authorbugreport%peshkin.net <>2005-10-20 05:07:00 +0200
committerbugreport%peshkin.net <>2005-10-20 05:07:00 +0200
commita38539a73699a6d03c6d129375cecde85267269a (patch)
treeb76109ec212c37e3d396d7f8df7136c19bdb61c3 /template
parent22212e5112de8a21d1727a0ea090a8a37253751b (diff)
downloadbugzilla-a38539a73699a6d03c6d129375cecde85267269a.tar.gz
bugzilla-a38539a73699a6d03c6d129375cecde85267269a.tar.xz
Bug 312933 Query.cgi leaks product names
Patch by Joel Peshkin <bugreport@peshkin.net> r=lpsolit, a=justdave
Diffstat (limited to 'template')
-rw-r--r--template/en/default/search/form.html.tmpl8
1 files changed, 7 insertions, 1 deletions
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 80bf0a2b9..7d061b2ae 100644
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -43,7 +43,13 @@ var tms = new Array();
[% nclass = 0 %]
[% FOREACH c = classification %]
prods[[% nclass FILTER js %]] = [
- [%- FOREACH item = c.products %]'[% item.name FILTER js %]'[% ", " UNLESS loop.last %] [%- END -%] ];
+ [% sep = '' %]
+ [%- FOREACH item = c.products -%]
+ [%- IF user.can_see_product(item.name) -%]
+ [%- sep FILTER js %]'[% item.name FILTER js %]'
+ [%- sep = ',' -%]
+ [%- END -%]
+ [%- END -%] ];
[% nclass = nclass+1 %]
[% END %]
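Review bot: The visibility check added at `[%- IF user.can_see_product(item.name) -%]` enforces access control in the template, so `c.products` itself still carries every product name and each other consumer of `classification` has to repeat the check. If other loops in this script block (which extends outside the hunk) or other templates iterate `c.products`, they would presumably still expose the names; filtering the list where `classification` is assembled would cover all of them at once. If the check stays here, a comment such as `[%# c.products is unfiltered; emit only products this user may see %]` above the inner FOREACH would make the security intent explicit. As a minor style point, `sep` only ever holds `''` or `','`, so `FILTER js` on it is redundant.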