2.0.0.0-dev58

* Fixed bugs:
  * Security improved for the Login, Update Cart, Add to Compare, Review, and Add entire wishlist actions on the frontend
  * Removed warnings on category pages when Flat Catalog Category is enabled
  * Fixed product price displayed in wrong currency after switching currency on the frontend
  * Fixed the Save & Duplicate action in product creation
  * Fixed big image scaling in product description
  * Fixed admin dashboard styling issue
  * Fixed validation message for the Quantity field on the product page in the backend
  * Fixed the email template for sharing a Wishlist
  * Fixed the response of the drop-down menu in the Plushe theme
  * Fixed the missing Related Banners tab for Catalog Price Rule
  * Fixed inability to enable the duplicated product
  * Removed warnings on saving payment method configuration
  * Fixed gift messages displaying on the Order View page after admin edits
  * Fixed inability to create a new order status
  * Fixed the behavior of the Save and Previous and the Previous buttons on the Edit Review page
  * Fixed inability to delete a website if the number of websites is less or equal to two
  * Fixed Export on the All Customers page
  * Fixed inability to add products to the Shopping Cart from the Category page in Internet Explorer
  * Fixed logo on the backend login page
  * Fixed visual elements to indicate that Tax details can be expanded on the order creation page in the backend
  * Fixed the CMS page preview design
  * Fixed the newsletter template preview design
  * Fixed the Matched Customers grid design in the Email Reminder Rules
  * Fixed the theme version validation message displayed when creating a new theme
  * Fixed performance degradation during installation wizard execution
  * Fixed cron shell script
  * Fixed user login on the frontend, when the Redirect Customer to Account Dashboard after Logging option is set to No
  * Fixed errors in requests to shipping carrier (DHL International) when the shipping address contains letters with diacritic marks
  * Fixed invalid account creation date
  * Fixed displaying Product Alert links on product view page when the functionality is disabled
  * Fixed the absence of some bundle options when configuring a bundle product in the Shopping Cart on the frontend
  * Fixed the issue which allowed to view and cancel billing agreements belonging to another customer
  * Fixed the content spoofing vulnerability when Solr was used
  * Fixed a potential XSS vulnerability in customer login
  * Fixed RSS feed for categories containing bundle product(s)
  * Fixed inability to place an order with 3D Secure in Internet Explorer 10
  * Fixed inability to place an order with PayPal Payflow Link and PayPal Payments Advanced
  * Fixed integrity constraint violation in catalog URL rewrites
  * Fixed the absence of the error when a wrong website code is specified during a website creation
  * Fixed saving in the backend a new customer address, which contains new customer address attributes configured to be not visible on frontend
  * Fixed USPS shipping method in the checkout
  * Fixed placing orders with recurring profile items via PayPal Express Checkout
  * Fixed email template creation in the backend
  * Fixed the issue with default billing address being used instead of default shipping address during admin order creation
  * Fixed inability to choose DB as Media Storage
  * Fixed PHP issues found during the UI testing of the backend
  * Fixed shipping label creation for USPS Priority Mail Shipping methods
  * Fixed the issue which allowed to create customers with duplicate email
  * Fixed the abstract product block error in the tier price template getter
  * Fixed system message displaying in the backend
  * Fixed the "404" error on customer review page
  * Fixed autocomplete enabled on the admin login page
  * Fixed the 3D Secure iframe
  * Fixed the indicators of mandatory fields on the Package Extension page
  * Fixed product image scaling on the Compare Products page
  * Fixed product page design for products with the Fixed Product Tax attribute
  * Removed spaces between parentheses and numbers in the Cart, Wishlist, and Compare Products blocks
  * Fixed the message displaying the quantity for products found on the Advanced Search page
  * Fixed incorrect caching of locale settings and URL settings during web installation
  * Fixed inability to use a newly created store for admin user roles
  * Fixed absence of the Advanced Search field on the frontend, when the Popular Search Terms functionality is disabled
  * Fixed incorrect link to downloadable product(s) in the email invoice copy
  * Fixed customs monetary value in labels/package info for international shipments
  * Fixed importing for files with blank URL Key field on the store view level
  * Fixed table rate error message
  * Fixed frontend login without pre-set cookies
  * Fixed date resetting to 1 Jan 1970 after saving a design change in the admin panel in case date format is DD/MM/YY
  * Fixed CAPTCHA on multi-address checkout flow
  * Fixed view files population tool
* GitHub requests:
  * [#122](#122) -- Added support of federal units of Brazil with 27 states
  * [#184](#184) -- Removed unused blocks and methods in Magento_Wishlist module
  * [#390](#390) -- Support of alphanumeric order increment ids by the quote resource model
* Themes update:
  * Responsive design improvements
* Improvements in code coverage calculation:
  * Code coverage calculation approach for unit tests was changed from blacklist to whitelist

