diff --git a/src/validation/sanitizer.ts b/src/validation/sanitizer.ts
index 3c38636..c1034dc 100644
--- a/src/validation/sanitizer.ts
+++ b/src/validation/sanitizer.ts
@@ -13,10 +13,12 @@ import { logger } from '../utils/logger.js';
  * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
  * Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings,
  * preventing shell command substitution while preserving Markdown code fences (``` ```)
- * We only block: ; | $ < > (command separators, pipes, substitution, redirects)
+ * Note: < and > are safe inside double-quoted strings — shell redirection only applies at the
+ * command level, not inside quotes. Stripping them breaks Mermaid arrows (->>, -->) and HTML.
+ * We only block: ; | $ (command separators, pipes, variable substitution)
  * Command injection patterns (&&, ||, etc.) are handled separately
  */
-const DANGEROUS_CHARS = /[;|$<>]/g;
+const DANGEROUS_CHARS = /[;|$]/g;
 const COMMAND_INJECTION_PATTERNS = [
   /\$\(/g, // Command substitution $(...)
   /\|\|/g, // OR operator
@@ -74,7 +76,8 @@ export function sanitizePath(path: string): string {
   // Remove dangerous characters but allow path separators
   // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
-  sanitized = sanitized.replace(/[;|`$<>]/g, '');
+  // Note: < and > are safe inside double-quoted strings (not shell redirects)
+  sanitized = sanitized.replace(/[;|`$]/g, '');
   return sanitized;
 }
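Review bot: Dropping `<` and `>` from DANGEROUS_CHARS is only sound under an invariant this file does not enforce or state — that every sanitized value is emitted solely inside a double-quoted argument built by formatParam, which also escapes `"`, `\`, `$` and backtick there — yet neither `"` nor `\` is in the block list and the hunk adds no test pinning that quoting path, so the new comment should name the dependency explicitly: `// Safe ONLY because formatParam always double-quotes and escapes " \ $ and backtick; never interpolate this value unquoted`. The same loosening, with the same unstated dependency, appears in the second hunk in sanitizePath (whose signature lies outside the hunk), and that list still strips backtick while DANGEROUS_CHARS does not, a divergence that deserves a one-line comment of its own. A regression test asserting that an input containing `->>` survives sanitization and that formatParam still renders it as a single quoted argument would make the reasoning checkable rather than asserted in prose. Since the argument rests on a particular shell's quoting rules (it holds for POSIX sh/bash inside double quotes), the comment should also record which shell(s) the claim was verified against.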