2 changed files with 3 additions and 1 deletions
--- a/morsel_login.py
+++ b/morsel_login.py
@ -34,7 +34,8 @@ def logout():
 def register():
  error = None
  if request.method == 'POST':
-    if (not uexist(request.form['username'])) and len(request.form['password']) >= 8 and request.form['username'].strip() != "":
+    if ((not uexist(request.form['username'])) and len(request.form['password']) >= 8
+      and request.form['username'].strip() != "" and not any(illegal_character in request.form['username'] for illegal_character in "%&.+?;")):
      newuser(request.form['username'], request.form['password'])
      return redirect('/login?success', 303)
    elif len(request.form['password']) < 8:
--- a/templates/register.html
+++ b/templates/register.html
@ -17,6 +17,7 @@
      <form action="/reg" method="POST">
        <ul>
          <li>Password must be at least 8 characters long.</li>
+          <li>Username must not contain any of the following characters: %&.+?;</li>
          <li>Username may not contain offensive content.</li>
          <li>Your username cannot be changed later.</li>
        </ul>