CHANGELOG.md

@@ -1,3 +1,84 @@
+2.0.0.0-dev58
+=============
+* Fixed bugs:
+  * Security improved for the Login, Update Cart, Add to Compare, Review, and Add entire wishlist actions on the frontend
+  * Removed warnings on category pages when Flat Catalog Category is enabled
+  * Fixed product price displayed in wrong currency after switching currency on the frontend
+  * Fixed the Save & Duplicate action in product creation
+  * Fixed big image scaling in product description
+  * Fixed admin dashboard styling issue
+  * Fixed validation message for the Quantity field on the product page in the backend
+  * Fixed the email template for sharing a Wishlist
+  * Fixed the response of the drop-down menu in the Plushe theme
+  * Fixed the missing Related Banners tab for Catalog Price Rule
+  * Fixed inability to enable the duplicated product
+  * Removed warnings on saving payment method configuration
+  * Fixed gift messages displaying on the Order View page after admin edits
+  * Fixed inability to create a new order status
+  * Fixed the behavior of the Save and Previous and the Previous buttons on the Edit Review page
+  * Fixed inability to delete a website if the number of websites is less or equal to two
+  * Fixed Export on the All Customers page
+  * Fixed inability to add products to the Shopping Cart from the Category page in Internet Explorer
+  * Fixed logo on the backend login page
+  * Fixed visual elements to indicate that Tax details can be expanded on the order creation page in the backend
+  * Fixed the CMS page preview design
+  * Fixed the newsletter template preview design
+  * Fixed the Matched Customers grid design in the Email Reminder Rules
+  * Fixed the theme version validation message displayed when creating a new theme
+  * Fixed performance degradation during installation wizard execution
+  * Fixed cron shell script
+  * Fixed user login on the frontend, when the Redirect Customer to Account Dashboard after Logging option is set to No
+  * Fixed errors in requests to shipping carrier (DHL International) when the shipping address contains letters with diacritic marks
+  * Fixed invalid account creation date
+  * Fixed displaying Product Alert links on product view page when the functionality is disabled
+  * Fixed the absence of some bundle options when configuring a bundle product in the Shopping Cart on the frontend
+  * Fixed the issue which allowed to view and cancel billing agreements belonging to another customer
+  * Fixed the content spoofing vulnerability when Solr was used
+  * Fixed a potential XSS vulnerability in customer login
+  * Fixed RSS feed for categories containing bundle product(s)
+  * Fixed inability to place an order with 3D Secure in Internet Explorer 10
+  * Fixed inability to place an order with PayPal Payflow Link and PayPal Payments Advanced
+  * Fixed integrity constraint violation in catalog URL rewrites
+  * Fixed the absence of the error when a wrong website code is specified during a website creation
+  * Fixed saving in the backend a new customer address, which contains new customer address attributes configured to be not visible on frontend
+  * Fixed USPS shipping method in the checkout
+  * Fixed placing orders with recurring profile items via PayPal Express Checkout
+  * Fixed email template creation in the backend
+  * Fixed the issue with default billing address being used instead of default shipping address during admin order creation
+  * Fixed inability to choose DB as Media Storage
+  * Fixed PHP issues found during the UI testing of the backend
+  * Fixed shipping label creation for USPS Priority Mail Shipping methods
+  * Fixed the issue which allowed to create customers with duplicate email
+  * Fixed the abstract product block error in the tier price template getter
+  * Fixed system message displaying in the backend
+  * Fixed the "404" error on customer review page
+  * Fixed autocomplete enabled on the admin login page
+  * Fixed the 3D Secure iframe
+  * Fixed the indicators of mandatory fields on the Package Extension page
+  * Fixed product image scaling on the Compare Products page
+  * Fixed product page design for products with the Fixed Product Tax attribute
+  * Removed spaces between parentheses and numbers in the Cart, Wishlist, and Compare Products blocks
+  * Fixed the message displaying the quantity for products found on the Advanced Search page
+  * Fixed incorrect caching of locale settings and URL settings during web installation
+  * Fixed inability to use a newly created store for admin user roles
+  * Fixed absence of the Advanced Search field on the frontend, when the Popular Search Terms functionality is disabled
+  * Fixed incorrect link to downloadable product(s) in the email invoice copy
+  * Fixed customs monetary value in labels/package info for international shipments
+  * Fixed importing for files with blank URL Key field on the store view level
+  * Fixed table rate error message
+  * Fixed frontend login without pre-set cookies
+  * Fixed date resetting to 1 Jan 1970 after saving a design change in the admin panel in case date format is DD/MM/YY
+  * Fixed CAPTCHA on multi-address checkout flow
+  * Fixed view files population tool
+* GitHub requests:
+  * [#122](https://github.com/magento/magento2/pull/122) -- Added support of federal units of Brazil with 27 states
+  * [#184](https://github.com/magento/magento2/issues/184) -- Removed unused blocks and methods in Magento_Wishlist module
+  * [#390](https://github.com/magento/magento2/pull/390) -- Support of alphanumeric order increment ids by the quote resource model
+* Themes update:
+  * Responsive design improvements
+* Improvements in code coverage calculation:
+  * Code coverage calculation approach for unit tests was changed from blacklist to whitelist
+
 2.0.0.0-dev57
 =============
 * Fixed bugs:
@@ -44,7 +125,7 @@
     * Session generic wrapper moved to library
     * Messages functionality moved from the Session model as separate component, message manager interface created
     * Sid resolver interface created to handle session sid from request
-  
+
 2.0.0.0-dev56
 =============
 * Fixed bugs:

