Fix #1268 (or rather enforce some security measures, there's nothing really broken)
diff --git a/system/core/Lang.php b/system/core/Lang.php
index 3001f1b..601348a 100644
--- a/system/core/Lang.php
+++ b/system/core/Lang.php
@@ -65,11 +65,11 @@
/**
* Load a language file
*
- * @param mixed the name of the language file to be loaded
- * @param string the language (english, etc.)
- * @param bool return loaded array of translations
- * @param bool add suffix to $langfile
- * @param string alternative path to look for language file
+ * @param mixed $langile the name of the language file to be loaded
+ * @param string $idiom = '' the language (english, etc.)
+ * @param bool $return = FALSE return loaded array of translations
+ * @param bool $add_suffix = TRUE add suffix to $langfile
+ * @param string $alt_path = '' alternative path to look for language file
* @return mixed
*/
public function load($langfile, $idiom = '', $return = FALSE, $add_suffix = TRUE, $alt_path = '')
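Review bot: The first `@param` tag in the new docblock names `$langile`, which does not match the `$langfile` parameter in the signature directly below it, so documentation tools will not bind the description to the argument; it should read `@param mixed $langfile the name of the language file to be loaded`. The `= ''`, `= FALSE` and `= TRUE` defaults written inside the tags repeat what the signature already states and are not standard `@param` syntax, so it is worth confirming they follow the project's docblock convention. The body of load() lies outside this hunk.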
@@ -83,10 +83,10 @@
$langfile .= '.php';
- if ($idiom === '')
+ if (empty($idiom) OR ! ctype_alpha($idiom))
{
$config =& get_config();
- $idiom = ( ! empty($config['language'])) ? $config['language'] : 'english';
+ $idiom = empty($config['language']) ? 'english' : $config['language'];
}
if ($return === FALSE && isset($this->is_loaded[$langfile]) && $this->is_loaded[$langfile] === $idiom)
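Review bot: The new guard `empty($idiom) OR ! ctype_alpha($idiom)` silently swaps any rejected value for the configured default, and it also rejects language directory names containing `_` or `-` (for example a constructed `pt_BR`), which the old `=== ''` test let through. If such names must stay loadable, an explicit allow-list such as `if (empty($idiom) OR ! preg_match('/^[a-z_-]+$/i', $idiom))` still keeps dots and path separators out of the directory name and does not depend on the current locale the way `ctype_alpha()` can. Logging the rejected value before falling back would make malformed or probing input visible instead of hiding it behind the default language. The changelog entry added in this same commit says the name is filtered with `ctype_digit()`, while the code calls `ctype_alpha()`. load() starts and ends outside this hunk, so whether `$langfile` and `$alt_path` get a comparable check before the include path is built cannot be confirmed from here.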
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index de5ec47..92f6a03 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -219,6 +219,7 @@
- :doc:`Encryption Library <libraries/encryption>` changes include:
- Added support for hashing algorithms other than SHA1 and MD5.
- Removed previously deprecated ``sha1()`` method.
+ - Changed :doc:`Language Library <libraries/language>` method ``load()`` to filter the language name with ``ctype_digit()``.
- Core
diff --git a/user_guide_src/source/libraries/language.rst b/user_guide_src/source/libraries/language.rst
index ec678cd..b231f14 100644
--- a/user_guide_src/source/libraries/language.rst
+++ b/user_guide_src/source/libraries/language.rst
@@ -54,7 +54,9 @@
Where filename is the name of the file you wish to load (without the
file extension), and language is the language set containing it (ie,
english). If the second parameter is missing, the default language set
-in your application/config/config.php file will be used.
+in your *application/config/config.php* file will be used.
+
+.. note:: The *language* parameter can only consist of letters.
Fetching a Line of Text
=======================
@@ -67,8 +69,7 @@
Where language_key is the array key corresponding to the line you wish
to show.
-Note: This function simply returns the line. It does not echo it for
-you.
+.. note:: This method simply returns the line. It does not echo it.
Using language lines as form labels
-----------------------------------