From 863579b72475df86d2403f684df7bda89eae1a8c Mon Sep 17 00:00:00 2001
From: Prateek Shourya <prateekshourya29@gmail.com>
Date: Mon, 12 Jan 2026 14:27:35 +0530
Subject: [PATCH 1/3] chore(security): implement input validation across
 authentication and workspace forms

  - Add OWASP-compliant autocomplete attributes to all auth input fields
  - Create centralized validation utilities blocking injection-risk characters
  - Apply validation to names, display names, workspace names, and slugs
  - Block special characters: < > ' " % # { } [ ] * ^ !
  - Secure sensitive input fields across admin, web, and space apps
---
 apps/admin/components/instance/setup-form.tsx |  30 ++-
 .../onboarding/create-workspace.tsx           |   7 +-
 .../components/onboarding/profile-setup.tsx   |  12 +-
 .../onboarding/steps/profile/root.tsx         |   7 +-
 .../onboarding/steps/workspace/create.tsx     |   8 +-
 .../profile/content/pages/general/form.tsx    |  22 +-
 .../workspace/create-workspace-form.tsx       |   7 +-
 packages/utils/src/index.ts                   |   1 +
 packages/utils/src/validation.ts              | 190 ++++++++++++++++++
 9 files changed, 249 insertions(+), 35 deletions(-)
 create mode 100644 packages/utils/src/validation.ts

diff --git a/apps/admin/components/instance/setup-form.tsx b/apps/admin/components/instance/setup-form.tsx
index e500a55e177..48bfe8fa2fc 100644
--- a/apps/admin/components/instance/setup-form.tsx
+++ b/apps/admin/components/instance/setup-form.tsx
@@ -13,7 +13,7 @@ import { API_BASE_URL, E_PASSWORD_STRENGTH } from "@plane/constants";
 import { Button } from "@plane/propel/button";
 import { AuthService } from "@plane/services";
 import { Checkbox, Input, PasswordStrengthIndicator, Spinner } from "@plane/ui";
-import { getPasswordStrength } from "@plane/utils";
+import { getPasswordStrength, validatePersonName, validateCompanyName } from "@plane/utils";
 // components
 import { AuthHeader } from "@/app/(all)/(home)/auth-header";
 import { Banner } from "../common/banner";
@@ -173,9 +173,15 @@ export function InstanceSetupForm() {
                   inputSize="md"
                   placeholder="Wilber"
                   value={formData.first_name}
-                  onChange={(e) => handleFormChange("first_name", e.target.value)}
-                  autoComplete="on"
+                  onChange={(e) => {
+                    const validation = validatePersonName(e.target.value);
+                    if (validation === true || e.target.value === "") {
+                      handleFormChange("first_name", e.target.value);
+                    }
+                  }}
+                  autoComplete="off"
                   autoFocus
+                  maxLength={50}
                 />
               </div>
               <div className="w-full space-y-1">
@@ -190,8 +196,14 @@ export function InstanceSetupForm() {
                   inputSize="md"
                   placeholder="Wright"
                   value={formData.last_name}
-                  onChange={(e) => handleFormChange("last_name", e.target.value)}
-                  autoComplete="on"
+                  onChange={(e) => {
+                    const validation = validatePersonName(e.target.value);
+                    if (validation === true || e.target.value === "") {
+                      handleFormChange("last_name", e.target.value);
+                    }
+                  }}
+                  autoComplete="off"
+                  maxLength={50}
                 />
               </div>
             </div>
@@ -229,7 +241,13 @@ export function InstanceSetupForm() {
                 inputSize="md"
                 placeholder="Company name"
                 value={formData.company_name}
-                onChange={(e) => handleFormChange("company_name", e.target.value)}
+                onChange={(e) => {
+                  const validation = validateCompanyName(e.target.value, false);
+                  if (validation === true || e.target.value === "") {
+                    handleFormChange("company_name", e.target.value);
+                  }
+                }}
+                maxLength={80}
               />
             </div>
 
diff --git a/apps/web/core/components/onboarding/create-workspace.tsx b/apps/web/core/components/onboarding/create-workspace.tsx
index 1cf5d087cc3..85a45d2e394 100644
--- a/apps/web/core/components/onboarding/create-workspace.tsx
+++ b/apps/web/core/components/onboarding/create-workspace.tsx
