SpecFlow.ScenarioInfo scenarioInfo = new TechTalk.SpecFlow.ScenarioInfo("I should not be able to add users with invalid email addresses", new string[] {
                         "email"});
-#line 291
+#line 295
 this.ScenarioSetup(scenarioInfo);
-#line 292
+#line 296
     testRunner.Given("I have installed Orchard", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Given ");
-#line 293
+#line 297
     testRunner.When("I go to \"admin/users\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "When ");
-#line 294
+#line 298
         testRunner.And("I follow \"Add a new user\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             TechTalk.SpecFlow.Table table27 = new TechTalk.SpecFlow.Table(new string[] {
@@ -820,11 +832,11 @@ this.ScenarioSetup(scenarioInfo);
             table27.AddRow(new string[] {
                         "ConfirmPassword",
                         "a12345!"});
-#line 295
+#line 299
         testRunner.And("I fill in", ((string)(null)), table27, "And ");
-#line 301
+#line 305
         testRunner.And("I hit \"Save\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 302
+#line 306
     testRunner.Then("I should see \"You must specify a valid email address.\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
 #line hidden
             this.ScenarioCleanup();
@@ -837,13 +849,13 @@ this.ScenarioSetup(scenarioInfo);
         {
             TechTalk.SpecFlow.ScenarioInfo scenarioInfo = new TechTalk.SpecFlow.ScenarioInfo("I should be able to add users with valid email addresses", new string[] {
                         "email"});
-#line 304
+#line 308
 this.ScenarioSetup(scenarioInfo);
-#line 305
+#line 309
     testRunner.Given("I have installed Orchard", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Given ");
-#line 306
+#line 310
     testRunner.When("I go to \"admin/users\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "When ");
-#line 307
+#line 311
         testRunner.And("I follow \"Add a new user\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
 #line hidden
             TechTalk.SpecFlow.Table table28 = new TechTalk.SpecFlow.Table(new string[] {
@@ -861,13 +873,13 @@ this.ScenarioSetup(scenarioInfo);
             table28.AddRow(new string[] {
                         "ConfirmPassword",
                         "a12345!"});
-#line 308
+#line 312
         testRunner.And("I fill in", ((string)(null)), table28, "And ");
-#line 314
+#line 318
         testRunner.And("I hit \"Save\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 315
+#line 319
         testRunner.And("I am redirected", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "And ");
-#line 316
+#line 320
     testRunner.Then("I should see \"User created\"", ((string)(null)), ((TechTalk.SpecFlow.Table)(null)), "Then ");
 #line hidden
             this.ScenarioCleanup();

src/Orchard.Web/Core/Shapes/Views/User.cshtml

@@ -3,7 +3,7 @@
 <div class="user-display">
     @if (WorkContext.CurrentUser != null) {
         <span class="user-actions welcome">
-            @T("Welcome, <strong>{0}</strong>!", "<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + @Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>")
+            @T("Welcome, <strong>{0}</strong>!", Html.Raw("<a href=\"" + @Url.Action("ChangePassword", new { Controller = "Account", Area = "Orchard.Users" }) + "\">" + Html.ItemDisplayText(WorkContext.CurrentUser) + "</a>"))
         </span>
         <span class="user-actions">
             @Html.ActionLink(T("Sign Out").ToString(), "LogOff", new { Controller = "Account", Area = "Orchard.Users", ReturnUrl = Context.Request.RawUrl }, new { rel = "nofollow" })

src/Orchard.Web/Modules/Orchard.Localization/Views/EditorTemplates/Parts/Localization.ContentTranslations.Edit.cshtml