app/code/Magento/AdminNotification/view/adminhtml/layout/default.xml

@@ -24,32 +24,28 @@
  */
 -->
 <layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-    <referenceBlock name="root">
-        <container name="notifications" as="notifications" label="Notifications" after="header">
-            <block class="Magento\AdminNotification\Block\System\Messages" name="system_messages" as="system_messages" before="-" template="Magento_AdminNotification::system/messages.phtml"/>
-            <block class="Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup" name="unread_system_messages" as="unread_system_messages" after="system_messages" template="Magento_AdminNotification::system/messages/popup.phtml"/>
-            <block class="Magento\AdminNotification\Block\Window" name="notification_window" as="notification_window" acl="Magento_AdminNotification::show_toolbar" template="notification/window.phtml"/>
-        </container>
-        <referenceBlock name="head">
-            <block class="Magento\Theme\Block\Html\Head\Script" name="magento-adminnotification-system-notification-js">
-                <arguments>
-                    <argument name="file" xsi:type="string">Magento_AdminNotification::system/notification.js</argument>
-                </arguments>
-            </block>
-        </referenceBlock>
-    </referenceBlock>
+    <referenceContainer name="notifications">
+        <block class="Magento\AdminNotification\Block\System\Messages" name="system_messages" as="system_messages" before="-" template="Magento_AdminNotification::system/messages.phtml"/>
+        <block class="Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup" name="unread_system_messages" as="unread_system_messages" after="system_messages" template="Magento_AdminNotification::system/messages/popup.phtml"/>
+        <block class="Magento\AdminNotification\Block\Window" name="notification_window" as="notification_window" acl="Magento_AdminNotification::show_toolbar" template="notification/window.phtml"/>
+    </referenceContainer>
     <referenceBlock name="header">
         <block class="Magento\AdminNotification\Block\ToolbarEntry" template="toolbar_entry.phtml" before="-"/>
     </referenceBlock>
     <referenceBlock name="head">
-        <block class="Magento\Theme\Block\Html\Head\Css" name="magento-core-prototype-magento-css">
+        <block class="Magento\Theme\Block\Html\Head\Script" name="magento-adminnotification-toolbar-entry-js" after="jquery-jquery-js">
             <arguments>
-                <argument name="file" xsi:type="string">Magento_Core::prototype/magento.css</argument>
+                <argument name="file" xsi:type="string">Magento_AdminNotification::toolbar_entry.js</argument>
             </arguments>
         </block>
-        <block class="Magento\Theme\Block\Html\Head\Script" name="magento-adminnotification-toolbar-entry-js">
+        <block class="Magento\Theme\Block\Html\Head\Script" name="magento-adminnotification-system-notification-js" after="jquery-jquery-js">