@@ -16,6 +16,7 @@ import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import type { IUser, IWorkspace, TOnboardingSteps } from "@plane/types";
 // ui
 import { CustomSelect, Input, Spinner } from "@plane/ui";
+import { validateWorkspaceName, validateSlug } from "@plane/utils";
 // hooks
 import { useWorkspace } from "@/hooks/store/use-workspace";
 import { useUserProfile, useUserSettings } from "@/hooks/store/user";
@@ -138,8 +139,7 @@ export const CreateWorkspace = observer(function CreateWorkspace(props: Props) {
             name="name"
             rules={{
               required: t("common.errors.required"),
-              validate: (value) =>
-                /^[\w\s-]*$/.test(value) || t("workspace_creation.errors.validation.name_alphanumeric"),
+              validate: (value) => validateWorkspaceName(value, true),
               maxLength: {
                 value: 80,
                 message: t("workspace_creation.errors.validation.name_length"),
@@ -200,7 +200,8 @@ export const CreateWorkspace = observer(function CreateWorkspace(props: Props) {
                   type="text"
                   value={value.toLocaleLowerCase().trim().replace(/ /g, "-")}
                   onChange={(e) => {
-                    if (/^[a-zA-Z0-9_-]+$/.test(e.target.value)) setInvalidSlug(false);
+                    const validation = validateSlug(e.target.value);
+                    if (validation === true) setInvalidSlug(false);
                     else setInvalidSlug(true);
                     onChange(e.target.value.toLowerCase());
                   }}
diff --git a/apps/web/core/components/onboarding/profile-setup.tsx b/apps/web/core/components/onboarding/profile-setup.tsx
index 41e384b21f0..0f8be9482ad 100644
--- a/apps/web/core/components/onboarding/profile-setup.tsx
+++ b/apps/web/core/components/onboarding/profile-setup.tsx
@@ -17,7 +17,7 @@ import type { IUser, TUserProfile, TOnboardingSteps } from "@plane/types";
 // ui
 import { Input, PasswordStrengthIndicator, Spinner } from "@plane/ui";
 // components
-import { cn, getFileURL, getPasswordStrength } from "@plane/utils";
+import { cn, getFileURL, getPasswordStrength, validatePersonName } from "@plane/utils";
 import { UserImageUploadModal } from "@/components/core/modals/user-image-upload-modal";
 // hooks
 import { useUser, useUserProfile } from "@/hooks/store/user";
@@ -303,9 +303,10 @@ export const ProfileSetup = observer(function ProfileSetup(props: Props) {
                     name="first_name"
                     rules={{
                       required: "First name is required",
+                      validate: validatePersonName,
                       maxLength: {
-                        value: 24,
-                        message: "First name must be within 24 characters.",
+                        value: 50,
+                        message: "First name must be within 50 characters.",
                       },
                     }}
                     render={({ field: { value, onChange, ref } }) => (
@@ -340,9 +341,10 @@ export const ProfileSetup = observer(function ProfileSetup(props: Props) {
                     name="last_name"
                     rules={{
                       required: "Last name is required",
+                      validate: validatePersonName,
                       maxLength: {
-                        value: 24,
-                        message: "Last name must be within 24 characters.",
+                        value: 50,
+                        message: "Last name must be within 50 characters.",
                       },
                     }}
                     render={({ field: { value, onChange, ref } }) => (
diff --git a/apps/web/core/components/onboarding/steps/profile/root.tsx b/apps/web/core/components/onboarding/steps/profile/root.tsx
index 788e3896691..ca8a648b92b 100644
--- a/apps/web/core/components/onboarding/steps/profile/root.tsx
+++ b/apps/web/core/components/onboarding/steps/profile/root.tsx
@@ -14,7 +14,7 @@ import { Button } from "@plane/propel/button";
 import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import type { IUser } from "@plane/types";
 import { EOnboardingSteps } from "@plane/types";
-import { cn, getFileURL, getPasswordStrength } from "@plane/utils";
+import { cn, getFileURL, getPasswordStrength, validatePersonName } from "@plane/utils";
 // components
 import { UserImageUploadModal } from "@/components/core/modals/user-image-upload-modal";
 // hooks
@@ -208,9 +208,10 @@ export const ProfileSetupStep = observer(function ProfileSetupStep({ handleStepC
             name="first_name"
