Missing input validation on language parameter #2936

New Issue

Closed

opened 2026-02-05 05:47:23 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 05:47:23 +03:00

Owner

Copy Link

Originally created by @ehumphrey-payments on GitHub (Aug 2, 2022).

Describe the Bug

When a user is editing their profile on the Edit Profile page, entering a language string that contains special characters leads to the system's inability to process any future requests made by the logged-in user.

Entering alphanumeric characters only does not impact the system; the system defaults to using the English language. E.g., when entering "whatttt", the input is accepted, the language is set to "whattt" in the HTML, and the system defaults to displaying the English language in all future responses.

The issue occurs when the value supplied has a special character. For instance, when the input supplied was ><script>alert(document.domain)</script>, the server also accepted the input, however, all future requests made by the user were causing an HTTP 500 Internal Server Error.

Steps to Reproduce

Change the language in your profile, but intercept the HTTP request and replace the language parameter with an invalid value such as ><script>alert(document.domain)</script>, and submit the request to the server.

Expected Behaviour

BookStack should validate the input supplied in the language parameter and ensure it matches one of the acceptable languages defined in the application.

Screenshots or Additional Context

No response

Browser Details

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0

Exact BookStack Version

v22.06.2

PHP Version

7.4.26

Hosting Environment

• LinuxServer container on Ubuntu 22.04 LTS virtual machine
• LinuxServer MariaDB container
• Nginx 1.22 as reverse proxy / web server

Originally created by @ehumphrey-payments on GitHub (Aug 2, 2022). ### Describe the Bug When a user is editing their profile on the Edit Profile page, entering a language string that contains special characters leads to the system's inability to process any future requests made by the logged-in user. Entering alphanumeric characters only does not impact the system; the system defaults to using the English language. E.g., when entering "whatttt", the input is accepted, the language is set to "whattt" in the HTML, and the system defaults to displaying the English language in all future responses. The issue occurs when the value supplied has a special character. For instance, when the input supplied was `><script>alert(document.domain)</script>`, the server also accepted the input, however, all future requests made by the user were causing an HTTP 500 Internal Server Error. ### Steps to Reproduce Change the language in your profile, but intercept the HTTP request and replace the language parameter with an invalid value such as `><script>alert(document.domain)</script>`, and submit the request to the server. ### Expected Behaviour BookStack should validate the input supplied in the language parameter and ensure it matches one of the acceptable languages defined in the application. ### Screenshots or Additional Context _No response_ ### Browser Details Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0 ### Exact BookStack Version v22.06.2 ### PHP Version 7.4.26 ### Hosting Environment * LinuxServer container on Ubuntu 22.04 LTS virtual machine * LinuxServer MariaDB container * Nginx 1.22 as reverse proxy / web server

OVERLORD added the 🐛 Bug label 2026-02-05 05:47:23 +03:00

OVERLORD closed this issue 2026-02-05 05:47:25 +03:00

OVERLORD commented 2026-02-05 05:47:29 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2022):

Thanks for reporting @ErikHumphrey.

I don't see the value in full input value validation on this one, since valid options may be extended and variable creating a dynamic target hence requiring complexity, but a little validation on input length and format would for sure be wise.

@ssddanbrown commented on GitHub (Aug 4, 2022): Thanks for reporting @ErikHumphrey. I don't see the value in full input value validation on this one, since valid options may be extended and variable creating a dynamic target hence requiring complexity, but a little validation on input length and format would for sure be wise.

OVERLORD commented 2026-02-05 05:47:35 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2022):

Some extra validation sprinkled in within commit 89ec9a5081

@ssddanbrown commented on GitHub (Aug 4, 2022): Some extra validation sprinkled in within commit 89ec9a5081caa95d5c3bbddd3f09015cc74329b7

OVERLORD referenced this issue 2026-02-05 10:24:21 +03:00

[PR #2936] [MERGED] Log ip address #6094

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#2936