             <arguments>
-                <argument name="file" xsi:type="string">Magento_AdminNotification::toolbar_entry.js</argument>
+                <argument name="file" xsi:type="string">Magento_AdminNotification::system/notification.js</argument>
+            </arguments>
+        </block>
+        <block class="Magento\Theme\Block\Html\Head\Css" name="magento-core-prototype-magento-css">
+            <arguments>
+                <argument name="file" xsi:type="string">Magento_Core::prototype/magento.css</argument>
             </arguments>
         </block>
     </referenceBlock>

app/code/Magento/Authorizenet/view/frontend/directpost/form.phtml

@@ -56,7 +56,7 @@ $_orderUrl = $this->helper('Magento\Authorizenet\Helper\Data')->getPlaceOrderFro
         <div class="field required number">
             <label for="<?php echo $_code ?>_cc_number" class="label"><span><?php echo __('Credit Card Number') ?></span></label>
             <div class="control">
-                <input type="text" id="<?php echo $_code ?>_cc_number" data-container="cc-number" name="payment[cc_number]" title="<?php echo __('Credit Card Number') ?>" class="input-text" value="" data-validate='{required:true, "validate-cc-number":"#<?php echo $_code ?>_cc_type", "validate-cc-type":"#<?php echo $_code ?>_cc_type"}' autocomplete="off"/>
+                <input type="number" id="<?php echo $_code ?>_cc_number" data-container="cc-number" name="payment[cc_number]" title="<?php echo __('Credit Card Number') ?>" class="input-text" value="" data-validate='{required:true, "validate-cc-number":"#<?php echo $_code ?>_cc_type", "validate-cc-type":"#<?php echo $_code ?>_cc_type"}' autocomplete="off"/>
             </div>
         </div>
         <div class="field required date" id="<?php echo $_code ?>_cc_type_exp_div">
@@ -90,7 +90,7 @@ $_orderUrl = $this->helper('Magento\Authorizenet\Helper\Data')->getPlaceOrderFro
         <div class="field required cvv" id="<?php echo $_code ?>_cc_type_cvv_div">
             <label for="<?php echo $_code ?>_cc_cid" class="label"><span><?php echo __('Card Verification Number') ?></span></label>
             <div class="control">
-                <input type="text" title="<?php echo __('Card Verification Number') ?>" data-container="cc-cvv" class="input-text cvv" id="<?php echo $_code ?>_cc_cid" name="payment[cc_cid]" value="" data-validate='{required:true, "validate-cc-cvn":"#<?php echo $_code ?>_cc_type"}' autocomplete="off"/>
+                <input type="number" title="<?php echo __('Card Verification Number') ?>" data-container="cc-cvv" class="input-text cvv" id="<?php echo $_code ?>_cc_cid" name="payment[cc_cid]" value="" data-validate='{required:true, "validate-cc-cvn":"#<?php echo $_code ?>_cc_type"}' autocomplete="off"/>
                 <div class="note">
                     <a href="#" id="directpost-cvv-what-is-this" class="action cvv" data-mage-init='{toggleAdvanced: {toggleContainers:"#directpost-tool-tip"}}'><span><?php echo __('What is this?') ?></span></a>
                 </div>

