pchuri · yaowei1980 · Apr 1, 2026
diff --git a/bin/confluence.js b/bin/confluence.js
@@ -548,8 +548,9 @@ program
         fs.mkdirSync(destDir, { recursive: true });
 
         const uniquePathFor = (dir, filename) => {
-          const parsed = path.parse(filename);
-          let attempt = path.join(dir, filename);
+          const safeFilename = sanitizeFilename(filename);
+          const parsed = path.parse(safeFilename);
+          let attempt = path.join(dir, safeFilename);
           let counter = 1;
           while (fs.existsSync(attempt)) {
             const suffix = ` (${counter})`;
@@ -1351,9 +1352,21 @@ function isExportDirectory(fs, path, dir) {
   return fs.existsSync(path.join(dir, EXPORT_MARKER));
 }
 
+function sanitizeFilename(filename) {
+  if (!filename || typeof filename !== 'string') {
+    return 'unnamed';
+  }
+  return filename
+    .replace(/\.\./g, '')
+    .replace(/[\\/:*?"<>|]/g, '_')
+    .replace(/^\.+/, '')
+    .trim() || 'unnamed';
+}
+
 function uniquePathFor(fs, path, dir, filename) {
-  const parsed = path.parse(filename);
-  let attempt = path.join(dir, filename);
+  const safeFilename = sanitizeFilename(filename);
+  const parsed = path.parse(safeFilename);
+  let attempt = path.join(dir, safeFilename);
   let counter = 1;
   while (fs.existsSync(attempt)) {
     const suffix = ` (${counter})`;
@@ -1553,7 +1566,11 @@ function sanitizeTitle(value) {
   if (!value || typeof value !== 'string') {
     return fallback;
   }
-  const cleaned = value.replace(/[\\/:*?"<>|]/g, ' ').trim();
+  const cleaned = value
+    .replace(/\.\./g, '')
+    .replace(/[\\/:*?"<>|]/g, '_')
+    .replace(/^\.+/, '')
+    .trim();
   return cleaned || fallback;
 }
 

diff --git a/lib/confluence-client.js b/lib/confluence-client.js
@@ -284,11 +284,29 @@ class ConfluenceClient {
     };
   }
 
+  /**
+   * Escape a string for safe use in CQL queries
+   * Handles special CQL characters: backslash, double quote, and wildcards
+   * @param {string} str - String to escape
+   * @returns {string} Escaped string
+   */
+  escapeCql(str) {
+    if (typeof str !== 'string') {
+      return '';
+    }
+    return str
+      .replace(/\\/g, '\\\\')  // Escape backslashes first
+      .replace(/"/g, '\\"')     // Escape double quotes
+      .replace(/\*/g, '\\*')     // Escape asterisk (wildcard)
+      .replace(/\?/g, '\\?')     // Escape question mark (single char wildcard)
+      .replace(/~/g, '\\~');     // Escape tilde (fuzzy match)
+  }
+
   /**
    * Search for pages
    */
   async search(query, limit = 10, rawCql = false) {
-    const cql = rawCql ? query : `text ~ "${String(query).replace(/"/g, '\\"')}"`;
+    const cql = rawCql ? query : `text ~ "${this.escapeCql(query)}"`;
     const response = await this.client.get('/search', {
       params: {
         cql,
@@ -1772,9 +1790,9 @@ class ConfluenceClient {
    * Search for a page by title and space
    */
   async findPageByTitle(title, spaceKey = null) {
-    let cql = `title = "${title}"`;
+    let cql = `title = "${this.escapeCql(title)}"`;
     if (spaceKey) {
-      cql += ` AND space = "${spaceKey}"`;
+      cql += ` AND space = "${this.escapeCql(spaceKey)}"`;
     }
 
     const response = await this.client.get('/search', {

diff --git a/package-lock.json b/package-lock.json