pgsodium.mask_role does not properly quote the view_name argument before using it in a generated sql query. This is especially critical since mask_role is a security definer function.
There might be similar missing quoting in other non-security definer functions.
Fixed by #115
