Missing input validation on language parameter #3615

@ehumphrey-payments

Describe the Bug

When a user is editing their profile on the Edit Profile page, entering a language string that contains special characters leads to the system's inability to process any future requests made by the logged-in user.

Entering alphanumeric characters only does not impact the system; the system defaults to using the English language. E.g., when entering "whatttt", the input is accepted, the language is set to "whattt" in the HTML, and the system defaults to displaying the English language in all future responses.

The issue occurs when the value supplied has a special character. For instance, when the input supplied was ><script>alert(document.domain)</script>, the server also accepted the input; however, all future requests made by the user were causing an HTTP 500 Internal Server Error.

Steps to Reproduce

Change the language in your profile, but intercept the HTTP request and replace the language parameter with an invalid value such as ><script>alert(document.domain)</script>, and submit the request to the server.

Expected Behaviour

BookStack should validate the input supplied in the language parameter and ensure it matches one of the acceptable languages defined in the application.

Screenshots or Additional Context

No response

Browser Details

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0

Exact BookStack Version

v22.06.2

PHP Version

7.4.26

Hosting Environment

  • LinuxServer container on Ubuntu 22.04 LTS virtual machine
  • LinuxServer MariaDB container
  • Nginx 1.22 as reverse proxy / web server
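
The allow-list check requested under Expected Behaviour, written in plain PHP as an added example; it is not part of the original issue and is not BookStack's own code. The language codes, constants and function names are assumptions, and the read-path fallback covers values that were already stored before any validation existed.

```php
<?php
declare(strict_types=1);

// Constructed allow-list (assumption); a real deployment would derive it
// from the translations it actually ships.
const SUPPORTED_LANGUAGES = ['en', 'de', 'es', 'fr', 'pt_BR'];
const DEFAULT_LANGUAGE = 'en';

/**
 * Write path: accept only an exact, type-strict match against the allow-list.
 * Non-strings (arrays, null) and unknown codes are rejected before storage.
 */
function validateLanguageInput($value): string
{
    if (!is_string($value) || !in_array($value, SUPPORTED_LANGUAGES, true)) {
        // The message deliberately does not echo the submitted value back.
        throw new InvalidArgumentException('Unsupported language');
    }
    return $value;
}

/**
 * Read path: a value saved before validation existed may still be invalid,
 * so normalise it to the default instead of letting later requests fail.
 */
function resolveStoredLanguage(?string $stored): string
{
    return in_array($stored, SUPPORTED_LANGUAGES, true) ? $stored : DEFAULT_LANGUAGE;
}

// Constructed sample inputs, including the two values quoted in the report.
$samples = ['fr', 'whatttt', '><script>alert(document.domain)</script>', ['en'], null];
foreach ($samples as $sample) {
    try {
        $result = 'accepted: ' . validateLanguageInput($sample);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    echo json_encode($sample) . ' => ' . $result . PHP_EOL;
}

// A previously stored invalid value resolves to the default language.
echo resolveStoredLanguage('><script>alert(document.domain)</script>') . PHP_EOL;
```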
