fix: escape config.userLang/acpLang, don't allow invalid language codes

public/src/overrides.js

@@ -123,14 +123,16 @@ if (typeof window !== 'undefined') {
 		$.timeago.settings.allowFuture = true;
 		var userLang = config.userLang.replace('_', '-');
 		var options = { year: 'numeric', month: 'short', day: 'numeric', hour: 'numeric', minute: 'numeric' };
-		var formatFn;
+		var formatFn = function (date) {
-		if (typeof Intl === 'undefined') {
+			return date.toLocaleString(userLang, options);
-			formatFn = function (date) {
+		};
-				return date.toLocaleString(userLang, options);
+		try {
-			};
+			if (typeof Intl !== 'undefined') {
-		} else {
+				var dtFormat = new Intl.DateTimeFormat(userLang, options);
-			var dtFormat = new Intl.DateTimeFormat(userLang, options);
+				formatFn = dtFormat.format;
-			formatFn = dtFormat.format;
+			}
+		} catch (err) {
+			console.error(err);
 		}
 
 		var iso;

src/controllers/api.js

@@ -86,8 +86,8 @@ apiController.loadConfig = async function (req) {
 	config.usePagination = settings.usePagination;
 	config.topicsPerPage = settings.topicsPerPage;
 	config.postsPerPage = settings.postsPerPage;
-	config.userLang = (req.query.lang ? validator.escape(String(req.query.lang)) : null) || settings.userLang || config.defaultLang;
+	config.userLang = validator.escape(String((req.query.lang ? req.query.lang : null) || settings.userLang || config.defaultLang));
-	config.acpLang = (req.query.lang ? validator.escape(String(req.query.lang)) : null) || settings.acpLang;
+	config.acpLang = validator.escape(String((req.query.lang ? req.query.lang : null) || settings.acpLang));
 	config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab;
 	config.topicPostSort = settings.topicPostSort || config.topicPostSort;
 	config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort;

src/user/settings.js

@@ -5,6 +5,7 @@ const meta = require('../meta');
 const db = require('../database');
 const plugins = require('../plugins');
 const notifications = require('../notifications');
+const languages = require('../languages');
 
 module.exports = function (User) {
 	User.getSettings = async function (uid) {
@@ -87,6 +88,13 @@ module.exports = function (User) {
 			throw new Error('[[error:invalid-pagination-value, 2, ' + maxTopicsPerPage + ']]');
 		}
 
+		const languageCodes = await languages.listCodes();
+		if (data.userLang && !languageCodes.includes(data.userLang)) {
+			throw new Error('[[error:invalid-language]]');
+		}
+		if (data.acpLang && !languageCodes.includes(data.acpLang)) {
+			throw new Error('[[error:invalid-language]]');
+		}
 		data.userLang = data.userLang || meta.config.defaultLang;
 
 		plugins.fireHook('action:user.saveSettings', { uid: uid, settings: data });

test/user.js

@@ -1550,6 +1550,21 @@ describe('User', function () {
 			});
 		});
 
+		it('should error if language is invalid', function (done) {
+			var data = {
+				uid: testUid,
+				settings: {
+					userLang: '<invalid-string>',
+					topicsPerPage: '10',
+					postsPerPage: '5',
+				},
+			};
+			socketUser.saveSettings({ uid: testUid }, data, function (err) {
+				assert.equal(err.message, '[[error:invalid-language]]');
+				done();
+			});
+		});
+
 		it('should set moderation note', function (done) {
 			var adminUid;
 			async.waterfall([