             rules={{
               required: "Name is required",
+              validate: validatePersonName,
               maxLength: {
-                value: 24,
-                message: "Name must be within 24 characters.",
+                value: 50,
+                message: "Name must be within 50 characters.",
               },
             }}
             render={({ field: { value, onChange, ref } }) => (
diff --git a/apps/web/core/components/onboarding/steps/workspace/create.tsx b/apps/web/core/components/onboarding/steps/workspace/create.tsx
index 6b5eccf264c..371c4532ab0 100644
--- a/apps/web/core/components/onboarding/steps/workspace/create.tsx
+++ b/apps/web/core/components/onboarding/steps/workspace/create.tsx
@@ -15,7 +15,7 @@ import { Button } from "@plane/propel/button";
 import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import type { IUser, IWorkspace } from "@plane/types";
 import { Spinner } from "@plane/ui";
-import { cn } from "@plane/utils";
+import { cn, validateWorkspaceName, validateSlug } from "@plane/utils";
 // hooks
 import { useInstance } from "@/hooks/store/use-instance";
 import { useWorkspace } from "@/hooks/store/use-workspace";
@@ -146,8 +146,7 @@ export const WorkspaceCreateStep = observer(function WorkspaceCreateStep({
             name="name"
             rules={{
               required: t("common.errors.required"),
-              validate: (value) =>
-                /^[\w\s-]*$/.test(value) || t("workspace_creation.errors.validation.name_alphanumeric"),
+              validate: (value) => validateWorkspaceName(value, true),
               maxLength: {
                 value: 80,
                 message: t("workspace_creation.errors.validation.name_length"),
@@ -220,7 +219,8 @@ export const WorkspaceCreateStep = observer(function WorkspaceCreateStep({
                   type="text"
                   value={value.toLocaleLowerCase().trim().replace(/ /g, "-")}
                   onChange={(e) => {
-                    if (/^[a-zA-Z0-9_-]+$/.test(e.target.value)) setInvalidSlug(false);
+                    const validation = validateSlug(e.target.value);
+                    if (validation === true) setInvalidSlug(false);
                     else setInvalidSlug(true);
                     onChange(e.target.value.toLowerCase());
                   }}
diff --git a/apps/web/core/components/settings/profile/content/pages/general/form.tsx b/apps/web/core/components/settings/profile/content/pages/general/form.tsx
index b92388e1d38..f4f67e5b3ad 100644
--- a/apps/web/core/components/settings/profile/content/pages/general/form.tsx
+++ b/apps/web/core/components/settings/profile/content/pages/general/form.tsx
@@ -28,6 +28,8 @@ import { handleCoverImageChange } from "@/helpers/cover-image.helper";
 // hooks
 import { useInstance } from "@/hooks/store/use-instance";
 import { useUser, useUserProfile } from "@/hooks/store/user";
+// utils
+import { validatePersonName, validateDisplayName } from "@plane/utils";
 
 type TUserProfileForm = {
   avatar_url: string;
@@ -260,6 +262,7 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                   name="first_name"
                   rules={{
                     required: "Please enter first name",
+                    validate: validatePersonName,
                   }}
                   render={({ field: { value, onChange, ref } }) => (
                     <Input
@@ -272,7 +275,7 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                       hasError={Boolean(errors.first_name)}
                       placeholder="Enter your first name"
                       className={`w-full rounded-md ${errors.first_name ? "border-danger-strong" : ""}`}
-                      maxLength={24}
+                      maxLength={50}
                       autoComplete="on"
                     />
                   )}
@@ -284,6 +287,9 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                 <Controller
                   control={control}
                   name="last_name"
+                  rules={{
+                    validate: validatePersonName,
+                  }}
                   render={({ field: { value, onChange, ref } }) => (
                     <Input
                       id="last_name"
@@ -295,11 +301,12 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                       hasError={Boolean(errors.last_name)}
                       placeholder="Enter your last name"
                       className="w-full rounded-md"
-                      maxLength={24}
