Bug 721715: URLs in the See Also field must be detainted before inserted into the DB
authorFrédéric Buclin <LpSolit@gmail.com>
Fri, 27 Jan 2012 21:28:45 +0000 (22:28 +0100)
committerFrédéric Buclin <LpSolit@gmail.com>
Fri, 27 Jan 2012 21:28:45 +0000 (22:28 +0100)
r=dkl a=LpSolit

Bugzilla/Bug.pm

index ddfe5702855d00d16edc1bd40b38424b7d302249..a848c866b7acd431ca9c8239cc63fa0cb57d279b 100644 (file)
@@ -2853,14 +2853,13 @@ sub add_see_also {
     $class->check_required_create_fields($params);
 
     my $field_values = $class->run_create_validators($params);
-    $uri = $field_values->{value};
-    $field_values->{value} = $uri->as_string;
+    my $value = $field_values->{value}->as_string;
+    trick_taint($value);
+    $field_values->{value} = $value;
 
     # We only add the new URI if it hasn't been added yet. URIs are
     # case-sensitive, but most of our DBs are case-insensitive, so we do
     # this check case-insensitively.
-    my $value = $uri->as_string;
-
     if (!grep { lc($_->name) eq lc($value) } @{ $self->see_also }) {
         my $privs;
         my $can = $self->check_can_change_field('see_also', '', $value, \$privs);
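Review bot: `trick_taint($value)` clears the taint flag without validating anything itself, so the safety of this line rests entirely on `run_create_validators($params)` having already rejected anything that is not an acceptable See Also URL, and nothing in the hunk says so. I would add a comment directly above the call, e.g. `# Safe to detaint: the URL was validated by run_create_validators() above and re-serialized by as_string.`, so that a later change which moves or weakens the validator does not silently leave an unconditional detaint in front of the DB write. If other code paths also store this value, doing the detaint inside the validator that builds the URI object would keep the check and the detaint together, though that code is not visible here. add_see_also starts and ends outside the hunk.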