The only thing I can imagine from your sample link is that the %27 %22 (single and double quote) get rendered on your page, meaning it potentially could be used to mess with queries.
If you haven't changed anything else, Kentico queries would make sure these are escaped from queries.
If you changed anything or want to check the code have a look at the documentation here:
docs.kentico.com/k12/.../sql-injection
Secondly, since it most likely gets rendered on your page, you might be vulnerable to XSS. You probably have a "you searched for [keyword]" somewhere on your search results page.
There is also a chapter in the documentation:
docs.kentico.com/k12/.../cross-site-scripting-xss
Depending on your implementation, it comes down to making sure you use one of the following:
- HTMLHelper.HTMLEncode() - encodes HTML tags, replaces the < and > chars with their HTML entities.
- QueryHelper.GetText() - gets an HTML-encoded string from the query string.
- ScriptHelper.GetString() - replaces special chars like apostrophes (alt+39).
- Use the HTMLEncode() transformation function.
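An added example (my own, not the answerer's code) of the "you searched for [keyword]" pattern in a Kentico 12 ASP.NET Web Forms code-behind, showing the raw query-string version next to the encoded one. It assumes the `CMS.Helpers` namespace and the method signatures `HTMLHelper.HTMLEncode(string)`, `QueryHelper.GetString(string, string)`, `QueryHelper.GetText(string, string)` and `ScriptHelper.GetString(string)`; the control names `ltlMessage`/`ltlMessage2` are made up.

```csharp
using System;
using System.Web.UI;
using CMS.Helpers; // assumed namespace of HTMLHelper, QueryHelper and ScriptHelper in Kentico 12

public partial class SearchResults : Page
{
    // Vulnerable form of the message, kept only for contrast: the raw query value is
    // concatenated into markup, so a tag or event handler placed in ?searchtext=
    // is rendered as live HTML (the XSS case described in the answer).
    private static string BuildMessageUnsafe(string rawKeyword)
    {
        return "You searched for: <strong>" + rawKeyword + "</strong>";
    }

    // Safe form: HTMLHelper.HTMLEncode turns < > " ' & into entities, so the keyword
    // is displayed as text regardless of what it contains.
    private static string BuildMessageSafe(string rawKeyword)
    {
        return "You searched for: <strong>" + HTMLHelper.HTMLEncode(rawKeyword) + "</strong>";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Option 1: read the value already HTML-encoded straight from the query string
        // (QueryHelper.GetText is the encoding counterpart of QueryHelper.GetString).
        string encodedKeyword = QueryHelper.GetText("searchtext", string.Empty);
        ltlMessage.Text = "You searched for: <strong>" + encodedKeyword + "</strong>"; // hypothetical Literal control

        // Option 2: read the raw value and encode it at the point of output.
        string rawKeyword = QueryHelper.GetString("searchtext", string.Empty);
        ltlMessage2.Text = BuildMessageSafe(rawKeyword); // hypothetical Literal control

        // If the keyword must also reach client-side script, encode it for the script
        // context separately: HTML encoding alone does not make a value safe inside a
        // JavaScript string literal. ScriptHelper.GetString is assumed to return the
        // value as a quoted JS literal with apostrophes and other specials escaped.
        string jsLiteral = ScriptHelper.GetString(rawKeyword);
        ClientScript.RegisterStartupScript(typeof(SearchResults), "searchKeyword",
            "var searchKeyword = " + jsLiteral + ";", true);
    }
}
```

The point of the two options is the same: the encoding happens exactly once, in the output context where the value is used, never by trying to strip "bad" characters from the input.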