I18N: Introduce sanitization function for locale.

Introduce the `sanitize_locale_name()` for sanitizing user input of locales. Props xknown, timothyblynjacobs, ocean90, peterwilsoncc. git-svn-id: https://develop.svn.wordpress.org/trunk@55760 602fd350-edb4-49c9-b593-d223f7449a82
2025-04-13 00:22:52 +02:00 · 2023-05-16 14:16:39 +00:00 · 2023-05-16 14:16:39 +00:00 · abbf859d53
commit abbf859d53
parent 4313210c82
3 changed files with 74 additions and 2 deletions
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@ -2433,6 +2433,29 @@ function sanitize_html_class( $classname, $fallback = '' ) {
 	return apply_filters( 'sanitize_html_class', $sanitized, $classname, $fallback );
 }

+/**
+ * Strips out all characters not allowed in a locale name.
+ *
+ * @since 6.2.1
+ *
+ * @param string $locale_name The locale name to be sanitized.
+ * @return string The sanitized value.
+ */
+function sanitize_locale_name( $locale_name ) {
+	// Limit to A-Z, a-z, 0-9, '_', '-'.
+	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $locale_name );
+
+	/**
+	 * Filters a sanitized locale name string.
+	 *
+	 * @since 6.2.1
+	 *
+	 * @param string $sanitized   The sanitized locale name.
+	 * @param string $locale_name The locale name before sanitization.
+	 */
+	return apply_filters( 'sanitize_locale_name', $sanitized, $locale_name );
+}
+
 /**
 * Converts lone & characters into `&#038;` (a.k.a. `&amp;`)
 *
--- a/src/wp-includes/l10n.php
+++ b/src/wp-includes/l10n.php
@ -149,9 +149,9 @@ function determine_locale() {
 	$wp_lang = '';

 	if ( ! empty( $_GET['wp_lang'] ) ) {
-		$wp_lang = sanitize_text_field( $_GET['wp_lang'] );
+		$wp_lang = sanitize_locale_name( wp_unslash( $_GET['wp_lang'] ) );
 	} elseif ( ! empty( $_COOKIE['wp_lang'] ) ) {
-		$wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] );
+		$wp_lang = sanitize_locale_name( wp_unslash( $_COOKIE['wp_lang'] ) );
 	}

 	if ( ! empty( $wp_lang ) && ! empty( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] ) {
--- a/tests/phpunit/tests/formatting/sanitizeLocaleName.php
+++ b/tests/phpunit/tests/formatting/sanitizeLocaleName.php
@ -0,0 +1,49 @@
+<?php
+
+/**
+ * @group formatting
+ *
+ * @covers ::sanitize_locale_name
+ */
+class Tests_Formatting_SanitizeLocaleName extends WP_UnitTestCase {
+	/**
+	 * @dataProvider data_sanitize_locale_name_returns_non_empty_string
+	 */
+	public function test_sanitize_locale_name_returns_non_empty_string( $expected, $input ) {
+		$this->assertSame( $expected, sanitize_locale_name( $input ) );
+	}
+
+	public function data_sanitize_locale_name_returns_non_empty_string() {
+		return array(
+			// array( expected, input )
+			array( 'en_US', 'en_US' ),
+			array( 'en', 'en' ),
+			array( 'fr_FR', 'fr_FR' ),
+			array( 'fr_FR', 'fr_FR' ),
+			array( 'fr_FR-e2791ba830489d23043be8650a22a22b', 'fr_FR-e2791ba830489d23043be8650a22a22b' ),
+			array( '-fr_FRmo', '-fr_FR.mo' ),
+			array( '12324', '$12324' ),
+			array( '4124FRRa', '/4124$$$%%FRRa' ),
+			array( 'FR', '<FR' ),
+			array( 'FR_FR', 'FR_FR' ),
+			array( '--__', '--__' ),
+		);
+	}
+
+	/**
+	 * @dataProvider data_sanitize_locale_name_returns_empty_string
+	 */
+	public function test_sanitize_locale_name_returns_empty_string( $input ) {
+		$this->assertSame( '', sanitize_locale_name( $input ) );
+	}
+
+	public function data_sanitize_locale_name_returns_empty_string() {
+		return array(
+			// array( input )
+			array( '$<>' ),
+			array( '/$$$%%\\)' ),
+			array( '....' ),
+			array( '@///' ),
+		);
+	}
+}