Index: openacs-4/packages/acs-lang/tcl/locale-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-lang/tcl/locale-procs.tcl,v
diff -u -r1.39.2.1 -r1.39.2.2
--- openacs-4/packages/acs-lang/tcl/locale-procs.tcl	10 Sep 2015 08:21:26 -0000	1.39.2.1
+++ openacs-4/packages/acs-lang/tcl/locale-procs.tcl	29 May 2016 10:25:58 -0000	1.39.2.2
@@ -612,7 +612,9 @@
 }
 
 ad_proc -private lang::conn::get_accept_language_header {} {
-
+    Obtain a list of locals from the request headers.
+    @return a list of locales in the syntax used by OpenAcs (ISO codes)
+} {
     set acclang [ns_set iget [ns_conn headers] "Accept-Language"]
 
     # Split by comma, and get rid of any ;q=0.5 parts
@@ -622,6 +624,9 @@
         # Get rid of trailing ;q=0.5 part
         set elm [lindex [split $elm ";"] 0]
 
+        if {![regexp {^[a-zA-Z-]+$} $elem]} {
+            error "invalid locale in provided Accept-Language header field"
+        }
         # elm is now either like 'da' or 'en-us'
         # make it into something like 'da' or 'en_US'
         set elmv [split $elm "-"]