eZ Publish / Platform: EZP-31297

Persistent XSS in user preferences

Details

    • [3.0] - Sprint 20

    Description

      One can inject JS in the user language setting /admin/user/settings/update/language by modifying the request. This is stored, and executed for the same user. AFAIK it cannot be triggered by other users, so it isn't exploitable, and not really a security issue. This may also apply to timezone, and other preference values.

      The data should ideally be washed against a whitelist of approved values, given by the content of the dropdowns. If not, it should at least be filtered against injections, and washed on output (for any existing injections already in the DB).
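The two defences the description asks for, as an added example that is not eZ Platform's own code: validate the submitted preference against the exact set of values the dropdown offers (an allowlist, using strict comparison), and escape any already-stored value when it is rendered. The language allowlist and the sample requests below are constructed; a real application would build the allowlist from the same configuration that populates the dropdown.

```php
<?php
// Added example (not eZ Platform code): allowlist validation of user
// preferences plus output escaping for values already in the database.

// Constructed allowlist standing in for the language dropdown's options.
const ALLOWED_LANGUAGES = ['eng-GB', 'fre-FR', 'ger-DE'];

// The timezone dropdown can be backed by PHP's own list of valid identifiers.
function allowedTimezones(): array
{
    return DateTimeZone::listIdentifiers();
}

/**
 * Returns the submitted value only if it is one of the allowed options,
 * otherwise null. Strict comparison so that "" or "0" cannot slip through
 * via loose type juggling.
 */
function validatePreference(string $submitted, array $allowed): ?string
{
    return in_array($submitted, $allowed, true) ? $submitted : null;
}

/**
 * Output-side defence for values stored before validation existed:
 * escape for an HTML body/attribute context.
 */
function escapeForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: one legitimate, one carrying a script payload in
// the language field (the case the issue describes).
$requests = [
    ['language' => 'fre-FR', 'timezone' => 'Europe/Oslo'],
    ['language' => '<script>alert(1)</script>', 'timezone' => 'Europe/Oslo'],
];

foreach ($requests as $req) {
    $lang = validatePreference($req['language'], ALLOWED_LANGUAGES);
    $tz   = validatePreference($req['timezone'], allowedTimezones());

    if ($lang === null || $tz === null) {
        // Reject rather than "clean": a value not in the dropdown is never valid.
        echo 'rejected: ', escapeForHtml($req['language']), "\n";
        continue;
    }
    echo "stored: {$lang} / {$tz}\n";
}

// Rendering a value that may have been injected before the fix: always escape.
echo escapeForHtml('<script>alert(1)</script>'), "\n";
```

Rejecting anything outside the allowlist is preferable to filtering, because the set of legitimate values is small and known; escaping on output is still needed for rows that were written before validation was enforced.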

Assignee: Unassigned
Reporter: Gunnstein Lye (gunnstein.lye@ibexa.co)