fix: validate plugin id in toggleActive

public/language/en-GB/error.json

@@ -255,6 +255,7 @@
 	"no-connection": "There seems to be a problem with your internet connection",
 	"socket-reconnect-failed": "Unable to reach the server at this time. Click here to try again, or try again later",
 
+	"invalid-plugin-id": "Invalid plugin ID",
 	"plugin-not-whitelisted": "Unable to install plugin – only plugins whitelisted by the NodeBB Package Manager can be installed via the ACP",
 	"plugins-set-in-configuration": "You are not allowed to change plugin state as they are defined at runtime (config.json, environmental variables or terminal arguments), please modify the configuration instead.",
 	"theme-not-set-in-configuration": "When defining active plugins in configuration, changing themes requires adding the new theme to the list of active plugins before updating it in the ACP",

src/plugins/install.js

@@ -12,7 +12,7 @@ const request = require('../request');
 const db = require('../database');
 const meta = require('../meta');
 const pubsub = require('../pubsub');
-const { paths } = require('../constants');
+const { paths, pluginNamePattern } = require('../constants');
 const pkgInstall = require('../cli/package-install');
 
 const packageManager = pkgInstall.getPackageManager();
@@ -60,6 +60,9 @@ module.exports = function (Plugins) {
 			winston.error('Cannot activate plugins while plugin state is set in the configuration (config.json, environmental variables or terminal arguments), please modify the configuration instead');
 			throw new Error('[[error:plugins-set-in-configuration]]');
 		}
+		if (!pluginNamePattern.test(id)) {
+			throw new Error('[[error:invalid-plugin-id]]');
+		}
 		const isActive = await Plugins.isActive(id);
 		if (isActive) {
 			await db.sortedSetRemove('plugins:active', id);