From 02a131ec30f76d7de1d27384301e5e3082e20d4c Mon Sep 17 00:00:00 2001
From: audrasjb
Date: Tue, 16 May 2023 14:18:20 +0000
Subject: [PATCH] I18N: Introduce sanitization function for locale.
Introduce the `sanitize_locale_name()` for sanitizing user input of locales.
Props xknown, timothyblynjacobs, ocean90, peterwilsoncc.
Built from https://develop.svn.wordpress.org/trunk@55760
git-svn-id: http://core.svn.wordpress.org/trunk@55272 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/formatting.php | 23 +++++++++++++++++++++++
 wp-includes/l10n.php | 4 ++--
 wp-includes/version.php | 2 +-
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 8240adcc82..01d1eebc4d 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2433,6 +2433,29 @@ function sanitize_html_class( $classname, $fallback = '' ) {
 return apply_filters( 'sanitize_html_class', $sanitized, $classname, $fallback );
 }
 
+/**
+ * Strips out all characters not allowed in a locale name.
+ *
+ * @since 6.2.1
+ *
+ * @param string $locale_name The locale name to be sanitized.
+ * @return string The sanitized value.
+ */
+function sanitize_locale_name( $locale_name ) {
+ // Limit to A-Z, a-z, 0-9, '_', '-'.
+ $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $locale_name );
+
+ /**
+ * Filters a sanitized locale name string.
+ *
+ * @since 6.2.1
+ *
+ * @param string $sanitized The sanitized locale name.
+ * @param string $locale_name The locale name before sanitization.
+ */
+ return apply_filters( 'sanitize_locale_name', $sanitized, $locale_name );
+}
+
 /**
 * Converts lone & characters into `&` (a.k.a. `&`)
 *
diff --git a/wp-includes/l10n.php b/wp-includes/l10n.php
index 9d6135b470..448a233fa8 100644
--- a/wp-includes/l10n.php
+++ b/wp-includes/l10n.php
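Review bot: `sanitize_locale_name()` never checks that `$locale_name` is a string, so the `preg_replace()` on the first line of its body accepts an array subject and returns an array (PHP applies the pattern element-wise), which breaks the documented `@return string` and lets a request such as `wp_lang[]=x` through the two new call sites in the determine_locale() hunk of wp-includes/l10n.php; if I recall correctly the `sanitize_text_field()` those lines replace returned `''` for arrays, so this would be a small regression in input handling. A leading guard `if ( ! is_string( $locale_name ) ) { return ''; }` keeps the contract for callers that pass raw `$_GET`/`$_COOKIE` values. The `preg_replace()` result is also used unchecked; a `null` failure return is unlikely with this fixed pattern, but `$sanitized ?? ''` would keep the return type honest. The docblock could state the accepted set explicitly, e.g. `Keeps only ASCII letters, digits, '_' and '-'; does not verify that the locale exists`, since callers may otherwise assume the result names an installed language.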
@@ -149,9 +149,9 @@ function determine_locale() {
 $wp_lang = '';
 
 if ( ! empty( $_GET['wp_lang'] ) ) {
- $wp_lang = sanitize_text_field( $_GET['wp_lang'] );
+ $wp_lang = sanitize_locale_name( wp_unslash( $_GET['wp_lang'] ) );
 } elseif ( ! empty( $_COOKIE['wp_lang'] ) ) {
- $wp_lang = sanitize_text_field( $_COOKIE['wp_lang'] );
+ $wp_lang = sanitize_locale_name( wp_unslash( $_COOKIE['wp_lang'] ) );
 }
 
 if ( ! empty( $wp_lang ) && ! empty( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index e9b7b9bcee..ef3d800aeb 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.3-alpha-55759';
+$wp_version = '6.3-alpha-55760';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
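Review bot: The `elseif` context line still branches on the raw `$_GET['wp_lang']` being non-empty, so a query value that `sanitize_locale_name()` strips down to `''` (nothing but disallowed characters) now leaves `$wp_lang = ''` and masks a valid cookie instead of falling back to it; the replaced `sanitize_text_field()` lines had the same shape, so this is pre-existing rather than introduced here, but the stricter character set makes the empty result easier to reach. Changing `} elseif ( ! empty( $_COOKIE['wp_lang'] ) ) {` to `}` followed by `if ( '' === $wp_lang && ! empty( $_COOKIE['wp_lang'] ) ) {` would make the cookie fallback depend on the sanitized result rather than the raw input. The value is only character-sanitized at this point, not checked against installed languages; presumably that check happens later or on the login screen, but it is worth confirming since the body of determine_locale() continues outside the hunk.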