From fc2c99bcb4fbb355c9b1547dbdd777ad54927e6b Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 29 May 2018 16:16:52 +0200
Subject: [PATCH] Limit the username to letters and digits only
---
 .../src/main/java/org/owasp/webgoat/users/UserForm.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
index afcbd0615..c9e3b7d70 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
@@ -4,6 +4,7 @@ import lombok.Getter;
 import lombok.Setter;
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 /**
@@ -16,6 +17,7 @@ public class UserForm {
 @NotNull
 @Size(min=6, max=20)
+ @Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits")
 private String username;
 @NotNull
 @Size(min=6, max=10)
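Review bot: The new `@Pattern` on `username` in the second hunk accepts both upper- and lower-case letters, so constructed names such as `Alice01` and `alice01` both pass validation as distinct values; if the user store, a lookup, or anything derived from the name (for instance a per-user directory on a case-insensitive filesystem) folds case, the two accounts would collide. None of that code is visible here, so this is something to confirm rather than a proven defect, but narrowing the set is the cheaper fix: `@Pattern(regexp = "[a-z0-9]*", message = "can only contain lowercase letters and digits")`. A one-line comment above the annotation, e.g. `// whole-value match, so no ^...$ anchors; null and length are covered by @NotNull and @Size`, would also explain why the `*` quantifier is safe. The constraint is only enforced where `UserForm` is bound with `@Valid`/`@Validated`, and the class body continues outside the hunk, so that call site should be checked as well.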