fix: preserve < and > in note content so Mermaid arrows and HTML are not stripped (fixes #7)

< and > were in DANGEROUS_CHARS on the assumption they could trigger
shell redirection. However, shell redirection only applies at the
command level — inside double-quoted strings (which is how all values
are passed via formatParam) they are completely inert.

Removing them from DANGEROUS_CHARS and sanitizePath preserves:
- Mermaid diagram connectors: ->>, -->, <|, >>, etc.
- HTML tags in note content
- Any other angle-bracket syntax

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

src/validation/sanitizer.ts

@@ -13,10 +13,12 @@ import { logger } from '../utils/logger.js';
  * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
  * Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings,
  *       preventing shell command substitution while preserving Markdown code fences (``` ```)
- * We only block: ; | $ < > (command separators, pipes, substitution, redirects)
+ * Note: < and > are safe inside double-quoted strings — shell redirection only applies at the
+ *       command level, not inside quotes. Stripping them breaks Mermaid arrows (->>, -->) and HTML.
+ * We only block: ; | $ (command separators, pipes, variable substitution)
  * Command injection patterns (&&, ||, etc.) are handled separately
  */
-const DANGEROUS_CHARS = /[;|$<>]/g;
+const DANGEROUS_CHARS = /[;|$]/g;
 const COMMAND_INJECTION_PATTERNS = [
   /\$\(/g,      // Command substitution $(...)
   /\|\|/g,      // OR operator
@@ -74,7 +76,8 @@ export function sanitizePath(path: string): string {
 
   // Remove dangerous characters but allow path separators
   // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
-  sanitized = sanitized.replace(/[;|`$<>]/g, '');
+  // Note: < and > are safe inside double-quoted strings (not shell redirects)
+  sanitized = sanitized.replace(/[;|`$]/g, '');
 
   return sanitized;
 }