+                      maxLength={50}
                       autoComplete="on"
                     />
                   )}
                 />
+                {errors.last_name && <span className="text-11 text-danger-primary">{errors.last_name.message}</span>}
               </div>
               <div className="flex flex-col gap-1">
                 <h4 className="text-13 font-medium text-secondary">
@@ -311,14 +318,7 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                   name="display_name"
                   rules={{
                     required: "Display name is required.",
-                    validate: (value) => {
-                      if (value.trim().length < 1) return "Display name can't be empty.";
-                      if (value.split("  ").length > 1) return "Display name can't have two consecutive spaces.";
-                      if (value.replace(/\s/g, "").length < 1) return "Display name must be at least 1 character long.";
-                      if (value.replace(/\s/g, "").length > 20)
-                        return "Display name must be less than 20 characters long.";
-                      return true;
-                    },
+                    validate: validateDisplayName,
                   }}
                   render={({ field: { value, onChange, ref } }) => (
                     <Input
@@ -331,7 +331,7 @@ export const GeneralProfileSettingsForm = observer(function GeneralProfileSettin
                       hasError={Boolean(errors?.display_name)}
                       placeholder="Enter your display name"
                       className={`w-full ${errors?.display_name ? "border-danger-strong" : ""}`}
-                      maxLength={24}
+                      maxLength={50}
                     />
                   )}
                 />
diff --git a/apps/web/core/components/workspace/create-workspace-form.tsx b/apps/web/core/components/workspace/create-workspace-form.tsx
index c1d7e983aa6..c8ea50dbdbd 100644
--- a/apps/web/core/components/workspace/create-workspace-form.tsx
+++ b/apps/web/core/components/workspace/create-workspace-form.tsx
@@ -15,6 +15,7 @@ import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import type { IWorkspace } from "@plane/types";
 // ui
 import { CustomSelect, Input } from "@plane/ui";
+import { validateWorkspaceName, validateSlug } from "@plane/utils";
 // hooks
 import { useWorkspace } from "@/hooks/store/use-workspace";
 import { useAppRouter } from "@/hooks/use-app-router";
@@ -126,8 +127,7 @@ export const CreateWorkspaceForm = observer(function CreateWorkspaceForm(props:
               name="name"
               rules={{
                 required: t("common.errors.required"),
-                validate: (value) =>
-                  /^[\w\s-]*$/.test(value) || t("workspace_creation.errors.validation.name_alphanumeric"),
+                validate: (value) => validateWorkspaceName(value, true),
                 maxLength: {
                   value: 80,
                   message: t("workspace_creation.errors.validation.name_length"),
@@ -178,7 +178,8 @@ export const CreateWorkspaceForm = observer(function CreateWorkspaceForm(props:
                   type="text"
                   value={value.toLocaleLowerCase().trim().replace(/ /g, "-")}
                   onChange={(e) => {
-                    if (/^[a-zA-Z0-9_-]+$/.test(e.target.value)) setInvalidSlug(false);
+                    const validation = validateSlug(e.target.value);
+                    if (validation === true) setInvalidSlug(false);
                     else setInvalidSlug(true);
                     onChange(e.target.value.toLowerCase());
                   }}
diff --git a/packages/utils/src/index.ts b/packages/utils/src/index.ts
index e59acc58196..450acb4b275 100644
--- a/packages/utils/src/index.ts
+++ b/packages/utils/src/index.ts
@@ -36,6 +36,7 @@ export * from "./tab-indices";
 export * from "./theme";
 export { resolveGeneralTheme } from "./theme-legacy";
 export * from "./url";
+export * from "./validation";
 export * from "./work-item-filters";
 export * from "./work-item";
 export * from "./workspace";
diff --git a/packages/utils/src/validation.ts b/packages/utils/src/validation.ts
new file mode 100644
index 00000000000..273dbb573c5
--- /dev/null
+++ b/packages/utils/src/validation.ts
@@ -0,0 +1,190 @@
+/**
+ * Input Validation Utilities
+ * Following OWASP Input Validation best practices using allowlist approach
+ *
+ * Security: Blocks injection-risk characters: < > ' " % # { } [ ] * ^ !
