fix: sanitise trip slug on input, escape single quotes in YAML frontmatter

Fix D: apply _sanitise_slug() to grav_trip_slug in POST /select before
storing in TripState, preventing path traversal via ../sequences.

Fix E: add _yaml_str() helper that doubles single quotes; apply to title,
location_city, and location_country in both run_export and overwrite_export
frontmatter blocks, preventing invalid YAML for values like Xi'an.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/travel-memories/app/routes/export.py

@@ -16,6 +16,10 @@ def slugify(text: str) -> str:
     return re.sub(r"[\s_-]+", "-", text).strip("-")
 
 
+def _yaml_str(s: str) -> str:
+    return s.replace("'", "''")
+
+
 def _client():
     return ImmichClient(
         current_app.config["IMMICH_URL"],
@@ -98,19 +102,19 @@ def run_export():
         if group.entry_type == "journal":
             frontmatter = (
                 f"---\n"
-                f"title: '{group.title}'\n"
+                f"title: '{_yaml_str(group.title)}'\n"
                 f"date: '{date_str}'\n"
                 f"template: {template}\n"
                 f"published: true\n"
-                f"location_city: '{group.location_city}'\n"
-                f"location_country: '{group.location_country}'\n"
+                f"location_city: '{_yaml_str(group.location_city)}'\n"
+                f"location_country: '{_yaml_str(group.location_country)}'\n"
                 f"hero_image: {hero_filename or ''}\n"
                 f"---\n"
             )
         else:
             frontmatter = (
                 f"---\n"
-                f"title: '{group.title}'\n"
+                f"title: '{_yaml_str(group.title)}'\n"
                 f"date: '{date_str}'\n"
                 f"template: {template}\n"
                 f"published: true\n"
@@ -192,19 +196,19 @@ def overwrite_export():
         if group.entry_type == "journal":
             frontmatter = (
                 f"---\n"
-                f"title: '{group.title}'\n"
+                f"title: '{_yaml_str(group.title)}'\n"
                 f"date: '{date_str}'\n"
                 f"template: {template}\n"
                 f"published: true\n"
-                f"location_city: '{group.location_city}'\n"
-                f"location_country: '{group.location_country}'\n"
+                f"location_city: '{_yaml_str(group.location_city)}'\n"
+                f"location_country: '{_yaml_str(group.location_country)}'\n"
                 f"hero_image: {hero_filename or ''}\n"
                 f"---\n"
             )
         else:
             frontmatter = (
                 f"---\n"
-                f"title: '{group.title}'\n"
+                f"title: '{_yaml_str(group.title)}'\n"
                 f"date: '{date_str}'\n"
                 f"template: {template}\n"
                 f"published: true\n"