diff --git a/daemon.py b/daemon.py
index da7d5648e..e2be1e3cf 100644
--- a/daemon.py
+++ b/daemon.py
@@ -7599,6 +7599,11 @@ class PubServer(BaseHTTPRequestHandler):
                 petname = optionsConfirmParams.split('optionpetname=')[1]
                 if '&' in petname:
                     petname = petname.split('&')[0]
+                # Limit the length of the petname
+                if len(petname) > 20 or \
+                   ' ' in petname or '/' in petname or \
+                   '?' in petname or '#' in petname:
+                    petname = None
 
             optionsNickname = getNicknameFromActor(optionsActor)
             if not optionsNickname: