verint.com/obsidian-mcp
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix: preserve square brackets and escape quotes in note content (v1.1.1)

Browse Source 
- Fix square bracket removal: Remove [] from DANGEROUS_CHARS regex
  * Wikilinks ([[link]]) now work correctly
  * Task checkboxes (- [ ] Task) are properly preserved
  * Brackets are safe because values are quoted and passed as array args

- Fix quote truncation: Escape double quotes in formatParam
  * Content like "Bot QM" no longer truncates
  * Internal quotes escaped as \" before wrapping in parameter quotes
  * Prevents shell from misinterpreting quote boundaries

Bump version: 1.0.0 -> 1.1.1

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Peter Morton
2026-04-10 00:07:13 -05:00
parent 964ffd3814
commit 466587d1c5
5 changed files with 36 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/utils/cli-helpers.ts
View File

@@ -13,7 +13,12 @@
export function formatParam(key: string, value: string | number): string {
// Always quote string values to handle spaces and special characters safely
// Note: Obsidian CLI docs say: "Quote values with spaces: name="My Note""
return `${key}="${value}"`;
// Escape any double quotes in the value to prevent shell interpretation issues
// This prevents truncation when content contains quotes like "Bot QM"
const escapedValue = String(value).replace(/"/g, '\\"');
return `${key}="${escapedValue}"`;
}
/**

7
src/validation/sanitizer.ts
View File

@@ -8,8 +8,10 @@ import { logger } from '../utils/logger.js';
/**
* Characters that should be removed or escaped for security
* Note: Square brackets [] are safe because values are quoted and passed as array args
* They're essential for Obsidian markdown (wikilinks [[link]] and tasks - [ ] Task)
*/
const DANGEROUS_CHARS = /[;&|`$(){}[\]<>]/g;
const DANGEROUS_CHARS = /[;&|`$(){}<>]/g;
const COMMAND_INJECTION_PATTERNS = [
/\$\(/g, // Command substitution $(...)
/`[^`]*`/g, // Command substitution `...`
@@ -67,7 +69,8 @@ export function sanitizePath(path: string): string {
sanitized = sanitized.replace(/^\/+|\/+$/g, '');
// Remove dangerous characters but allow path separators
sanitized = sanitized.replace(/[;&|`$(){}[\]<>]/g, '');
// Note: Square brackets are safe in paths (quoted args) but removed for consistency
sanitized = sanitized.replace(/[;&|`$(){}<>]/g, '');
return sanitized;
}