@@ -1,22 +1,117 @@
 @model Orchard.Localization.ViewModels.EditLocalizationViewModel
-<fieldset class="localization culture-selection">
-@if (Model.ContentItem.ContentItem.Id > 0 && Model.SelectedCulture != null && Model.ContentLocalizations.Localizations.Count() > 0) {
+@using System.Globalization
+@{
     Style.Require("LocalizationAdmin");
-    <fieldset class="culture-selected">
-        <label for="SelectedCulture">@T("Content Localization")</label>
-        <div>@T("This is the <em>{0}</em> variation of {1}.",
-                            Html.Encode(Model.SelectedCulture),
-                            Html.ItemEditLink(Model.MasterContentItem ?? Model.ContentItem))</div>
-           @Html.Hidden("SelectedCulture", Model.SelectedCulture)
-    </fieldset>
-    if (Model.ContentLocalizations.Localizations.Count() > 0) {
-    <dl class="content-localization">
-        <dt>@T("Other translations:")</dt>
-        <dd class="content-localizations">
-            @Html.UnorderedList(Model.ContentLocalizations.Localizations, (c, i) => Html.ItemEditLink(c.Culture.Culture, c), "localizations")
-        </dd>
-    </dl>
-    }
-}    
-    <div class="add-localization">@Html.ActionLink(T("+ New translation").Text, "Translate", "Admin", new { area = "Orchard.Localization", id = Model.ContentItem.Id }, null)</div>
+}
+<fieldset class="localization culture-selection">
+    <label for="@Html.FieldIdFor(m => m.SelectedCulture)">@T("Content Localization")</label>
+    <div>
+        @*Brand new content item*@
+        @if (Model.ContentItem.ContentItem.Id == 0) {
+            if (Model.MasterContentItem == null) {
+                @T("This is the <em>{0}</em> variation of the content",
+                    BuildSelectedCultureList(
+                        Html.FieldIdFor(m => m.SelectedCulture),
+                        Html.FieldNameFor(m => m.SelectedCulture),
+                        Model.MissingCultures,
+                        Model.SelectedCulture))
+            }
+            else {
+                @T("This is the <em>{0}</em> variation of {1}",
+                    BuildSelectedCultureList(
+                        Html.FieldIdFor(m => m.SelectedCulture),
+                        Html.FieldNameFor(m => m.SelectedCulture),
+                        Model.MissingCultures,
+                        Model.SelectedCulture),
+                    Html.ItemEditLink(Model.MasterContentItem))
+            }
+        }
+
+        @if (Model.ContentItem.ContentItem.Id > 0) {
+            if (string.IsNullOrEmpty(Model.SelectedCulture)) {
+                @T("This content currently has no culture associated to it, please select a culture to associate to this piece of content: {0}",
+                    BuildSelectedCultureList(
+                        Html.FieldIdFor(m => m.SelectedCulture),
+                        Html.FieldNameFor(m => m.SelectedCulture),
+                        Model.MissingCultures,
+                        Model.SelectedCulture))
+            }
+            else {
+                @T("This is the <em>{0}</em> variation of the content",
+                    Html.Encode(Model.SelectedCulture))
+
+                if (Model.ContentLocalizations.Localizations.Any()) {
+                    <dl class="content-localization">
+                        <dt>@T("Other translations:")</dt>
+                        <dd class="content-localizations">
+                            @Html.UnorderedList(Model.ContentLocalizations.Localizations, (c, i) =>
+                                Html.ItemEditLink(c.Culture.Culture, c), "localizations")
+                        </dd>
+                    </dl>
+                }
+
+                if (Model.MissingCultures.Any()) {
+                    var contentItemId = Model.MasterContentItem != null ? Model.MasterContentItem.Id : Model.ContentItem.Id;
+
+                    <div class="add-localization">@Html.ActionLink(T("+ New translation").Text, "Translate", "Admin", new {area = "Orchard.Localization", id = contentItemId}, null)</div>
+                }
+
+                @Html.Hidden(Html.FieldNameFor(m => m.SelectedCulture), Model.SelectedCulture)
+            }
+        }
+    </div>
 </fieldset>
+
+
+
+@functions{
+    private IHtmlString BuildSelectedCultureList(string id, string name, IEnumerable<string> siteCultures, string culture) {
+        TagBuilder selectTag = new TagBuilder("select");
+        selectTag.Attributes["id"] = id;
+        selectTag.Attributes["name"] = name;
+
+        foreach (var siteCulture in siteCultures) {
+            TagBuilder optionTag = new TagBuilder("option");
+            optionTag.Attributes["data-content-dir"] = CultureInfo.GetCultureInfo(siteCulture).TextInfo.IsRightToLeft ? "rtl" : "ltr";
+
+            if (siteCulture == culture) {
+                optionTag.Attributes["selected"] = "selected";
+            }
+            optionTag.SetInnerText(Html.Encode(siteCulture));
+            selectTag.InnerHtml += optionTag.ToString();
+        }
+
+        return Html.Raw(selectTag);
+    }
+}
+@using (Script.Foot()) {
+    <script type="text/javascript">
+//<![CDATA[
+    (function($) {
+        "use strict";
+
+        var culture = $("#@Html.FieldIdFor(m => m.SelectedCulture)");
+
+        function flipCulture() {
+            var optionDirectionality = $("option:selected", culture).attr("data-content-dir");
+            var contentZone = $(".zone-content");
+            if (contentZone.hasClass(optionDirectionality))
+                return;
+
+            var oldClass = optionDirectionality === "ltr" ? "rtl" : "";
+
+            contentZone.removeClass("content-" + oldClass);
+            contentZone.addClass("content-" + optionDirectionality);
+
+            $(document).trigger("localization.ui.directionalitychanged", optionDirectionality);
+        }
+
+        culture.change(function () {
+            flipCulture();
+        });
+
+        flipCulture();
+    })(jQuery);
+//]]>
+    </script>
+}

