From b38b3ca7235002137cc9ff74b3c24a4a78c9c2d1 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 12 Jan 2015 09:31:52 -0600
Subject: [PATCH] xss: Fix possible vuln setting client lang pref

---
 client.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/client.inc.php b/client.inc.php
index bb8e8badb..64877cc46 100644
--- a/client.inc.php
+++ b/client.inc.php
@@ -48,7 +48,8 @@ $nav=null;
 $thisclient = UserAuthenticationBackend::getUser();
 
 if (isset($_GET['lang']) && $_GET['lang']) {
-    $_SESSION['client:lang'] = $_GET['lang'];
+    if (Internationalization::getLanguageInfo($_GET['lang']))
+        $_SESSION['client:lang'] = $_GET['lang'];
 }
 
 // Bootstrap gettext translations as early as possible, but after attempting
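Review bot: The new guard on the `if (Internationalization::getLanguageInfo(...))` line still passes the raw `$_GET['lang']` straight through, and `$_GET` values can be arrays (`?lang[]=x`), so a non-string reaches getLanguageInfo before any validation happens; whether that is harmless depends on getLanguageInfo's implementation, which is not visible here. A cheap type check closes that: `if (isset($_GET['lang']) && is_string($_GET['lang'])` / `&& Internationalization::getLanguageInfo($_GET['lang']))` / `$_SESSION['client:lang'] = $_GET['lang'];`. If getLanguageInfo matches loosely (case-insensitively, or after normalising the code) the session would still hold the attacker-chosen spelling rather than the canonical one, so if it returns the canonical code it is safer to store that value instead of the query parameter; worth confirming against its definition. A one-line comment such as `// Only accept language codes known to the i18n layer; the value is later emitted into markup` would also record why the gate exists.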
-- 
GitLab