Bug 312933 Query.cgi leaks product names

Patch by Joel Peshkin <bugreport@peshkin.net>
r=lpsolit, a=justdave

diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 80bf0a2b95e152a95bb846290f151e4c94e0df9e..7d061b2aeb93a9ce8ba7725027a39856f942be6b 100644 (file)
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -43,7 +43,13 @@ var tms = new Array();
 [% nclass = 0 %]
 [% FOREACH c = classification %]
   prods[[% nclass FILTER js %]] = [
-    [%- FOREACH item = c.products %]'[% item.name FILTER js %]'[% ", " UNLESS loop.last %] [%- END -%] ];
+    [% sep = '' %]
+    [%- FOREACH item = c.products -%]
+      [%- IF user.can_see_product(item.name) -%]
+        [%- sep FILTER js %]'[% item.name FILTER js %]'
+        [%- sep = ',' -%] 
+      [%- END -%]
+    [%- END -%] ];
   [% nclass = nclass+1 %]
 [% END %]