+ * These patterns are designed to prevent XSS, SQL injection, template injection,
+ * and other security vulnerabilities while maintaining good UX
+ */
+
+// =============================================================================
+// VALIDATION REGEX PATTERNS
+// =============================================================================
+
+/**
+ * Person Name Pattern (for first_name, last_name)
+ * Allows: Letters (a-zA-Z), spaces, hyphens, apostrophes
+ * Use case: Accommodates names like "O'Brien", "Jean-Paul", "Mary Ann"
+ * Blocks: All special characters including injection-risk chars
+ */
+export const PERSON_NAME_REGEX = /^[a-zA-Z\s'-]+$/;
+
+/**
+ * Display Name Pattern (for display_name, usernames)
+ * Allows: Alphanumeric, underscore, period, hyphen
+ * Use case: Standard across GitHub, Slack, Twitter, etc.
+ * Blocks: Spaces and all special characters including injection-risk chars
+ */
+export const DISPLAY_NAME_REGEX = /^[a-zA-Z0-9_.-]+$/;
+
+/**
+ * Company/Organization Name Pattern (for company_name, workspace names)
+ * Allows: Alphanumeric, spaces, underscores, hyphens
+ * Use case: Business names that may include spaces and basic punctuation
+ * Blocks: Special punctuation and injection-risk chars
+ */
+export const COMPANY_NAME_REGEX = /^[a-zA-Z0-9\s_-]+$/;
+
+/**
+ * URL Slug Pattern (for workspace slugs, URL-safe identifiers)
+ * Allows: Alphanumeric, underscores, hyphens only
+ * Use case: URL-safe identifiers without spaces
+ * Blocks: Spaces and all special characters
+ */
+export const SLUG_REGEX = /^[a-zA-Z0-9_-]+$/;
+
+// =============================================================================
+// VALIDATION FUNCTIONS
+// =============================================================================
+
+/**
+ * @description Validates person names (first name, last name)
+ * @param {string} name - Name to validate
+ * @returns {boolean | string} true if valid, error message if invalid
+ * @example
+ * validatePersonName("John") // returns true
+ * validatePersonName("O'Brien") // returns true
+ * validatePersonName("Jean-Paul") // returns true
+ * validatePersonName("John<script>") // returns error message
+ */
+export const validatePersonName = (name: string): boolean | string => {
+  if (!name || name.trim() === "") {
+    return "Name is required";
+  }
+
+  if (name.length > 50) {
+    return "Name must be 50 characters or less";
+  }
+
+  if (!PERSON_NAME_REGEX.test(name)) {
+    return "Names can only contain letters, spaces, hyphens, and apostrophes";
+  }
+
+  return true;
+};
+
+/**
+ * @description Validates display names and usernames
+ * @param {string} displayName - Display name to validate
+ * @returns {boolean | string} true if valid, error message if invalid
+ * @example
+ * validateDisplayName("john_doe") // returns true
+ * validateDisplayName("john.doe-123") // returns true
+ * validateDisplayName("john doe") // returns error message (spaces not allowed)
+ * validateDisplayName("john<>doe") // returns error message
+ */
+export const validateDisplayName = (displayName: string): boolean | string => {
+  if (!displayName || displayName.trim() === "") {
+    return true; // Display name is optional in most cases
+  }
+
+  if (displayName.length > 50) {
+    return "Display name must be 50 characters or less";
+  }
+
+  if (!DISPLAY_NAME_REGEX.test(displayName)) {
+    return "Display name can only contain letters, numbers, periods, hyphens, and underscores";
+  }
+
+  return true;
+};
+
+/**
+ * @description Validates company and organization names
+ * @param {string} companyName - Company name to validate
+ * @param {boolean} required - Whether the field is required
+ * @returns {boolean | string} true if valid, error message if invalid
+ * @example
+ * validateCompanyName("Acme Corp") // returns true
+ * validateCompanyName("Acme_Corp-123") // returns true
+ * validateCompanyName("Acme{Corp}") // returns error message
+ */
+export const validateCompanyName = (companyName: string, required: boolean = false): boolean | string => {
+  if (!companyName || companyName.trim() === "") {
