closes #4832

src/controllers/api.js

@@ -51,7 +51,7 @@ apiController.getConfig = function(req, res, next) {
 	config['theme:id'] = meta.config['theme:id'];
 	config['theme:src'] = meta.config['theme:src'];
 	config.defaultLang = meta.config.defaultLang || 'en_GB';
-	config.userLang = req.query.lang || config.defaultLang;
+	config.userLang = validator.escape(req.query.lang) || config.defaultLang;
 	config.loggedIn = !!req.user;
 	config['cache-buster'] = meta.config['cache-buster'] || '';
 	config.requireEmailConfirmation = parseInt(meta.config.requireEmailConfirmation, 10) === 1;
@@ -74,7 +74,7 @@ apiController.getConfig = function(req, res, next) {
 				config.topicsPerPage = settings.topicsPerPage;
 				config.postsPerPage = settings.postsPerPage;
 				config.notificationSounds = settings.notificationSounds;
-				config.userLang = req.query.lang || settings.userLang || config.defaultLang;
+				config.userLang = validator.escape(req.query.lang) || settings.userLang || config.defaultLang;
 				config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab;
 				config.topicPostSort = settings.topicPostSort || config.topicPostSort;
 				config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort;

src/middleware/render.js

@@ -1,6 +1,7 @@
 'use strict';
 
 var nconf = require('nconf');
+var validator = require('validator');
 
 var plugins = require('../plugins');
 var translator = require('../../public/src/modules/translator');
@@ -80,7 +81,7 @@ module.exports = function(middleware) {
 							}
 							str = template + str;
 							var language = res.locals.config ? res.locals.config.userLang || 'en_GB' : 'en_GB';
-							language = req.query.lang || language;
+							language = validator.escape(req.query.lang) || language;
 							translator.translate(str, language, function(translated) {
 								translated = translator.unescape(translated);
 								translated = translated + '<script id="ajaxify-data" type="application/json">' + ajaxifyData + '</script>';