From: bugreport%peshkin.net <>
Date: Thu, 20 Oct 2005 03:07:00 +0000 (+0000)
Subject: Bug 312933 Query.cgi leaks product names
X-Git-Tag: bugzilla-2.22rc1~209
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a38539a73699a6d03c6d129375cecde85267269a;p=thirdparty%2Fbugzilla.git
Bug 312933 Query.cgi leaks product names Patch by Joel Peshkin r=lpsolit, a=justdave
---
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 80bf0a2b95..7d061b2aeb 100644
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -43,7 +43,13 @@ var tms = new Array();
 [% nclass = 0 %]
 [% FOREACH c = classification %]
 prods[[% nclass FILTER js %]] = [
- [%- FOREACH item = c.products %]'[% item.name FILTER js %]'[% ", " UNLESS loop.last %] [%- END -%] ];
+ [% sep = '' %]
+ [%- FOREACH item = c.products -%]
+ [%- IF user.can_see_product(item.name) -%]
+ [%- sep FILTER js %]'[% item.name FILTER js %]'
+ [%- sep = ',' -%]
+ [%- END -%]
+ [%- END -%] ];
 [% nclass = nclass+1 %]
 [% END %]
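Review bot: The visibility check `user.can_see_product(item.name)` is enforced only inside this one template loop, so the access decision lives in the presentation layer. `c.products` still reaches the template unfiltered, and any other place that iterates it (elsewhere in this template outside the hunk, or a customised or localised copy of form.html.tmpl) would presumably still emit the hidden names. Filtering the product list in query.cgi before it is handed to the template would close the leak at the source and keep this loop as a second line of defence. A classification whose products are all hidden still yields an empty `prods[n] = [ ];` entry, so it is worth confirming whether the classification itself should be listed for that user. I would also add a comment above the loop, for example `[%# Only emit products the user is allowed to see (bug 312933) %]`, so a later simplification back to `loop.last` does not silently drop the check.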