Disallow Registering with Reserved Characters

morsel_login.py

@@ -34,7 +34,8 @@ def logout():
 def register():
   error = None
   if request.method == 'POST':
-    if (not uexist(request.form['username'])) and len(request.form['password']) >= 8 and request.form['username'].strip() != "":
+    if ((not uexist(request.form['username'])) and len(request.form['password']) >= 8
+      and request.form['username'].strip() != "" and not any(illegal_character in request.form['username'] for illegal_character in "%&.+?;")):
       newuser(request.form['username'], request.form['password'])
       return redirect('/login?success', 303)
     elif len(request.form['password']) < 8: