
fix: Validate and allowlist language input to prevent prompt injection in multi-language README generation #95

Merged
naheel0 merged 3 commits into main from copilot/fix-multi-language-readme-support
Mar 23, 2026

Conversation


Copilot AI commented Mar 23, 2026

body.language from the request was interpolated directly into the Gemini prompt without validation, enabling prompt injection attacks. This PR implements an allowlist-based validation layer and wires up the full multi-language feature end-to-end.

Changes

  • src/constants/languages.ts — New shared constant SUPPORTED_LANGUAGES (as const tuple + SupportedLanguage type) as single source of truth for both API and UI.

  • src/app/api/generate/route.ts — Validates body.language immediately after req.json(): trims, normalizes to title case, checks against SUPPORTED_LANGUAGES, falls back to "English" if unrecognized. The validated local language variable is what gets interpolated into the prompt — body.language is never used directly.

```ts
// `language` is the validated value the prompt builder uses; in the route it is
// declared earlier in the handler, before req.json() is parsed.
let language: string;
// Coerce anything that is not a string to "" so the allowlist check below fails closed.
const rawLanguage = typeof body.language === "string" ? body.language.trim() : "";
// Normalize to title case so "spanish" / "SPANISH" match the allowlist entry "Spanish".
const normalized = rawLanguage.charAt(0).toUpperCase() + rawLanguage.slice(1).toLowerCase();
// Allowlist check: any value not in SUPPORTED_LANGUAGES falls back to "English".
language = (SUPPORTED_LANGUAGES as readonly string[]).includes(normalized) ? normalized : "English";
```
  • src/components/Generator/SearchInput.tsx — Adds language selector dropdown (populated from SUPPORTED_LANGUAGES) with aria-label for accessibility. Updates onGenerate signature to (url: string, language: string). Responsive layout (column on mobile, row on md+).

  • src/app/generate/GeneratePageClient.tsx — Updates handleGenerate to accept and forward language to the API request body.

Original prompt

This section details the original issue you should resolve

<issue_title>fix issues in feat: Multi-Language README Support#92</issue_title>
<issue_description>@copilot
Verify each finding against the current code and only fix it if needed.

In @src/app/api/generate/route.ts around lines 13 - 17, The code reads
body.language into the local variable language and later interpolates it into
the model prompt; to prevent prompt manipulation validate and allowlist this
value immediately after parsing req.json(): accept only known languages (e.g.,
["English","Spanish",...]) by normalizing case/whitespace and mapping aliases,
otherwise set language = "English" or return a 400 error; update the assignment
site where language is set from body.language and ensure the same validated
language variable is the one used when building the prompt (replace any direct
use of body.language with the validated language).

Verify each finding against the current code and only fix it if needed.

In @src/components/Generator/SearchInput.tsx around lines 75 - 85, The language <select> in the SearchInput component lacks an accessible label; add one by giving the <select> an id (e.g., "language-select") and either render a corresponding <label> "Language" (use your existing "sr-only" or visually-hidden utility class to keep it visually hidden) or add an aria-label/aria-labelledby on the <select>; ensure this change ties to the existing language, setLanguage and languages usage so screen readers announce the control properly.

Verify each finding against the current code and only fix it if needed.

In @src/app/api/generate/route.ts at line 11, The JSDoc for the API handler in src/app/api/generate/route.ts incorrectly labels the incoming parameter as a "Fastify request object"; update the comment for the handler (the exported route handler function) to reference the standard/Next.js Request (or "Web Request") instead and adjust the @param type/description to say it is a standard Request object carrying the repo URL and optional language so tooling and maintainers are accurate.

Originally posted by @jaseel0 in https://github.com//issues/92#issuecomment-4109513916
</issue_description>

<agent_instructions>fix the issue</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes #94
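The allowlist pattern the PR describes, as an added example that is not the project's code: `SUPPORTED_LANGUAGES` mirrors the constant named in the PR, but its entries, the `ALIASES` table, and the `validateLanguage` / `buildPrompt` helpers are assumptions made here. It also addresses the alias mapping the issue asked for and one caveat of the PR's own normalization: title-casing only the first character means a multi-word name such as "Simplified Chinese" would have to appear in the allowlist with exactly that casing, so this version compares case-insensitively against the allowlist instead. The `SupportedLanguage` return type is what keeps an unvalidated string from ever reaching the prompt builder.

```typescript
// Added example (not the PR's code): allowlist validation of a user-supplied
// language name before it is interpolated into an LLM prompt.
// The entries below and the alias table are constructed for this example.
export const SUPPORTED_LANGUAGES = [
  "English",
  "Spanish",
  "French",
  "German",
  "Portuguese",
  "Japanese",
  "Simplified Chinese",
] as const;
export type SupportedLanguage = (typeof SUPPORTED_LANGUAGES)[number];

// Constructed alias table: common variants mapped to their canonical allowlist entry.
const ALIASES: Record<string, SupportedLanguage> = {
  en: "English",
  "en-us": "English",
  es: "Spanish",
  espanol: "Spanish",
  "español": "Spanish",
  fr: "French",
  de: "German",
  pt: "Portuguese",
  ja: "Japanese",
  "zh-cn": "Simplified Chinese",
  chinese: "Simplified Chinese",
};

// Lower-cased index built once from the allowlist, so multi-word names such as
// "Simplified Chinese" match regardless of how the caller cased them.
const BY_LOWER = new Map<string, SupportedLanguage>(
  SUPPORTED_LANGUAGES.map((l) => [l.toLowerCase(), l] as const),
);

// Returns a canonical allowlist entry, or "English" for anything it does not
// recognize. Free-form text never passes through, so injected instructions are
// dropped rather than forwarded to the model.
export function validateLanguage(raw: unknown): SupportedLanguage {
  if (typeof raw !== "string") return "English";
  // Trim, collapse internal whitespace and lower-case before lookup.
  const key = raw.trim().replace(/\s+/g, " ").toLowerCase();
  // Fail closed on empty or implausibly long input before any lookup.
  if (key.length === 0 || key.length > 64) return "English";
  return BY_LOWER.get(key) ?? ALIASES[key] ?? "English";
}

// The prompt builder accepts only the narrowed type, so the compiler rejects
// any attempt to pass body.language (a plain string) here directly.
export function buildPrompt(language: SupportedLanguage): string {
  return `Write the README in ${language}.`;
}

// Usage: validate at the request boundary, then build the prompt from the result.
const requestBody: { language?: unknown } = { language: "  spanish " }; // constructed request body
console.log(buildPrompt(validateLanguage(requestBody.language))); // Write the README in Spanish.
```

The alias table is optional; the important property is that every path out of `validateLanguage` returns one of the fixed allowlist strings, so the length and content of what reaches the prompt are bounded no matter what the client sends.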


vercel bot commented Mar 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| readme-gen-ai | Ready | Preview, Comment | Mar 23, 2026 10:33am |

Copilot AI changed the title from "[WIP] Fix issues in multi-language README support" to "fix: Validate and allowlist language input to prevent prompt injection in multi-language README generation" Mar 23, 2026
Copilot AI requested a review from jaseel0 March 23, 2026 10:33
@naheel0 naheel0 marked this pull request as ready for review March 23, 2026 10:35
@naheel0 naheel0 merged commit a9effc4 into main Mar 23, 2026
6 checks passed
@jaseel0 jaseel0 deleted the copilot/fix-multi-language-readme-support branch March 23, 2026 10:36

Successfully merging this pull request may close these issues:

  • fix issues in feat: Multi-Language README Support #92
