potential denial of service attack via the locale parameter