feature-watchlist: fix format GET parameter

Changelog.md

@@ -24,7 +24,8 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
  - [security] Fix stored XSS attack in the wiki name via the first  run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
  - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the following GET parameters
      - `action` 
-     - `action=watchlist`: `returnto`, `do`
+     - `action=watchlist-edit`: `returnto`, `do`
+     - `action=watchlist`: `format`
  - Fixed a weird bug in the `stats-update` action causing warnings
  - search: Properly apply weightings of matches in page titles and tags
  - Improved error handling on first run where the PHP Zip extension is not installed

modules/feature-watchlist.php

@@ -51,7 +51,7 @@ register_module([
 				exit(page_renderer::render_main("No email address specified -$settings->sitename", "<p>You are logged in, but have not specified an email address to send notifications to. Try specifying one in your <a href='?action=user-preferences'>user preferences</a> and then coming back here.</p>"));
 			}
 			
-			$format = $_GET["format"] ?? "html";
+			$format = slugify($_GET["format"] ?? "html");
 			
 			$watchlist = [];
 			if(!empty($env->user_data->watchlist))