diff --git a/packages/frontend-core/src/utils/lucene.js b/packages/frontend-core/src/utils/lucene.js
index a1b9594684..1221e20664 100644
--- a/packages/frontend-core/src/utils/lucene.js
+++ b/packages/frontend-core/src/utils/lucene.js
@@ -121,7 +121,7 @@ export const buildLuceneQuery = filter => {
       query.allOr = true
       return
     }
-    if (type === "datetime") {
+    if (type === "datetime" && !isHbs) {
       // Ensure date value is a valid date and parse into correct format
       if (!value) {
         return
diff --git a/packages/server/src/api/routes/application.ts b/packages/server/src/api/routes/application.ts
index 49ecc2ee6f..0ebdf548e3 100644
--- a/packages/server/src/api/routes/application.ts
+++ b/packages/server/src/api/routes/application.ts
@@ -2,16 +2,27 @@ import Router from "@koa/router"
 import * as controller from "../controllers/application"
 import authorized from "../../middleware/authorized"
 import { BUILDER } from "@budibase/backend-core/permissions"
+import { applicationValidator } from "./utils/validators"
 
 const router = new Router()
 
 router
   .post("/api/applications/:appId/sync", authorized(BUILDER), controller.sync)
-  .post("/api/applications", authorized(BUILDER), controller.create)
+  .post(
+    "/api/applications",
+    authorized(BUILDER),
+    applicationValidator(),
+    controller.create
+  )
   .get("/api/applications/:appId/definition", controller.fetchAppDefinition)
   .get("/api/applications", controller.fetch)
   .get("/api/applications/:appId/appPackage", controller.fetchAppPackage)
-  .put("/api/applications/:appId", authorized(BUILDER), controller.update)
+  .put(
+    "/api/applications/:appId",
+    authorized(BUILDER),
+    applicationValidator(),
+    controller.update
+  )
   .post(
     "/api/applications/:appId/client/update",
     authorized(BUILDER),
diff --git a/packages/server/src/api/routes/utils/validators.js b/packages/server/src/api/routes/utils/validators.js
index b43eea9e36..000c9655bc 100644
--- a/packages/server/src/api/routes/utils/validators.js
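Review bot: The new `&& !isHbs` guard on the datetime branch has no comment saying why a handlebars value is safe to skip the parse-and-validate step, and `isHbs` is defined above this hunk so a reader of the diff cannot see what it tests. A one-liner above the condition would do: `// Handlebars bindings are filled in later, so don't try to parse the raw template as a date`. It is worth confirming that whatever resolves the binding re-applies date validation, since the unparsed template string now flows to the query code below instead of being normalised here; presumably it does, but nothing in this hunk shows it. buildLuceneQuery starts before this hunk and continues after it.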
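Review bot: The PUT route now validates the body's shape, but nothing visible ties the optional `_id` the validator accepts to the `:appId` path parameter, so if `controller.update` trusts `_id` from the body a builder could target a different app than the URL names. The cheapest guard is in the controller (not in this hunk), e.g. `if (ctx.request.body._id && ctx.request.body._id !== ctx.params.appId) ctx.throw(400, "Body _id does not match app ID")`, or a `joiValidator.params` on the route. The middleware order is the right one — `authorized(BUILDER)` runs before `applicationValidator()`, so anonymous callers never reach Joi. The router chain continues past the end of this hunk.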
+++ b/packages/server/src/api/routes/utils/validators.js
@@ -10,6 +10,7 @@ const Joi = require("joi")
 const OPTIONAL_STRING = Joi.string().optional().allow(null).allow("")
 const OPTIONAL_NUMBER = Joi.number().optional().allow(null)
 const OPTIONAL_BOOLEAN = Joi.boolean().optional().allow(null)
+const APP_NAME_REGEX = /^[\w\s]+$/
 
 exports.tableValidator = () => {
   // prettier-ignore
@@ -214,7 +215,7 @@ exports.applicationValidator = () => {
   return joiValidator.body(Joi.object({
     _id: OPTIONAL_STRING,
     _rev: OPTIONAL_STRING,
-    name: Joi.string().required(),
+    name: Joi.string().pattern(new RegExp(APP_NAME_REGEX)).required().error(new Error('App name must be letters, numbers and spaces only')),
     url: OPTIONAL_STRING,
     template: Joi.object({
       templateString: OPTIONAL_STRING,
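Review bot: `APP_NAME_REGEX = /^[\w\s]+$/` is both looser and narrower than the error message promises: `\s` accepts tabs and newlines and lets an all-whitespace name such as `"   "` through (`Joi.string()` only rejects the empty string), `\w` admits underscores, and it is ASCII-only so a name like `Café` is refused as "letters, numbers and spaces only". Consider `const APP_NAME_REGEX = /^(?=\S)[\p{L}\p{N}_ ]+$/u`, which requires a non-blank first character and allows only plain spaces, unless the controller trims the name before it gets here — that may well be the case, but it is not visible in this diff. `new RegExp(APP_NAME_REGEX)` only clones the literal, so `.pattern(APP_NAME_REGEX)` is enough. Note also that `.error(new Error(...))` replaces every failure on `name`, including a missing name, with the pattern message, which is fine if that wording is intended for the "required" case too.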