There was an HTML injection attack made possible by the fact that we
were including the unsanitized language inputs in the HTML page
returned to the user. This change filters any user-requested languages
(either from the Accept-Language header or the "lang" parameter) and
only includes languages supported by BridgeDB.