diff --git a/lib/wsapi/stage_email.js b/lib/wsapi/stage_email.js
index 76bca3b86b2e20b4268e2c53791db39c36228874..6ffe560eefd98102908f86946076a0643f99d083 100644
--- a/lib/wsapi/stage_email.js
+++ b/lib/wsapi/stage_email.js
@@ -24,10 +24,15 @@ exports.i18n = true;
 
 exports.process = function(req, res) {
   // validate
-  // should do this one but it's failing for some reason
-  sanitize(req.body.email).isEmail();
-  sanitize(req.body.site).isOrigin();
-  
+  try {
+    sanitize(req.body.email).isEmail();
+    sanitize(req.body.site).isOrigin();
+  } catch(e) {
+    var msg = "invalid arguments: " + e;
+    logger.warn("bad request received: " + msg);
+    return httputils.badRequest(resp, msg);
+  }
+
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(res, err);
 
diff --git a/lib/wsapi/stage_user.js b/lib/wsapi/stage_user.js
index ca1a3318c4eb194829e2a36fce08c628835be335..0408b7e76a53de41a380254feed56c9ae8282773 100644
--- a/lib/wsapi/stage_user.js
+++ b/lib/wsapi/stage_user.js
@@ -29,8 +29,14 @@ exports.process = function(req, resp) {
   wsapi.clearAuthenticatedUser(req.session);
 
   // validate
-  sanitize(req.body.email).isEmail();
-  sanitize(req.body.site).isOrigin();
+  try {
+    sanitize(req.body.email).isEmail();
+    sanitize(req.body.site).isOrigin();
+  } catch(e) {
+    var msg = "invalid arguments: " + e;
+    logger.warn("bad request received: " + msg);
+    return httputils.badRequest(resp, msg);
+  }
 
   db.lastStaged(req.body.email, function (err, last) {
     if (err) return wsapi.databaseDown(resp, err);