src/Orchard.Web/Modules/Orchard.MediaLibrary/Views/EditorTemplates/Parts/WebSearch.WebSearchSettings.cshtml

@@ -7,7 +7,7 @@
         <span class="hint">@T("Your private key.")</span>
     </div>
 
-    @T("Get a free API Key on {0}", "<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>")
+    @T("Get a free API Key on {0}", Html.Raw("<a href=\"http://datamarket.azure.com/dataset/bing/search\">http://datamarket.azure.com/dataset/bing/search</a>"))
 </fieldset>
 
 

src/Orchard.Web/Orchard/Localization/Text.cs

@@ -0,0 +1,62 @@
+using System;
+using System.Globalization;
+using System.Linq;
+using System.Web;
+using Orchard.Localization.Services;
+using Orchard.Logging;
+
+namespace Orchard.Localization {
+    public class Text : IText {
+        private readonly string _scope;
+        private readonly IWorkContextAccessor _workContextAccessor;
+        private readonly ILocalizedStringManager _localizedStringManager;
+
+        public Text(string scope, IWorkContextAccessor workContextAccessor, ILocalizedStringManager localizedStringManager) {
+            _scope = scope;
+            _workContextAccessor = workContextAccessor;
+            _localizedStringManager = localizedStringManager;
+            Logger = NullLogger.Instance;
+        }
+
+        public ILogger Logger { get; set; }
+
+        public LocalizedString Get(string textHint, params object[] args) {
+            Logger.Debug("{0} localizing '{1}'", _scope, textHint);
+
+            var workContext = _workContextAccessor.GetContext();
+	        
+	        if (workContext != null) {
+		        var currentCulture = workContext.CurrentCulture;
+		        var localizedFormat = _localizedStringManager.GetLocalizedString(_scope, textHint, currentCulture);
+
+				return args.Length == 0
+				? new LocalizedString(localizedFormat, _scope, textHint, args)
+				: new LocalizedString(
+                    String.Format(GetFormatProvider(currentCulture), localizedFormat, args.Select(Encode).ToArray()), 
+                    _scope, 
+                    textHint, 
+                    args);
+	        }
+
+			return new LocalizedString(textHint, _scope, textHint, args);
+        }
+
+        private static IFormatProvider GetFormatProvider(string currentCulture) {
+            try {
+                return CultureInfo.GetCultureInfoByIetfLanguageTag(currentCulture);
+            }
+            catch {
+                return null;
+            }
+        }
+        
+        static object Encode(object arg)
+        {
+            if (arg is IFormattable || arg is IHtmlString) {
+                return arg;
+            }
+
+            return HttpUtility.HtmlEncode(arg);
+        }        
+    }
+}

src/Orchard.Web/Themes/TheAdmin/Views/Title.cshtml

@@ -1 +1 @@
-<h1 id="page-title">@Model.Title.ToString()</h1>
+<h1 id="page-title">@Model.Title</h1>