diff --git a/server.js b/server.js
index 4cfd23a..703489a 100644
--- a/server.js
+++ b/server.js
@@ -220,6 +220,9 @@ function validateExportRequest(body) {
 // Validate individual comments
 for (const [file, comment] of Object.entries(comments)) {
+ if (!DiffService.isValidFilePath(file)) {
+ return { valid: false, error: 'Invalid file path in comments' };
+ }
 if (typeof comment !== 'string' || comment.length > 10000) {
 return { valid: false, error: 'Comment too long (max 10,000 characters)' };
 }
@@ -247,7 +250,7 @@ function validateExportRequest(body) {
 return { valid: false, error: 'Too many excluded files (max 1000)' };
 }
- if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500)) {
+ if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500 && DiffService.isValidFilePath(f))) {
 return { valid: false, error: 'Invalid excluded file entries' };
 }
 }
diff --git a/services/diffService.js b/services/diffService.js
index effb256..718254c 100644
--- a/services/diffService.js
+++ b/services/diffService.js
@@ -133,7 +133,7 @@ class DiffService {
 }
 // Prevent dangerous characters that could be used for command injection
- const dangerousChars = /[;&|`$(){}[\]<>]/;
+ const dangerousChars = /[;&|`$(){}[\]<>'"]/;
 if (dangerousChars.test(filePath)) {
 return false;
 }
diff --git a/src/utils/validation.js b/src/utils/validation.js
index 21d9d3b..d37960e 100644
--- a/src/utils/validation.js
+++ b/src/utils/validation.js
@@ -75,6 +75,9 @@ function validateExportRequest(body) {
 }
 for (const [file, comment] of Object.entries(comments)) {
+ if (file.includes('..') || file.startsWith('/') || file.includes('\\') || /[;&|`$(){}[\]<>'"]/.test(file)) {
+ return { valid: false, error: 'Invalid file path in comments' };
+ }
 if (typeof comment !== 'string' || comment.length > 10000) {
 return { valid: false, error: 'Comment too long (max 10,000 characters)' };
 }
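Review bot: The comments loop now validates each key with DiffService.isValidFilePath, but nothing in this hunk bounds how many keys `comments` may carry, whereas excludedFiles is capped at 1000 a few lines below; validateExportRequest starts outside the hunk, so such a cap may already exist above it. If it does not, a single request can hold an arbitrary number of 10,000-character comments and the loop validates every one of them before any limit is reached; `if (Object.keys(comments).length > 1000) { return { valid: false, error: 'Too many comments (max 1000)' }; }` placed before the loop would give the two fields parity. The same question applies to the copy of this loop in src/utils/validation.js later in this diff.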
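Review bot: The extended dangerousChars blocklist still lets through characters that matter if filePath is ever placed into a shell command string, which is what the comment above it says it guards against: whitespace, newline and other control characters, NUL, and backslash are not in the class. A blocklist has to be extended every time another character turns out to matter (this commit is one such extension); an allowlist such as `const allowedChars = /^[\w./ -]+$/;` with `if (!allowedChars.test(filePath)) { return false; }` is easier to reason about, and passing the path as a separate argv element to spawn/execFile instead of through a shell removes the problem class entirely. At minimum, add `\x00-\x1f` and `\\` to the existing class so control characters and backslashes are rejected too. The enclosing method starts and ends outside the hunk.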
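Review bot: The new check in src/utils/validation.js is an inline copy of the rules that server.js delegates to DiffService.isValidFilePath in this same commit, and the regex literal here duplicates the dangerousChars class in services/diffService.js, so three places now have to be kept in sync by hand — this commit already had to change the character class twice. Extract one shared helper (export isValidFilePath from the DiffService module or a validation util) and call it here, so the condition becomes `if (!isValidFilePath(file)) { return { valid: false, error: 'Invalid file path in comments' }; }`. The same duplication is in the excludedFiles predicate in the next hunk of this file (`@@ -102,7 +105,7 @@`), where the long inline `!( ... )` expression would also collapse to a single helper call. Whether DiffService.isValidFilePath itself rejects `..`, a leading `/` and backslashes is not visible in this diff; if it does not, server.js lacks the traversal checks that validation.js has. validateExportRequest starts outside the hunk.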
@@ -102,7 +105,7 @@ function validateExportRequest(body) {
 return { valid: false, error: 'Too many excluded files (max 1000)' };
 }
- if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500)) {
+ if (!excludedFiles.every(f => typeof f === 'string' && f.length < 500 && !(f.includes('..') || f.startsWith('/') || f.includes('\\') || /[;&|`$(){}[\]<>'"]/.test(f)))) {
 return { valid: false, error: 'Invalid excluded file entries' };
 }
 }