From da89c93daef3d42004be786c7fa39ce27cd2bde9 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Sun, 7 Dec 2025 00:15:23 +0100
Subject: [PATCH] Reject and reset invalid language cookies to default

Close #12
---
 src/MD_STD.php | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/MD_STD.php b/src/MD_STD.php
index b270d46..dd95b24 100644
--- a/src/MD_STD.php
+++ b/src/MD_STD.php
@@ -509,8 +509,24 @@ final class MD_STD {
             }
             $lang = $_GET['navlang'];
         }
-        else if (isset($_COOKIE['__Host-lang']) and in_array($_COOKIE['__Host-lang'], $allowed_langs, true)) {
-            $lang = $_COOKIE['__Host-lang'];
+        else if (isset($_COOKIE['__Host-lang'])) {
+
+            if (in_array($_COOKIE['__Host-lang'], $allowed_langs, true)) {
+                $lang = $_COOKIE['__Host-lang'];
+            }
+            else { // Invalid language cookie detected. Clean potential attempts at poisioning cookies.
+                $lang = $default_lang;
+
+                // If the user is a bot or has no user agent at all or one of curl's,
+                // setting a cookie usually makes little sense.
+                // On the other hand, setting the cookie prevents effective caching.
+                if (empty($_SERVER['HTTP_USER_AGENT']) || substr($_SERVER['HTTP_USER_AGENT'], 0, 5) === 'curl/') return $lang;
+
+                if (!setcookie('__Host-lang', $lang, $cookie_options)) {
+                    throw new Exception("Failed to set language");
+                }
+            }
+
         }
         else {
             $lang = self::lang_getfrombrowser($allowed_langs, $default_lang, "", false);
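Review bot: The user-agent test on the new `if (empty($_SERVER['HTTP_USER_AGENT']) || substr($_SERVER['HTTP_USER_AGENT'], 0, 5) === 'curl/') return $lang;` line reads more clearly as `if (empty($_SERVER['HTTP_USER_AGENT']) || str_starts_with($_SERVER['HTTP_USER_AGENT'], 'curl/')) return $lang;` if the project already targets PHP 8, and either way it deserves a comment that it exits the whole function, not just this branch, since the enclosing method continues past the hunk and anything that follows the if/else chain is skipped on this path. Because the cookie uses the `__Host-` prefix, the `$cookie_options` array (defined outside the hunk) must carry `secure => true`, `path => '/'` and no `domain` entry, otherwise browsers reject the replacement cookie and the invalid value keeps arriving on every request, defeating both the reset and the caching concern the comment mentions; a short note at the setcookie call such as `// $cookie_options must satisfy the __Host- prefix rules (Secure, Path=/, no Domain).` would make that dependency explicit. Falling back to `$default_lang` on an invalid cookie, rather than to `self::lang_getfrombrowser(...)` as the no-cookie path does, looks deliberate but is undocumented; a one-line why-comment on `$lang = $default_lang;` would help the next reader. The comment on the `else {` line has a typo: `poisioning` should be `poisoning`.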