Fix sql injection through the type and language parameter of the tran…

…slation export

src/Backend/Modules/Locale/Actions/Export.php

@@ -5,6 +5,7 @@
 use Backend\Core\Engine\Base\ActionIndex as BackendBaseActionIndex;
 use Backend\Core\Engine\Model as BackendModel;
 use Backend\Core\Language\Language as BL;
+use Backend\Core\Language\Locale;
 use Backend\Modules\Locale\Engine\Model as BackendLocaleModel;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -47,7 +48,7 @@ private function buildQuery(): array
             // create an array for the languages, surrounded by quotes (example: 'en')
             $languages = [];
             foreach ($this->filter['language'] as $key => $val) {
-                $languages[$key] = '\'' . $val . '\'';
+                $languages[$key] = '\'' . Locale::fromString($val) . '\'';
             }
 
             $query .= ' AND l.language IN (' . implode(',', $languages) . ')';
@@ -70,7 +71,9 @@ private function buildQuery(): array
             // create an array for the types, surrounded by quotes (example: 'lbl')
             $types = [];
             foreach ($this->filter['type'] as $key => $val) {
-                $types[$key] = '\'' . $val . '\'';
+                if (in_array($val, BackendLocaleModel::TYPES)) {
+                    $types[$key] = '\'' . $val . '\'';
+                }
             }
 
             $query .= ' AND l.type IN (' . implode(',', $types) . ')';