magento
diff --git a/‎app/code/Magento/Catalog/Controller/Product/Compare/Add.php
Lines changed: 7 additions & 2 deletions b/‎app/code/Magento/Catalog/Controller/Product/Compare/Add.php
Lines changed: 7 additions & 2 deletions
diff --git a/‎app/code/Magento/Catalog/Controller/Product/Compare/Remove.php
Lines changed: 8 additions & 2 deletions b/‎app/code/Magento/Catalog/Controller/Product/Compare/Remove.php
Lines changed: 8 additions & 2 deletions
diff --git a/‎app/code/Magento/Cms/etc/di.xml
Lines changed: 0 additions & 1 deletion b/‎app/code/Magento/Cms/etc/di.xml
Lines changed: 0 additions & 1 deletion
diff --git a/‎app/code/Magento/Newsletter/view/adminhtml/templates/preview/iframeswitcher.phtml
Lines changed: 9 additions & 1 deletion b/‎app/code/Magento/Newsletter/view/adminhtml/templates/preview/iframeswitcher.phtml
Lines changed: 9 additions & 1 deletion
diff --git a/‎app/code/Magento/Sales/Block/Order/Info/Buttons/Rss.php
Lines changed: 24 additions & 3 deletions b/‎app/code/Magento/Sales/Block/Order/Info/Buttons/Rss.php
Lines changed: 24 additions & 3 deletions
diff --git a/‎app/code/Magento/Sales/Model/Rss/OrderStatus.php
Lines changed: 41 additions & 7 deletions b/‎app/code/Magento/Sales/Model/Rss/OrderStatus.php
Lines changed: 41 additions & 7 deletions
@@ -8,10 +8,13 @@
 
 use Magento\Framework\Exception\NoSuchEntityException;
 
+/**
+ * Add item to compare list action.
+ */
 class Add extends \Magento\Catalog\Controller\Product\Compare
 {
     /**
-     * Add item to compare list
+     * Add item to compare list.
      *
      * @return \Magento\Framework\Controller\ResultInterface
      */
@@ -26,12 +29,13 @@ public function execute()
         if ($productId && ($this->_customerVisitor->getId() || $this->_customerSession->isLoggedIn())) {
             $storeId = $this->_storeManager->getStore()->getId();
             try {
+                /** @var \Magento\Catalog\Model\Product $product */
                 $product = $this->productRepository->getById($productId, false, $storeId);
             } catch (NoSuchEntityException $e) {
                 $product = null;
             }
 
-            if ($product) {
+            if ($product && $product->isSalable()) {
                 $this->_catalogProductCompareList->addProduct($product);
                 $productName = $this->_objectManager->get(\Magento\Framework\Escaper::class)
                     ->escapeHtml($product->getName());
@@ -43,6 +47,7 @@ public function execute()
 
             $this->_objectManager->get(\Magento\Catalog\Helper\Product\Compare::class)->calculate();
         }
+
         return $resultRedirect->setRefererOrBaseUrl();
     }
 
 
@@ -8,11 +8,15 @@
 
 use Magento\Framework\Exception\NoSuchEntityException;
 
+/**
+ * Remove item from compare list action.
+ */
 class Remove extends \Magento\Catalog\Controller\Product\Compare
 {
     /**
-     * Remove item from compare list
+     * Remove item from compare list.
      *
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      * @return \Magento\Framework\Controller\ResultInterface
      */
     public function execute()
@@ -21,12 +25,13 @@ public function execute()
         if ($this->isActionAllowed() && $productId) {
             $storeId = $this->_storeManager->getStore()->getId();
             try {
+                /** @var \Magento\Catalog\Model\Product $product */
                 $product = $this->productRepository->getById($productId, false, $storeId);
             } catch (NoSuchEntityException $e) {
                 $product = null;
             }
 
