Security: escape language original name to prevent stored XSS

Refs GHSA-j9jg-h6cw-jj7v

The admin language list rendered the stored original_name directly inside an
input value attribute (and a label / table cell) without HTML-attribute
encoding, so a name containing a double quote could break out of the value
attribute and inject an event handler that runs in another admin's browser.

Encode the value with htmlspecialchars(..., ENT_QUOTES, 'UTF-8') at every
render point of original_name.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: AngelFQC

public/main/admin/languages.php

@@ -282,15 +282,16 @@
             $checked = ' checked="checked" ';
         }
 
+        $originalName = htmlspecialchars($row['original_name'], ENT_QUOTES, 'UTF-8');
         $row_td[] = '
             <input type="hidden" name="edit_id" value="'.$id.'" />
-            <input type="text" name="txt_name" value="'.$row['original_name'].'" />
+            <input type="text" name="txt_name" value="'.$originalName.'" />
             <input type="checkbox" '.$checked.' name="platformlanguage" id="platformlanguage" value="'.$row['isocode'].'" />
-            <label for="platformlanguage">'.sprintf(get_lang('%s as platform language'), $row['original_name']).'</label>
+            <label for="platformlanguage">'.sprintf(get_lang('%s as platform language'), $originalName).'</label>
             <input class="btn btn--primary" type="submit" name="Submit" value="'.get_lang('Validate').'" />
             <a name="value" />';
     } else {
-        $row_td[] = $row['original_name'];
+        $row_td[] = htmlspecialchars($row['original_name'], ENT_QUOTES, 'UTF-8');
     }
 
     $row_td[] = $row['english_name'].' ('.$row['isocode'].')';