Review person and doc search apis for abuse possibilities

[richsalz]

Description

If you type /person/@ as a datatracker URL, it will apparently end up returning if #6007 is merged. Or /person/mark
That PR changed "exact match" to "case insensitive contains" which means that the found more than one name is much more likely to happen. (The API seems like it always used __icontains so this is maybe not a new hole)

This also opens the datatracker to spam harvesters. I think we should do the following for both API and HTML/web

• If just one match is found, return or display it
• If multiple matches are found, just return/display the list (I prefer not to linkify them; see above)
• Limit the number of rows returned via SQL

Code of Conduct

• I agree to follow the IETF's Code of Conduct

[rjsparks]

6007 was change to iexact. We should review the endpoints meant for the person/document choosing form widgets to see how abuse-able they are.