Validate the language parameter

diff --git a/wcfsetup/install/files/emoji/index.php b/wcfsetup/install/files/emoji/index.php
index fbe95f2dace52d9f6f413c5b8084f2b70f0d470b..d7e45e47800635bfa1da1364ec771ae337358b72 100644 (file)
--- a/wcfsetup/install/files/emoji/index.php
+++ b/wcfsetup/install/files/emoji/index.php
@@ -17,7 +17,7 @@ use GuzzleHttp\Psr7\Header;
 
 require(__DIR__ . '/../lib/system/api/autoload.php');
 
-if (!isset($_GET['l'])) {
+if (!isset($_GET['l']) || !\preg_match('~^[A-Za-z\-]+$~', $_GET['l'])) {
     @\http_response_code(404);
     exit;
 }