app/code/Magento/Backend/App/AbstractAction.php

@@ -381,23 +381,4 @@ protected function _validateSecretKey()
         }
         return true;
     }
-
-    /**
-     * Render specified template
-     *
-     * @param string $tplName
-     * @param array $data parameters required by template
-     */
-    protected function _outTemplate($tplName, $data = array())
-    {
-        $this->_view->getLayout()->initMessages();
-        $block = $this->_view->getLayout()
-            ->createBlock('Magento\Backend\Block\Template')->setTemplate("{$tplName}.phtml");
-        foreach ($data as $index => $value) {
-            $block->assign($index, $value);
-        }
-        $html = $block->toHtml();
-        $this->_objectManager->get('Magento\Core\Model\Translate')->processResponseBody($html);
-        $this->getResponse()->setBody($html);
-    }
 }

app/code/Magento/Backend/Controller/Adminhtml/System/Config/System/Storage.php

@@ -64,7 +64,9 @@ public function synchronizeAction()
     {
         session_write_close();
 
-        if (!isset($_REQUEST['storage'])) {
+        $requestStorage = $this->getRequest()->getParam('storage');
+        $requestConnection = $this->getRequest()->getParam('connection');
+        if (!isset($requestStorage)) {
             return;
         }
 
@@ -80,9 +82,9 @@ public function synchronizeAction()
             ->setFlagData(array())
             ->save();
 
-        $storage = array('type' => (int) $_REQUEST['storage']);
-        if (isset($_REQUEST['connection']) && !empty($_REQUEST['connection'])) {
-            $storage['connection'] = $_REQUEST['connection'];
+        $storage = array('type' => $requestStorage);
+        if (isset($requestConnection) && !empty($requestConnection)) {
+            $storage['connection'] = $requestConnection;
         }
 
         try {

app/code/Magento/Backend/Controller/Adminhtml/System/Design.php

@@ -35,15 +35,23 @@ class Design extends \Magento\Backend\App\Action
      */
     protected $_coreRegistry = null;
 
+    /**
+     * @var \Magento\Core\Filter\Date
+     */
+    protected $dateFilter;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\Core\Model\Registry $coreRegistry
+     * @param \Magento\Core\Filter\Date $dateFilter
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
-        \Magento\Core\Model\Registry $coreRegistry
+        \Magento\Core\Model\Registry $coreRegistry,
+        \Magento\Core\Filter\Date $dateFilter
     ) {
         $this->_coreRegistry = $coreRegistry;
+        $this->dateFilter = $dateFilter;
         parent::__construct($context);
     }
 
@@ -86,7 +94,9 @@ public function editAction()
         $this->_coreRegistry->register('design', $design);
 
         $this->_addContent($this->_view->getLayout()->createBlock('Magento\Backend\Block\System\Design\Edit'));
-        $this->_addLeft($this->_view->getLayout()->createBlock('Magento\Backend\Block\System\Design\Edit\Tabs', 'design_tabs'));
+        $this->_addLeft(
+            $this->_view->getLayout()->createBlock('Magento\Backend\Block\System\Design\Edit\Tabs', 'design_tabs')
+        );
 
