verint.com/obsidian-mcp
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix: preserve square brackets and escape quotes in note content (v1.1.1)

Browse Source 
- Fix square bracket removal: Remove [] from DANGEROUS_CHARS regex
  * Wikilinks ([[link]]) now work correctly
  * Task checkboxes (- [ ] Task) are properly preserved
  * Brackets are safe because values are quoted and passed as array args

- Fix quote truncation: Escape double quotes in formatParam
  * Content like "Bot QM" no longer truncates
  * Internal quotes escaped as \" before wrapping in parameter quotes
  * Prevents shell from misinterpreting quote boundaries

Bump version: 1.0.0 -> 1.1.1

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Peter Morton
2026-04-10 00:07:13 -05:00
parent 964ffd3814
commit 466587d1c5
5 changed files with 36 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
CHANGELOG.md
View File

@@ -73,6 +73,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Comprehensive input schema definitions
- Security audit of parameter handling
## [1.1.1] - 2026-04-10
### Fixed
- **Quote Escaping**: Fixed critical bug where note content was being truncated when containing double quotes
- Content like `"Bot QM"` is now properly escaped and passed to the CLI without truncation
- Internal double quotes are escaped as `\"` before being wrapped in parameter quotes
- Prevents shell from misinterpreting quote boundaries in parameter values
- Affects all tools that pass content: create, append, prepend, search queries, etc.
## [1.1.0] - 2026-04-10
### Fixed
- **Square Brackets Preservation**: Fixed critical bug where square brackets `[` and `]` were being removed from note content during sanitization
- Wikilinks (`[[link]]`) now work correctly when creating or modifying notes
- Task checkboxes (`- [ ] Task` and `- [x] Done`) are properly preserved
- Array notation and date formats with brackets are no longer corrupted
- Security: Square brackets are safe because parameter values are quoted and passed as array arguments to the CLI
- All dangerous shell metacharacters (`;`, `|`, `$()`, backticks, etc.) are still properly blocked
## [Unreleased]
### Planned
@@ -86,9 +105,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## Version History
- **1.1.1** - Bug fix release: Quote escaping in note content
- **1.1.0** - Bug fix release: Square brackets preservation in note content
- **1.0.0** - Initial release with 28 MCP tools across 3 user stories
- File Operations (8 tools)
- Search & Discovery (12 tools)
- Task & Property Management (8 tools)
[1.1.1]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.1.1
[1.1.0]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.1.0
[1.0.0]: https://github.com/yourusername/obsidian-mcp/releases/tag/v1.0.0

2
manifest.json
View File

@@ -1,7 +1,7 @@
{
"manifest_version": "0.3",
"name": "obsidian-mcp",
"version": "1.0.0",
"version": "1.1.1",
"display_name": "Obsidian CLI Bundle",
"description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through conversational interface",
"long_description": "This MCP bundle provides a comprehensive set of tools for AI assistants to interact with and manage Obsidian vaults. It includes capabilities for creating, reading, updating, and deleting notes, managing links and tags, handling tasks, and more. With this bundle, AI assistants can seamlessly integrate with Obsidian to help users organize their knowledge and workflows.",

2
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "obsidian-mcp",
"version": "1.0.0",
"version": "1.1.1",
"description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through Model Context Protocol",
"type": "module",
"main": "dist/index.js",

7
src/utils/cli-helpers.ts
View File

@@ -13,7 +13,12 @@
export function formatParam(key: string, value: string | number): string {
// Always quote string values to handle spaces and special characters safely
// Note: Obsidian CLI docs say: "Quote values with spaces: name="My Note""
return `${key}="${value}"`;
// Escape any double quotes in the value to prevent shell interpretation issues
// This prevents truncation when content contains quotes like "Bot QM"
const escapedValue = String(value).replace(/"/g, '\\"');
return `${key}="${escapedValue}"`;
}
/**

7
src/validation/sanitizer.ts
View File

@@ -8,8 +8,10 @@ import { logger } from '../utils/logger.js';
/**
* Characters that should be removed or escaped for security
* Note: Square brackets [] are safe because values are quoted and passed as array args
* They're essential for Obsidian markdown (wikilinks [[link]] and tasks - [ ] Task)
*/
const DANGEROUS_CHARS = /[;&|`$(){}[\]<>]/g;
const DANGEROUS_CHARS = /[;&|`$(){}<>]/g;
const COMMAND_INJECTION_PATTERNS = [
/\$\(/g, // Command substitution $(...)
/`[^`]*`/g, // Command substitution `...`
@@ -67,7 +69,8 @@ export function sanitizePath(path: string): string {
sanitized = sanitized.replace(/^\/+|\/+$/g, '');
// Remove dangerous characters but allow path separators
sanitized = sanitized.replace(/[;&|`$(){}[\]<>]/g, '');
// Note: Square brackets are safe in paths (quoted args) but removed for consistency
sanitized = sanitized.replace(/[;&|`$(){}<>]/g, '');
return sanitized;
}