-            if ($product) {
+            if ($product && $product->isSalable()) {
                 /** @var $item \Magento\Catalog\Model\Product\Compare\Item */
                 $item = $this->_compareItemFactory->create();
                 if ($this->_customerSession->isLoggedIn()) {
@@ -58,6 +63,7 @@ public function execute()
 
         if (!$this->getRequest()->getParam('isAjax', false)) {
             $resultRedirect = $this->resultRedirectFactory->create();
+
             return $resultRedirect->setRefererOrBaseUrl();
         }
     }
 
@@ -43,7 +43,6 @@
                 </item>
                 <item name="media_allowed" xsi:type="array">
                     <item name="flv" xsi:type="string">video/x-flv</item>
-                    <item name="swf" xsi:type="string">application/x-shockwave-flash</item>
                     <item name="avi" xsi:type="string">video/x-msvideo</item>
                     <item name="mov" xsi:type="string">video/x-sgi-movie</item>
                     <item name="rm" xsi:type="string">application/vnd.rn-realmedia</item>
 
@@ -15,7 +15,15 @@
         </div>
         <?php endif;?>
     </div>
-    <iframe name="preview_iframe" id="preview_iframe" frameborder="0" title="<?php /* @escapeNotVerified */ echo __('Preview') ?>" width="100%"></iframe>
+    <iframe
+            name="preview_iframe"
+            id="preview_iframe"
+            frameborder="0"
+            title="<?php /* @escapeNotVerified */ echo __('Preview') ?>"
+            width="100%"
+            sandbox="allow-forms allow-pointer-lock"
+    >
+    </iframe>
     <?php echo $block->getChildHtml('preview_form'); ?>
 </div>
 
 
@@ -5,6 +5,9 @@
  */
 namespace Magento\Sales\Block\Order\Info\Buttons;
 
+use Magento\Framework\App\ObjectManager;
+use Magento\Sales\Model\Rss\Signature;
+
 /**
  * Block of links in Order view page
  */
@@ -25,24 +28,35 @@ class Rss extends \Magento\Framework\View\Element\Template
      */
     protected $rssUrlBuilder;
 
+    /**
+     * @var Signature
+     */
+    private $signature;
+
     /**
      * @param \Magento\Framework\View\Element\Template\Context $context
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
      * @param \Magento\Framework\App\Rss\UrlBuilderInterface $rssUrlBuilder
      * @param array $data
+     * @param Signature|null $signature
      */
     public function __construct(
         \Magento\Framework\View\Element\Template\Context $context,
         \Magento\Sales\Model\OrderFactory $orderFactory,
         \Magento\Framework\App\Rss\UrlBuilderInterface $rssUrlBuilder,
-        array $data = []
+        array $data = [],
+        Signature $signature = null
     ) {
         $this->orderFactory = $orderFactory;
         $this->rssUrlBuilder = $rssUrlBuilder;
+        $this->signature = $signature ?: ObjectManager::getInstance()->get(Signature::class);
+
         parent::__construct($context, $data);
     }
 
     /**
+     * Get link url.
+     *
      * @return string
      */
     public function getLink()
@@ -51,6 +65,8 @@ public function getLink()
     }
 
     /**
+     * Get translatable label for url.
+     *
      * @return \Magento\Framework\Phrase
      */
     public function getLabel()
@@ -88,15 +104,20 @@ protected function getUrlKey($order)
     }
 
     /**
-     * @return string
+     * Get type, secure and query params for link.
+     *
+     * @return array
+     * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
      */
     protected function getLinkParams()
     {
         $order = $this->orderFactory->create()->load($this->_request->getParam('order_id'));
+        $data = $this->getUrlKey($order);
+
         return [
             'type' => 'order_status',
             '_secure' => true,
-            '_query' => ['data' => $this->getUrlKey($order)]
+            '_query' => ['data' => $data, 'signature' => $this->signature->signData($data)],
         ];
     }
 }
@@ -6,10 +6,10 @@
 namespace Magento\Sales\Model\Rss;
 
 use Magento\Framework\App\Rss\DataProviderInterface;
+use Magento\Framework\App\ObjectManager;
 
