diff --git a/lib/sanitize.js b/lib/sanitize.js
new file mode 100644
index 0000000000000000000000000000000000000000..dd02b5d22324f62862bb8a29016c6287531f5789
--- /dev/null
+++ b/lib/sanitize.js
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// a teensy tinsy module to do parameter sanitization.  A good candiate for future
+// librification.
+//
+// usage:
+//
+//   const sanitize = require('sanitize');
+//
+//   sanitize(value).isEmail();
+//   sanitize(value).isDomain();
+
+// XXX - should review these simple regexps
+
+var logger = require('./logging.js').logger;
+
+module.exports = function (value) {
+  var isEmail = function() {
+    
+    if (!value.toLowerCase().match(/^[\w.!#$%&'*+\-/=?\^`{|}~]+@[a-z\d-]+(\.[a-z\d-]+)+$/i))
+      throw "not a valid email";
+  };
+
+  var isDomain = function() {
+    if (!value.match(/^[a-z\d-]+(\.[a-z\d-]+)+$/i)) {
+      throw "not a valid domain";      
+    }
+  };
+  
+  return {
+    isEmail: isEmail,
+    isDomain: isDomain
+  };
+};
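Review bot: Both validators throw bare strings (`throw "not a valid email";` in isEmail and `throw "not a valid domain";` in isDomain), so a caller cannot tell a validation failure apart from any other exception by type and gets no stack trace; these should be `throw new Error("not a valid email");` and `throw new Error("not a valid domain");`. A missing or non-string parameter is also not reported as a validation failure: `value.toLowerCase()` and `value.match()` raise a TypeError when `req.body.email` or `req.body.site` is absent, which is the usual shape of a malformed request, so a guard such as `if (typeof value !== 'string') throw new Error("value must be a string");` at the top of the exported function would make that rejection deliberate. Neither regexp bounds the input length, so a cheap `value.length` check before the match would reject oversized values outright. `logger` is required at the top of the file but never used in it.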
diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
index 8acda357269408aacc0fb5741172dd9015c4709c..7d59d4924ae4e0d1f85df9add857454337e083aa 100644
--- a/lib/wsapi/stage_email.js
+++ b/lib/wsapi/stage_email.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -22,6 +23,11 @@ exports.args = ['email','site'];
 exports.i18n = true;
 
 exports.process = function(req, res) {
+  // validate
+  // should do this one but it's failing for some reason
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isDomain();
+  
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(res, err);
 
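Review bot: The two sanitize calls added at the top of exports.process throw synchronously and nothing in the handler catches them, so a malformed `email` or `site` escapes `process` as an uncaught exception instead of a 4xx response; the identical lines added to stage_user.js have the same problem. Wrap them and answer through the bad-request helper httputils exposes (it is already required on the context line above), e.g. `try { sanitize(req.body.email).isEmail(); sanitize(req.body.site).isDomain(); } catch (e) { return httputils.badRequest(res, String(e)); }`, adjusting the helper name to whatever httputils provides. The comment `// should do this one but it's failing for some reason` sits above both calls and does not say which call fails or how; either name the failing case or drop the comment before merge. The body of exports.process continues past the end of this hunk.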
diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
index 14bb947e148a270e4f5b25c7714a1d24f94114fd..7ff035f29d6f251fece35d7e303dea52b4093a6a 100644
--- a/lib/wsapi/stage_user.js
+++ b/lib/wsapi/stage_user.js
@@ -7,7 +7,8 @@ db = require('../db.js'),
 wsapi = require('../wsapi.js'),
 httputils = require('../httputils'),
 logger = require('../logging.js').logger,
-email = require('../email.js');
+email = require('../email.js'),
+sanitize = require('../sanitize');
 
 /* First half of account creation.  Stages a user account for creation.
  * this involves creating a secret url that must be delivered to the
@@ -27,6 +28,10 @@ exports.process = function(req, resp) {
   // staging a user logs you out.
   wsapi.clearAuthenticatedUser(req.session);
 
+  // validate
+  sanitize(req.body.email).isEmail();
+  sanitize(req.body.site).isDomain();
+
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(resp, err);
 
diff --git a/tests/add-email-with-assertion-test.js b/tests/add-email-with-assertion-test.js
index 900e5d4a6139957188a2312060bd46d356f65bc2..ce85baeabde4cf334338b44641b073885cfc091a 100755
--- a/tests/add-email-with-assertion-test.js
+++ b/tests/add-email-with-assertion-test.js
@@ -31,7 +31,7 @@ start_stop.addStartupBatches(suite);
 const TEST_DOMAIN = 'example.domain',
       TEST_EMAIL = 'testuser@' + TEST_DOMAIN,
       TEST_ORIGIN = 'http://127.0.0.1:10002',
-      TEST_FIRST_ACCT = 'testuser@fake.domain';
+      TEST_FIRST_ACCT = 'test.user+folder@fake.domain';
 
 // This test will excercise the ability to add an email to an
 // account using an assertion from a primary
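Review bot: Changing TEST_FIRST_ACCT to `test.user+folder@fake.domain` only checks that the dot and plus in the local part are accepted; nothing in the diff asserts that an invalid `email` or `site` is rejected by stage_email or stage_user, so a regression in the regexps, or in how the thrown validation error is turned into a response, would still pass the suite. A companion negative case that posts a malformed address and expects a non-200 status would cover the new code path. The rest of this test is outside the hunk.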