diff --git a/website/web/__init__.py b/website/web/__init__.py
index 28eb6c9..3168003 100644
--- a/website/web/__init__.py
+++ b/website/web/__init__.py
@@ -53,7 +53,7 @@ else:
 all_timezones_set = available_timezones()
 from .genericapi import api as generic_api
-from .helpers import (User, build_users_table, get_secret_key,
+from .helpers import (User, valid_username, build_users_table, get_secret_key,
 load_user_from_request, src_request_ip, sri_load, get_lookyloo_instance)
 from .proxied import ReverseProxied
@@ -107,6 +107,9 @@ def login() -> WerkzeugResponse | str | Response:
 '''
 username = request.form['username']
+ if not valid_username(username):
+ flash('User is not permitted.', 'error')
+ return redirect(url_for('login'))
 users_table = build_users_table()
 if username in users_table and check_password_hash(users_table[username]['password'], request.form['password']):
 user = User()
@@ -1636,14 +1639,13 @@ def capture_web() -> str | Response | WerkzeugResponse:
 @app.route('/simple_capture', methods=['GET','POST'])
 @flask_login.login_required # type: ignore[misc]
 def simple_capture() -> str | Response | WerkzeugResponse:
- if flask_login.current_user.is_authenticated:
- user = flask_login.current_user.get_id()
- else:
- user = src_request_ip(request)
+ user = flask_login.current_user.get_id()
+ if not re.match("^[A-Za-z0-9]+$", user):
+ # Username has been manipulated
+ flash('User is not permitted.', 'error')
+ return redirect(url_for('submit_capture'))
+
 if request.method == 'POST':
- if not re.match("^[A-Za-z]+$", user):
- flash('User is not permitted.', 'error')
- return redirect(url_for('simple_capture'))
 if not (request.form.get('url') or request.form.get('urls')):
 flash('Invalid submission: please submit at least a URL.', 'error')
 return render_template('simple_capture.html')
diff --git a/website/web/helpers.py b/website/web/helpers.py
index 4a107a8..3a49fd1 100644
--- a/website/web/helpers.py
+++ b/website/web/helpers.py
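Review bot: The guard added at the top of simple_capture() inlines `re.match("^[A-Za-z0-9]+$", user)` instead of calling the `valid_username` helper that this same commit imports into `__init__.py`, so the two username rules can silently drift apart; prefer `if not valid_username(user):`. Independently, `re.match` with a `$` anchor still matches when the string ends in a single trailing newline (`"alice\n"` passes), so the strict form is `re.fullmatch(r"[A-Za-z0-9]+", user)`, and the same applies to `valid_username` in the helpers.py hunk below. The redirect target changed from `simple_capture` to `submit_capture`; whether an endpoint of that name is registered is not visible here, and if it is not, `url_for` raises BuildError instead of redirecting. If `get_id()` can return None for this User type, `re.match` raises TypeError before the flash, which is worth confirming against the User class. simple_capture's body continues past the end of the hunk.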
@@ -49,6 +49,8 @@ def load_user_from_request(request: Request) -> User | None:
 return user
 return None
+def valid_username(username: str) -> bool:
+ return re.match("^[A-Za-z0-9]+$", username)
 @lru_cache(64)
 def build_keys_table() -> dict[str, str]:
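Review bot: `valid_username` is annotated `-> bool` but returns the `re.Match | None` that `re.match` produces, so the `if not valid_username(...)` call sites work while the annotation is wrong and a type checker (the file already carries `type: ignore` markers) will flag it; `return re.fullmatch(r"[A-Za-z0-9]+", username) is not None` gives a real bool and also drops the trailing-newline tolerance of `$`. The hunk does not show whether `re` is already imported in helpers.py; if it is not, this is a NameError on first call. The helper has no docstring; a one-liner such as `"""Return True when *username* is non-empty and consists only of ASCII letters and digits."""` documents the accepted character set where the rule lives. Note that `[A-Za-z0-9]` rejects names containing `_`, `-` or `.`, so any existing accounts with such names in the users table would be locked out; confirm against current data.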