fix: allow ampersands in filenames while blocking command injection (v1.1.2)

Fixes #2 - Files with & in their names (e.g., 'Research & Development.md')
were being incorrectly sanitized, causing search and file-not-found errors.

Changes:
- Removed & from DANGEROUS_CHARS regex
- Single & is safe in quoted arguments passed to CLI
- Dangerous && patterns still blocked by COMMAND_INJECTION_PATTERNS
- Also allows (), [], {} which are safe in quoted args

Version: 1.1.2

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

src/validation/sanitizer.ts

@@ -8,10 +8,13 @@ import { logger } from '../utils/logger.js';
 
 /**
  * Characters that should be removed or escaped for security
- * Note: Square brackets [] are safe because values are quoted and passed as array args
- * They're essential for Obsidian markdown (wikilinks [[link]] and tasks - [ ] Task)
+ * Note: Brackets [], parentheses (), and braces {} are safe because values are quoted and passed as array args
+ * They're essential for Obsidian markdown (wikilinks [[link]], tasks - [ ] Task, templates {{...}}, etc.)
+ * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
+ * We only block: ; | ` $ < > (command separators, pipes, substitution, redirects)
+ * Command injection patterns (&&, ||, etc.) are handled separately
  */
-const DANGEROUS_CHARS = /[;&|`$(){}<>]/g;
+const DANGEROUS_CHARS = /[;|`$<>]/g;
 const COMMAND_INJECTION_PATTERNS = [
   /\$\(/g,      // Command substitution $(...)
   /`[^`]*`/g,   // Command substitution `...`
@@ -69,8 +72,8 @@ export function sanitizePath(path: string): string {
   sanitized = sanitized.replace(/^\/+|\/+$/g, '');
 
   // Remove dangerous characters but allow path separators
-  // Note: Square brackets are safe in paths (quoted args) but removed for consistency
-  sanitized = sanitized.replace(/[;&|`$(){}<>]/g, '');
+  // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
+  sanitized = sanitized.replace(/[;|`$<>]/g, '');
 
   return sanitized;
 }