From 96b44ac97f84dfa39f23934989f6cfd2706da00c Mon Sep 17 00:00:00 2001
From: "Peter.Morton"
Date: Tue, 28 Apr 2026 12:21:24 -0500
Subject: [PATCH] fix: preserve < and > in note content so Mermaid arrows and HTML are not stripped (fixes #7)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

< and > were in DANGEROUS_CHARS on the assumption they could trigger shell redirection. However, shell redirection only applies at the command level — inside double-quoted strings (which is how all values are passed via formatParam) they are completely inert.

Removing them from DANGEROUS_CHARS and sanitizePath preserves:
- Mermaid diagram connectors: ->>, -->, <|, >>, etc.
- HTML tags in note content
- Any other angle-bracket syntax

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 src/validation/sanitizer.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/validation/sanitizer.ts b/src/validation/sanitizer.ts
index 3c38636..c1034dc 100644
--- a/src/validation/sanitizer.ts
+++ b/src/validation/sanitizer.ts
@@ -13,10 +13,12 @@ import { logger } from '../utils/logger.js';
  * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
  * Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings,
  * preventing shell command substitution while preserving Markdown code fences (``` ```)
- * We only block: ; | $ < > (command separators, pipes, substitution, redirects)
+ * Note: < and > are safe inside double-quoted strings — shell redirection only applies at the
+ * command level, not inside quotes. Stripping them breaks Mermaid arrows (->>, -->) and HTML.
+ * We only block: ; | $ (command separators, pipes, variable substitution)
  * Command injection patterns (&&, ||, etc.) are handled separately
  */
-const DANGEROUS_CHARS = /[;|$<>]/g;
+const DANGEROUS_CHARS = /[;|$]/g;
 const COMMAND_INJECTION_PATTERNS = [
   /\$\(/g, // Command substitution $(...)
   /\|\|/g, // OR operator
@@ -74,7 +76,8 @@ export function sanitizePath(path: string): string {
   // Remove dangerous characters but allow path separators
   // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
-  sanitized = sanitized.replace(/[;|`$<>]/g, '');
+  // Note: < and > are safe inside double-quoted strings (not shell redirects)
+  sanitized = sanitized.replace(/[;|`$]/g, '');
   return sanitized;
 }
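Review bot: Keeping `<` and `>` in `DANGEROUS_CHARS` output is only safe under an invariant this hunk cannot show — that every value filtered by `DANGEROUS_CHARS` is later placed inside a double-quoted argument by `formatParam`, which lives outside this file, and that `formatParam` also escapes the embedded `"` that would otherwise end the quoted span. The new comment restates the shell rule but not that dependency, so a future caller that interpolates sanitized output unquoted would silently reintroduce redirection; add `* Invariant: this relies on formatParam double-quoting every value — never pass sanitized output to a shell unquoted.` next to the constant. The diffstat lists only `sanitizer.ts`, so no test pins the new behaviour; a round-trip assertion that a Mermaid connector such as `A ->> B` survives the `DANGEROUS_CHARS` replace, and one that `formatParam` quotes a value containing ` > `, would make the argument in the commit message checkable. The function that applies `DANGEROUS_CHARS` is not within the hunk.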
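Review bot: `sanitizePath` now lets `<` and `>` through into file paths, and the justification given on the new comment line (shell quoting) is a different question from whether the resulting path is usable — `<` and `>` are reserved in Win32 file names, so on Windows such a path would now reach the filesystem call and fail there instead of being cleaned. If Windows is a supported platform, either keep stripping them for paths only or state the trade-off in the comment, e.g. `// Note: < and > are shell-safe in quoted args; they remain invalid in Win32 file names and are left for the filesystem to reject.` Separately, this regex still removes backticks while `DANGEROUS_CHARS` in the first hunk relies on `formatParam` escaping them; that inconsistency predates the patch, but a short comment saying why paths are stricter would help the next reader. `sanitizePath` begins before the hunk.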