fix for script execution vulnerability
[lhc/web/wiklou.git] / includes / SpecialPreferences.php
index d47ad5c..3666030 100644 (file)
@@ -91,6 +91,11 @@ class PreferencesForm {
                                }
                        }
                }
+
+               # Validate language
+               if ( !preg_match( '/^[a-z\-]*$/', $this->mUserLanguage ) ) {
+                       $this->mUserLanguage = 'nolanguage';
+               }
        }
 
        function execute() {
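Review bot: The pattern in the added `preg_match` check is looser than it reads: without the `D` modifier, `$` also matches just before a trailing newline, so a language code followed by a line feed still passes, and `*` accepts the empty string. Anchoring with `\z` and requiring at least one character closes both gaps: `if ( !preg_match( '/^[a-z-]+\z/', $this->mUserLanguage ) ) {`. If an empty value is a legitimate "not set" state here, keep `*` but still switch to `\z`. The `# Validate language` comment should also say why the value is restricted, for example `# Validate language: allow only lowercase letters and hyphens before the code is used elsewhere`, so a later edit does not relax it. The enclosing method starts above the hunk, so where mUserLanguage is read from and where it is consumed cannot be confirmed from these lines.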