I don't think we can use only 2 digits; some languages are much longer,
zh-hans-TW for example.
But the regex should stop it being able to handle nasty chars,
whitelisting safe ones instead.
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>
I checked the patch doesn't break language switching and language selection.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
I confirm the bug security issue was not here for master, but this fix improves the behaviour, so pushing it.
my @languages = split(",", C4::Context->preference(
$is_intranet ? 'language' : 'opaclanguages'));
my $lang;
- $lang = $query->cookie('KohaOpacLanguage')
- if defined $query and $query->cookie('KohaOpacLanguage');
+ $lang = getlanguagecookie($query);
unless ($lang) {
my $http_accept_language = $ENV{ HTTP_ACCEPT_LANGUAGE };
$lang = accept_language( $http_accept_language,
$lang = $ENV{HTTP_ACCEPT_LANGUAGE};
}
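Review bot: the removed lines read the cookie only `if defined $query`, but the new call `getlanguagecookie($query)` passes `$query` unconditionally. The helper's body is not fully visible here, so please confirm it returns undef instead of calling `->cookie` on an undefined `$query`, or keep the `defined $query` guard at the call site.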
- $lang = substr($lang, 0, 2);
-
+ $lang =~ s/[^a-zA-Z_-]*//; #sanitzie
return $lang;
}
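Review bot: the added `$lang =~ s/[^a-zA-Z_-]*//;` does not enforce the whitelist, because it has no `/g` and uses `*`, so it replaces only the first match. When the value starts with an allowed character, that match is the empty string at position 0 and nothing is removed, which leaves any later disallowed characters in the returned `$lang`. Suggest `$lang =~ s/[^a-zA-Z_-]//g;` so every character outside the set is stripped, and fix the "sanitzie" typo in the trailing comment while touching the line.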