 /**
- * Class OrderStatus
- * @package Magento\Sales\Model\Rss
+ * Rss renderer for order statuses.
  */
 class OrderStatus implements DataProviderInterface
 {
@@ -55,6 +55,11 @@ class OrderStatus implements DataProviderInterface
      */
     protected $orderFactory;
 
+    /**
+     * @var Signature
+     */
+    private $signature;
+
     /**
      * @param \Magento\Framework\ObjectManagerInterface $objectManager
      * @param \Magento\Framework\UrlInterface $urlBuilder
@@ -63,6 +68,7 @@ class OrderStatus implements DataProviderInterface
      * @param \Magento\Framework\Stdlib\DateTime\TimezoneInterface $localeDate
      * @param \Magento\Sales\Model\OrderFactory $orderFactory
      * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
+     * @param Signature|null $signature
      */
     public function __construct(
         \Magento\Framework\ObjectManagerInterface $objectManager,
@@ -71,7 +77,8 @@ public function __construct(
         \Magento\Sales\Model\ResourceModel\Order\Rss\OrderStatusFactory $orderResourceFactory,
         \Magento\Framework\Stdlib\DateTime\TimezoneInterface $localeDate,
         \Magento\Sales\Model\OrderFactory $orderFactory,
-        \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
+        \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
+        Signature $signature = null
     ) {
         $this->objectManager = $objectManager;
         $this->urlBuilder = $urlBuilder;
@@ -80,6 +87,7 @@ public function __construct(
         $this->localeDate = $localeDate;
         $this->orderFactory = $orderFactory;
         $this->config = $scopeConfig;
+        $this->signature = $signature ?: ObjectManager::getInstance()->get(Signature::class);
     }
 
     /**
@@ -96,7 +104,10 @@ public function isAllowed()
     }
 
     /**
+     * Get rss data.
+     *
      * @return array
+     * @throws \InvalidArgumentException
      */
     public function getRssData()
     {
@@ -108,6 +119,8 @@ public function getRssData()
     }
 
     /**
+     * Get cache key.
+     *
      * @return string
      */
     public function getCacheKey()
@@ -121,6 +134,8 @@ public function getCacheKey()
     }
 
     /**
+     * Get cache lifetime.
+     *
      * @return int
      */
     public function getCacheLifetime()
@@ -129,6 +144,8 @@ public function getCacheLifetime()
     }
 
     /**
+     * Get order.
+     *
      * @return \Magento\Sales\Model\Order
      */
     protected function getOrder()
@@ -137,8 +154,11 @@ protected function getOrder()
             return $this->order;
         }
 
-        $data = null;
-        $json = base64_decode((string)$this->request->getParam('data'));
+        $data = (string)$this->request->getParam('data');
+        if ((string)$this->request->getParam('signature') !== $this->signature->signData($data)) {
+            return null;
+        }
+        $json = base64_decode($data);
         if ($json) {
             $data = json_decode($json, true);
         }
@@ -154,14 +174,26 @@ protected function getOrder()
         $order = $this->orderFactory->create();
         $order->load($data['order_id']);
 
-        if ($order->getIncrementId() !== $data['increment_id'] || $order->getCustomerId() !== $data['customer_id']) {
+        if (!$this->isOrderSuitable($order, $data)) {
             $order = null;
         }
         $this->order = $order;
 
         return $this->order;
     }
 
+    /**
+     * Check if selected order data correspond incoming data.
+     *
+     * @param \Magento\Sales\Model\Order $order
+     * @param array $data
+     * @return bool
+     */
+    private function isOrderSuitable(\Magento\Sales\Model\Order $order, array $data)
+    {
+        return $order->getIncrementId() === $data['increment_id'] && $order->getCustomerId() === $data['customer_id'];
+    }
+
     /**
      * Get RSS feed items
      *
@@ -218,6 +250,8 @@ protected function getHeader()
     }
 
     /**
+     * Get feeds.
+     *
      * @return array
      */
     public function getFeeds()
@@ -226,7 +260,7 @@ public function getFeeds()
     }
 
     /**
-     * {@inheritdoc}
+     * @inheritdoc
      */
     public function isAuthRequired()
     {