From f2404903d6e1fe6f3c2fc267e9e8d5e24a71fdbe Mon Sep 17 00:00:00 2001
From: ghostubborn <ghostubborn@hotmail.com>
Date: Thu, 2 Apr 2026 14:01:24 +0800
Subject: [PATCH] fix(i18n): validate Accept-Language header against registered
 locales

---
 backend/app/utils/locale.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/app/utils/locale.py b/backend/app/utils/locale.py
index 868c4f0b..23d04aa9 100644
--- a/backend/app/utils/locale.py
+++ b/backend/app/utils/locale.py
@@ -27,7 +27,8 @@ def set_locale(locale: str):
 
 def get_locale() -> str:
     if has_request_context():
-        return request.headers.get('Accept-Language', 'zh')
+        raw = request.headers.get('Accept-Language', 'zh')
+        return raw if raw in _translations else 'zh'
     return getattr(_thread_local, 'locale', 'zh')