chore: bump version to 1.1.5 and update CHANGELOG

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

CHANGELOG.md

@@ -73,6 +73,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive input schema definitions
 - Security audit of parameter handling
 
+## [1.1.5] - 2026-04-28
+
+### Fixed
+- **Mermaid Arrows and HTML Preserved**: Fixed issue #7 where `<` and `>` were being stripped from note content, breaking Mermaid diagram connectors (`->>`, `-->`, `<|`, `>>`) and HTML tags
+  - `<` and `>` are only meaningful as shell redirects at the command level — inside double-quoted strings (how all values are passed) they are completely inert
+  - Removed from `DANGEROUS_CHARS` in both `sanitizeString` and `sanitizePath`
+
+## [1.1.4] - 2026-04-28
+
+### Fixed
+- **Markdown Code Fence Preservation**: Fixed issue #6 where backticks were being stripped from note content, destroying Markdown code fences (` ``` `)
+  - Backticks are now escaped as `` \` `` inside double-quoted CLI parameter strings instead of being removed
+  - This preserves code fences and inline code in note content while still preventing shell command substitution via backticks
+  - Affects all tools that pass content: create, append, prepend, etc.
+
 ## [1.1.3] - 2026-04-17
 
 ### Fixed
@@ -128,6 +143,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Version History
 
+- **1.1.5** - Bug fix release: Preserve `<` and `>` in note content for Mermaid/HTML (fixes #7)
+- **1.1.4** - Bug fix release: Preserve Markdown code fences (fixes #6)
 - **1.1.3** - Bug fix release: Large file chunking for obsidian_read_note; docs clarification for Obsidian must be running (fixes #4, #5)
 - **1.1.2** - Bug fix release: Ampersand support in filenames (fixes #2)
 - **1.1.1** - Bug fix release: Quote escaping in note content
@@ -137,6 +154,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Search & Discovery (12 tools)
   - Task & Property Management (8 tools)
 
+[1.1.5]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.5
+[1.1.4]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.4
 [1.1.3]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.3
 [1.1.2]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.2
 [1.1.1]: https://git.mortons.site/Peter.Morton/obsidian-mcp/releases/tag/v1.1.1

manifest.json

@@ -1,7 +1,7 @@
 {
   "manifest_version": "0.3",
   "name": "obsidian-mcp",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "display_name": "Obsidian CLI Bundle",
   "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through conversational interface",
   "long_description": "This MCP bundle provides a comprehensive set of tools for AI assistants to interact with and manage Obsidian vaults. It includes capabilities for creating, reading, updating, and deleting notes, managing links and tags, handling tasks, and more. With this bundle, AI assistants can seamlessly integrate with Obsidian to help users organize their knowledge and workflows.",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "obsidian-mcp",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "description": "MCP Bundle for Obsidian CLI - Enable AI assistants to manage Obsidian vaults through Model Context Protocol",
   "type": "module",
   "main": "dist/index.js",

src/utils/cli-helpers.ts

@@ -14,9 +14,12 @@ export function formatParam(key: string, value: string | number): string {
   // Always quote string values to handle spaces and special characters safely
   // Note: Obsidian CLI docs say: "Quote values with spaces: name="My Note""
   
-  // Escape any double quotes in the value to prevent shell interpretation issues
+  // Escape double quotes and backticks to prevent shell interpretation inside double-quoted strings.
-  // This prevents truncation when content contains quotes like "Bot QM"
+  // In bash double-quoted strings: \" prevents quote termination, \` prevents command substitution.
-  const escapedValue = String(value).replace(/"/g, '\\"');
+  // This preserves Markdown code fences (``` ` ```) while blocking injection via backticks.
+  const escapedValue = String(value)
+    .replace(/"/g, '\\"')
+    .replace(/`/g, '\\`');
   
   return `${key}="${escapedValue}"`;
 }

src/validation/sanitizer.ts

@@ -11,13 +11,16 @@ import { logger } from '../utils/logger.js';
  * Note: Brackets [], parentheses (), and braces {} are safe because values are quoted and passed as array args
  * They're essential for Obsidian markdown (wikilinks [[link]], tasks - [ ] Task, templates {{...}}, etc.)
  * Note: Single & is safe in quoted args (filenames like "Research & Development.md")
- * We only block: ; | ` $ < > (command separators, pipes, substitution, redirects)
+ * Note: Backticks are safe because formatParam escapes them as \` inside double-quoted strings,
+ *       preventing shell command substitution while preserving Markdown code fences (``` ```)
+ * Note: < and > are safe inside double-quoted strings — shell redirection only applies at the
+ *       command level, not inside quotes. Stripping them breaks Mermaid arrows (->>, -->) and HTML.
+ * We only block: ; | $ (command separators, pipes, variable substitution)
  * Command injection patterns (&&, ||, etc.) are handled separately
  */
-const DANGEROUS_CHARS = /[;|`$<>]/g;
+const DANGEROUS_CHARS = /[;|$]/g;
 const COMMAND_INJECTION_PATTERNS = [
   /\$\(/g,      // Command substitution $(...)
-  /`[^`]*`/g,   // Command substitution `...`
   /\|\|/g,      // OR operator
   /&&/g,        // AND operator
   /;/g,         // Command separator
@@ -73,7 +76,8 @@ export function sanitizePath(path: string): string {
 
   // Remove dangerous characters but allow path separators
   // Note: Brackets, parentheses, braces, and single & are safe in paths (quoted args)
-  sanitized = sanitized.replace(/[;|`$<>]/g, '');
+  // Note: < and > are safe inside double-quoted strings (not shell redirects)
+  sanitized = sanitized.replace(/[;|`$]/g, '');
 
   return sanitized;
 }