From a38539a73699a6d03c6d129375cecde85267269a Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Thu, 20 Oct 2005 03:07:00 +0000
Subject: Bug 312933 Query.cgi leaks product names Patch by Joel Peshkin r=lpsolit, a=justdave
---
 template/en/default/search/form.html.tmpl | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 80bf0a2b9..7d061b2ae 100644
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -43,7 +43,13 @@ var tms = new Array();
 [% nclass = 0 %]
 [% FOREACH c = classification %]
 prods[[% nclass FILTER js %]] = [
- [%- FOREACH item = c.products %]'[% item.name FILTER js %]'[% ", " UNLESS loop.last %] [%- END -%] ];
+ [% sep = '' %]
+ [%- FOREACH item = c.products -%]
+ [%- IF user.can_see_product(item.name) -%]
+ [%- sep FILTER js %]'[% item.name FILTER js %]'
+ [%- sep = ',' -%]
+ [%- END -%]
+ [%- END -%] ];
 [% nclass = nclass+1 %]
 [% END %]
-- 
cgit v1.2.3-24-g4f1b
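Review bot: The visibility check added inside the `prods[...]` loop is enforced only in this one template, so the unfiltered `classification` / `c.products` data still reaches the template layer; any customised or localised copy of `form.html.tmpl`, or any other template that iterates `c.products`, would keep emitting restricted product names. It would be safer to drop products the user cannot see before the data is handed to the template (presumably in query.cgi, which this patch does not show) and keep the `IF user.can_see_product(item.name)` test here as a second line of defence. A comment above the inner `FOREACH` would also stop the check from later being removed as redundant, e.g. `[%# Skip products the user may not see: their names must not appear in the page source. %]`. The rest of the script block lies outside the hunk, so any other per-product arrays it builds should be checked for the same leak.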