replacements: fixed recently introduced bug

The recently introduced code to prevent Perl injection broke repeated
replacements with backreferences.

t/search.t

@@ -63,6 +63,8 @@ test_page(get_page('search=fooz replace=fuuz pwd=foo'), split('\n',<<'EOT'));
 This is <strong>fuuz</strong> and this is barz.
 EOT
 
+# 'This is fuuz and this is barz.'
+
 # Replace with empty string
 
 test_page(get_page('search=this%20is%20 replace= pwd=foo delete=1'), split('\n',<<'EOT'));
@@ -71,8 +73,11 @@ test_page(get_page('search=this%20is%20 replace= pwd=foo delete=1'), split('\n',
 fuuz and barz.
 EOT
 
-# Replace with backreferences, where the replacement pattern is no longer found
+# 'fuuz and barz.'
 
+
+# Replace with backreferences, where the replacement pattern is no longer found.
+# Take 'fuuz and barz.' and replace ([a-z]+)z with x$1 results in 'xfuu and xbar.'
 test_page(get_page('"search=([a-z]%2b)z" replace=x%241 pwd=foo'), '1 pages found');
 test_page(get_page('SearchAndReplace'), 'xfuu and xbar.');
 

wiki.pl

@@ -3498,8 +3498,9 @@ sub Replace {
     $_ = $Page{text};
     my $replacement = sub {
       my ($o1, $o2, $o3, $o4, $o5, $o6, $o7, $o8, $o9) = ($1, $2, $3, $4, $5, $6, $7, $8, $9);
-      $to =~ s/\$([1-9])/'$o' . $1/gee;
-      $to
+      my $str = $to;
+      $str =~ s/\$([1-9])/'$o' . $1/gee;
+      $str
     };
     if (s/$from/$replacement->()/gei) { # allows use of backreferences
       push (@result, $id);