Sanitize get_query_var() url parameters

There’s a slight disconnect between your question title and the actual question.

It sounds like you’re using a plugin (or developing a plugin?) that allows for some front-end sorting. If it’s a plugin you’re using and the query string parameter is not sanitized, you need to notify that plugin’s developer, because that’s a security issue.

Fixing it yourself might solve the problem – for a while, but you really shouldn’t be editing plugins directly (even poorly coded ones) since that leaves you in the bad position of needing to re-apply any changes when there’s an update to the plugin.

The name of the get_query_var() function can be confusing. A lot of people look at this as a handy WP substitute for $_GET[], but that’s not what it does. get_query_var() is ONLY for variables that are set as part of the global WP query. This includes a number of WP defaults, along with any custom variables (added with set_query_var()).

A plugin that applies a custom URL rewrite for its endpoints might be an example of this. But if you think you can use it to just grab any query variable from the URL, that won’t work because that’s not what get_query_var() does.

You need to just search out where this query argument is collected. Most likely it’s done using $_GET['sort'].

Whatever that is, it should be:

$some_var = sanitize_text_field( $_GET['sort'] );

Or even better:

$some_var = ( isset( $_GET['sort'] ) ) ? sanitize_text_field( $_GET['sort'] ) : 'some default value';

Obviously, I’m answering based on some assumptions, the details of which were not included in your question. If I’m off base, update your question to include more info and I’ll edit accordingly.
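As an added example, not code from the question or from the answer above: a small plugin fragment showing both routes the answer describes, registering sort as a real query var so that get_query_var() actually sees it, and falling back to a sanitized read of $_GET['sort'] where it is not one. It goes one step further than the answer by checking the value against an allow-list, since a sort key normally ends up as a WP_Query orderby argument. The SORT_MAP constant, the example_sort_args() function and the orderby/order mapping are assumptions of this example; add_filter, get_query_var, sanitize_text_field, sanitize_key, wp_unslash and the pre_get_posts hook are WordPress core APIs.

```php
<?php
// Added example, not from the original answer. Assumes it runs inside
// WordPress (add_filter, get_query_var, sanitize_text_field, etc. exist).

// 1. Register 'sort' as a public query var. Without this step
//    get_query_var( 'sort' ) always returns the default, which is the
//    point the answer makes about get_query_var() vs $_GET.
add_filter( 'query_vars', function ( array $vars ) {
    $vars[] = 'sort';
    return $vars;
} );

// Hypothetical allow-list of sort keys the front-end sorter accepts,
// mapped to WP_Query arguments. Anything not in this map is rejected.
const SORT_MAP = [
    'newest' => [ 'orderby' => 'date',  'order' => 'DESC' ],
    'oldest' => [ 'orderby' => 'date',  'order' => 'ASC'  ],
    'title'  => [ 'orderby' => 'title', 'order' => 'ASC'  ],
];

/**
 * Resolve the requested sort key to WP_Query arguments (hypothetical helper).
 *
 * Prefers get_query_var(), which only works because 'sort' was registered
 * above; falls back to $_GET for installs where the parameter is not a
 * query var. Either way the value is sanitized and then validated against
 * the allow-list, so an unexpected string never reaches the query.
 */
function example_sort_args( string $default = 'newest' ): array {
    $raw = get_query_var( 'sort', '' );

    if ( '' === $raw && isset( $_GET['sort'] ) ) {
        // wp_unslash() undoes WordPress' magic-quotes style slashing,
        // sanitize_text_field() strips tags, invalid UTF-8 and extra whitespace.
        $raw = sanitize_text_field( wp_unslash( $_GET['sort'] ) );
    }

    // sanitize_key() reduces the value to [a-z0-9_-], matching our map keys.
    $key = sanitize_key( $raw );

    if ( ! isset( SORT_MAP[ $key ] ) ) {
        $key = $default; // unknown or empty sort: fall back to a safe default
    }

    return SORT_MAP[ $key ];
}

// 2. Apply the validated sort to the main front-end query only.
add_action( 'pre_get_posts', function ( WP_Query $query ) {
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }
    foreach ( example_sort_args() as $arg => $value ) {
        $query->set( $arg, $value );
    }
} );
```

With this in place, ?sort=title orders the main query by title, while ?sort=<anything-else> silently falls back to the newest-first default instead of passing user input through to the query.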