         $this->_view->renderLayout();
     }
@@ -95,6 +105,7 @@ public function saveAction()
     {
         $data = $this->getRequest()->getPost();
         if ($data) {
+            $data['design'] = $this->_filterPostData($data['design']);
             $id = (int) $this->getRequest()->getParam('id');
 
             $design = $this->_objectManager->create('Magento\Core\Model\Design');
@@ -143,4 +154,18 @@ protected function _isAllowed()
     {
         return $this->_authorization->isAllowed('Magento_Adminhtml::design');
     }
+
+    /**
+     * Filtering posted data. Converting localized data if needed
+     *
+     * @param array
+     * @return array
+     */
+    protected function _filterPostData($data)
+    {
+        $inputFilter = new \Zend_Filter_Input(
+            array('date_from' => $this->dateFilter, 'date_to' => $this->dateFilter), array(), $data);
+        $data = $inputFilter->getUnescaped();
+        return $data;
+    }
 }

app/code/Magento/Backend/Controller/Adminhtml/System/Store.php

@@ -255,7 +255,7 @@ public function saveAction()
                 $this->_redirect('adminhtml/*/');
                 return;
             } catch (\Magento\Core\Exception $e) {
-                $this->messageManager->addMessages($e->getMessages());
+                $this->messageManager->addError($e->getMessage());
                 $this->_getSession()->setPostData($postData);
             } catch (\Exception $e) {
                 $this->messageManager->addException($e, __('An error occurred while saving. Please review the error log.'));

app/code/Magento/Backend/Model/Auth/Session.php

@@ -29,6 +29,13 @@
 /**
  * Backend Auth session model
  *
+ * @method \Magento\User\Model\User|null getUser()
+ * @method \Magento\Backend\Model\Auth\Session setUser(\Magento\User\Model\User $value)
+ * @method \Magento\Acl|null getAcl()
+ * @method \Magento\Backend\Model\Auth\Session setAcl(\Magento\Acl $value)
+ * @method int getUpdatedAt()
+ * @method \Magento\Backend\Model\Auth\Session setUpdatedAt(int $value)
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @todo implement solution that keeps is_first_visit flag in session during redirects
  */

app/code/Magento/Backend/view/adminhtml/admin/login.phtml

@@ -68,7 +68,7 @@
                 <div id="messages" data-container-for="messages">
                     <?php echo $this->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
                 </div>
-                <form method="post" action="" id="login-form">
+                <form method="post" action="" id="login-form" autocomplete="off">
                     <fieldset class="fieldset">
                         <legend class="legend"><span><?php echo __('Welcome') ?></span></legend><br/>
                         <input name="form_key" type="hidden" value="<?php echo $this->getFormKey() ?>" />
@@ -81,6 +81,8 @@
                         <div class="field field-password">
                             <label for="login" class="label"><?php echo __('Password:') ?></label>
                             <div class="control">
+                                <!-- This is a dummy hidden field to trick firefox from auto filling the password -->
+                                <input type="text" class="input-text no-display" name="dummy" id="dummy" />
                                 <input type="password" id="login" name="login[password]" class="required-entry input-text" value="" placeholder="password" />
                             </div>
                         </div>

app/code/Magento/Backend/view/adminhtml/layout/default.xml

@@ -279,6 +279,7 @@
         <block class="Magento\Backend\Block\Page\Header" name="header" as="header">
             <block class="Magento\Backend\Block\GlobalSearch" as="search" acl="Magento_Adminhtml::global_search"/>
         </block>
+        <container name="notifications" as="notifications" label="Notifications"/>
         <block class="Magento\Backend\Block\Widget\Breadcrumbs" name="breadcrumbs" as="breadcrumbs"/>
         <!--<update handle="formkey"/> this won't work, see the try/catch and a jammed exception in \Magento\Core\Model\Layout::createBlock() -->
         <block class="Magento\Backend\Block\Admin\Formkey" name="formkey" as="formkey" template="Magento_Backend::admin/formkey.phtml"/>