Improved special character handling in manticore and URL query.

src/actors.js

@@ -7,6 +7,7 @@ import { utilsApi } from './manticore.js';
 import { HttpError } from './errors.js';
 import { fetchCountriesByAlpha2 } from './countries.js';
 import { curateStash } from './stashes.js';
+import escape from '../utils/escape-manticore.js';
 import slugify from '../utils/slugify.js';
 
 export function curateActor(actor, context = {}) {
@@ -153,7 +154,7 @@ function curateOptions(options) {
 		page: options?.page || 1,
 		limit: options?.limit || 30,
 		requireAvatar: options?.requireAvatar || false,
-		order: [options.order?.[0] || 'name', options.order?.[1] || 'asc'],
+		order: [escape(options.order?.[0]) || 'name', escape(options.order?.[1]) || 'asc'],
 	};
 }
 
@@ -364,7 +365,7 @@ async function queryManticoreSql(filters, options, _reqUser) {
 				}
 
 				if (filters.query) {
-					builder.whereRaw('match(\'@name :query:\', actors)', { query: filters.query });
+					builder.whereRaw('match(\'@name :query:\', actors)', { query: escape(filters.query) });
 				}
 
 				// attribute filters