diff --git a/src/client/hooks/useSession.ts b/src/client/hooks/useSession.ts
index 68f5b92..08e7e9b 100644
--- a/src/client/hooks/useSession.ts
+++ b/src/client/hooks/useSession.ts
@@ -42,7 +42,7 @@ export function useSession(): SessionState {
     setSessionLoading(true);
     setSessionError(null);
     try {
-      const res = await fetch(`/api/sessions/${id}`);
+      const res = await fetch(`/api/sessions/${encodeURIComponent(id)}`);
       if (!res.ok) throw new Error(`HTTP ${res.status}`);
       const data = await res.json();
       setCurrentSession(data);
diff --git a/src/server/routes/export.ts b/src/server/routes/export.ts
index 35c5379..791c338 100644
--- a/src/server/routes/export.ts
+++ b/src/server/routes/export.ts
@@ -10,7 +10,9 @@ exportRouter.post("/", async (req, res) => {
     if (
       !exportReq?.session?.messages ||
       !Array.isArray(exportReq.session.messages) ||
-      !Array.isArray(exportReq.visibleMessageUuids)
+      !Array.isArray(exportReq.visibleMessageUuids) ||
+      (exportReq.redactedMessageUuids !== undefined &&
+        !Array.isArray(exportReq.redactedMessageUuids))
     ) {
       res.status(400).json({ error: "Invalid export request: missing session, messages, or visibleMessageUuids" });
       return;