Fix: language problem when querying related content with non-default lang

[gortiz-dotcms]

Problem

The language used for getting the related content was the default one

Fix

Now when obtaining the related content, the language used for this will be the same as the parent/root content, ensuring consistency with the relation

This PR fixes: #34285

This PR fixes: #34285

[semgrep-code-dotcms-test]

Semgrep found 1 ssc-4fd3a3fc-acff-4277-9d88-60469f5a4fa5 finding:

• core-web/libs/sdk/angular/src/lib/components/dotcms-layout-body/components/row/row.component.ts
  • L16-30 - Triage

Risk: Affected versions of @angular/compiler and @angular/core are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Angular's template compiler fails to classify the href and xlink:href attributes on SVG <script> elements as Resource URL contexts. This allows an attacker to bind a malicious data: URI or external script via [attr.href] or [attr.xlink:href], resulting in arbitrary JavaScript execution (XSS) in the victim's browser.

Fix: Upgrade this library to at least version 20.3.16 at core/core-web/yarn.lock:512.

Reference(s): GHSA-jrmj-c5cx-3cw6, CVE-2026-22610

If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

[Copilot]

Pull request overview

This PR fixes a defect where querying related content in a non-default language was not being respected. The issue occurred when using the /api/content/_search endpoint with languageId explicitly set - the parent content would be returned in the correct language, but related content (via relationship fields) would incorrectly be returned in the default language instead.

Changes:

• Modified ContentHelper.getJSONObject() to use the parent contentlet's language (contentlet.getLanguageId()) instead of the passed language parameter when fetching related content
• Minor formatting change to add a blank line at the end of ContentHelperTest.java

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
dotCMS/src/main/java/com/dotcms/rest/ContentHelper.java	Changed the language parameter passed to addRelationshipsToJSON from the method's language parameter to contentlet.getLanguageId(), ensuring related content is fetched in the same language as the parent contentlet
dotCMS/src/test/java/com/dotcms/rest/ContentHelperTest.java	Added trailing blank line for formatting consistency

[Copilot]

The javadoc for the language parameter on lines 337-338 states it is "The Language ID for the related Contentlets" and is "required only if the depth parameter is specified." However, with this change, the language parameter is no longer used for fetching related contentlets. Instead, contentlet.getLanguageId() is now used on line 362, which means related content will always use the parent contentlet's language regardless of the language parameter value.

The javadoc should be updated to reflect that the language parameter is now unused or deprecated in this context, or the parameter should be removed if it's no longer needed (though this would be a breaking API change).