author | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-27 22:26:28 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-27 22:26:28 +0100 |
commit | 34af5791de2773d01f684085016df3bf5c7dc020 (patch) | |
tree | 57fa6d6849f034f47b0f99f35815fb921abe69ff | |
parent | df170fd24cc50966970e5e7a24bbbcfb171df978 (diff) | |
download | bugzilla-34af5791de2773d01f684085016df3bf5c7dc020.tar.gz bugzilla-34af5791de2773d01f684085016df3bf5c7dc020.tar.xz |
Bug 721715: URLs in the See Also field must be detainted before inserted into the DB
r=dkl a=LpSolit
-rw-r--r-- | Bugzilla/Bug.pm | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm
index aeb2e16b7..4a00596b0 100644
--- a/Bugzilla/Bug.pm
+++ b/Bugzilla/Bug.pm
@@ -2822,14 +2822,13 @@ sub add_see_also {
 $class->check_required_create_fields($params);
 my $field_values = $class->run_create_validators($params);
- $uri = $field_values->{value};
- $field_values->{value} = $uri->as_string;
+ my $value = $field_values->{value}->as_string;
+ trick_taint($value);
+ $field_values->{value} = $value;
 # We only add the new URI if it hasn't been added yet. URIs are
 # case-sensitive, but most of our DBs are case-insensitive, so we do
 # this check case-insensitively.
- my $value = $uri->as_string;
-
 if (!grep { lc($_->name) eq lc($value) } @{ $self->see_also }) {
 my $privs;
 my $can = $self->check_can_change_field('see_also', '', $value, \$privs); |
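Review bot: The added `trick_taint($value);` clears the taint flag without checking anything, so the DB write is only as safe as whatever `run_create_validators($params)` did to the URL two lines earlier, and nothing in the hunk records that dependency. I would state it at the call, e.g. `# Validated by run_create_validators() above; detaint only for the DB insert.`, so that a later change which weakens or bypasses the validator is not silently covered by the detaint. Separately, `$uri` is no longer reassigned to the validated object; if code below the hunk still reads `$uri`, it now sees the value from before validation, which is worth confirming because add_see_also starts and ends outside the hunk.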