fixes GHSA-rr39-mf4j-6594 prevent displaying RAW cookie content

... and also factorize code checking the cookie.lang user input

include/functions.inc.php

@@ -1937,6 +1937,48 @@ function load_language($filename, $dirname = '', $options = array())
   return false;
 }
 
+function load_cookie_language($load_language=true, $update_user=false, $unset_cookie=false, $user_id=null)
+{
+  global $user;
+
+  // Load language if cookie is set from login/register/password pages
+  if (isset($_COOKIE['lang']) and $user['language'] != $_COOKIE['lang'])
+  {
+    if (!array_key_exists($_COOKIE['lang'], get_languages()))
+    {
+      fatal_error('[Hacking attempt] the input parameter "'.htmlspecialchars($_COOKIE['lang']).'" is not valid');
+    }
+  
+    $user['language'] = $_COOKIE['lang'];
+
+    if ($update_user)
+    {
+      single_update(
+        USER_INFOS_TABLE,
+        array(
+          'language' => $_COOKIE['lang']
+        ),
+        array(
+          'user_id' => $user_id ?? $user['id']
+        )
+      );
+    }
+
+    if ($load_language)
+    {
+      load_language('common.lang', '', array('language'=>$user['language']));
+    }
+
+    if ($unset_cookie)
+    {
+      // We unset the lang cookie, if user has changed their language using interface
+      // we don't want to keep setting it back to what was chosen using standard
+      // pages lang switch
+      setcookie("lang", "", time() - 3600);
+    }
+  }
+}
+
 /**
  * converts a string from a character set to another character set
  *