Filter user-requested language input

There was an HTML injection attack made possible by the fact that we were including the unsanitized language inputs in the HTML page returned to the user. This change filters any user-requested languages (either from the Accept-Language header or the "lang" parameter) and only includes languages supported by BridgeDB.