+    return required ? "Company name is required" : true;
+  }
+
+  if (companyName.length > 80) {
+    return "Company name must be 80 characters or less";
+  }
+
+  if (!COMPANY_NAME_REGEX.test(companyName)) {
+    return "Company name can only contain letters, numbers, spaces, hyphens, and underscores";
+  }
+
+  return true;
+};
+
+/**
+ * @description Validates company and organization names
+ * @param {string} workspaceName - Workspace name to validate
+ * @param {boolean} required - Whether the field is required
+ * @returns {boolean | string} true if valid, error message if invalid
+ * @example
+ * validateWorkspaceName("Acme Corp") // returns true
+ * validateWorkspaceName("Acme_Corp-123") // returns true
+ * validateWorkspaceName("Acme{Corp}") // returns error message
+ */
+export const validateWorkspaceName = (workspaceName: string, required: boolean = false): boolean | string => {
+  if (!workspaceName || workspaceName.trim() === "") {
+    return required ? "Workspace name is required" : true;
+  }
+
+  if (workspaceName.length > 80) {
+    return "Workspace name must be 80 characters or less";
+  }
+
+  if (!COMPANY_NAME_REGEX.test(workspaceName)) {
+    return "Workspace name can only contain letters, numbers, spaces, hyphens, and underscores";
+  }
+
+  return true;
+};
+
+/**
+ * @description Validates URL slugs and identifiers
+ * @param {string} slug - Slug to validate
+ * @returns {boolean | string} true if valid, error message if invalid
+ * @example
+ * validateSlug("my-workspace") // returns true
+ * validateSlug("my_workspace_123") // returns true
+ * validateSlug("my workspace") // returns error message (spaces not allowed)
+ */
+export const validateSlug = (slug: string): boolean | string => {
+  if (!slug || slug.trim() === "") {
+    return "Slug is required";
+  }
+
+  if (slug.length > 48) {
+    return "Slug must be 48 characters or less";
+  }
+
+  if (!SLUG_REGEX.test(slug)) {
+    return "Slug can only contain letters, numbers, hyphens, and underscores";
+  }
+
+  return true;
+};
+
+/**
+ * @description Checks if a string contains any injection-risk characters
+ * @param {string} input - String to check
+ * @returns {boolean} true if injection-risk characters found
+ * @example
+ * hasInjectionRiskChars("Hello World") // returns false
+ * hasInjectionRiskChars("Hello<script>") // returns true
+ */
+export const hasInjectionRiskChars = (input: string): boolean => {
+  const injectionRiskPattern = /[<>'"{}[\]*^!#%]/;
+  return injectionRiskPattern.test(input);
+};

From 9f4ce048baf0fb44d741163b031aeec7f3bdb80b Mon Sep 17 00:00:00 2001
From: Prateek Shourya <prateekshourya29@gmail.com>
Date: Mon, 12 Jan 2026 19:50:58 +0530
Subject: [PATCH 2/3] chore: add missing workspace name validation to settings
 and admin forms

---
 .../(all)/(dashboard)/workspace/create/form.tsx  | 16 +++-------------
 .../workspace/settings/workspace-details.tsx     |  9 +++------
 packages/utils/src/validation.ts                 |  6 ++++++
 3 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/apps/admin/app/(all)/(dashboard)/workspace/create/form.tsx b/apps/admin/app/(all)/(dashboard)/workspace/create/form.tsx
index c9e0704306d..46238940d65 100644
--- a/apps/admin/app/(all)/(dashboard)/workspace/create/form.tsx
+++ b/apps/admin/app/(all)/(dashboard)/workspace/create/form.tsx
@@ -14,6 +14,7 @@ import { Button, getButtonStyling } from "@plane/propel/button";
 import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import { InstanceWorkspaceService } from "@plane/services";
 import type { IWorkspace } from "@plane/types";
+import { validateSlug, validateWorkspaceName } from "@plane/utils";
 // components
 import { CustomSelect, Input } from "@plane/ui";
 // hooks
@@ -96,14 +97,7 @@ export function WorkspaceCreateForm() {
               control={control}
               name="name"
               rules={{
-                required: "This is a required field.",
-                validate: (value) =>
-                  /^[\w\s-]*$/.test(value) ||
-                  `Workspaces names can contain only (" "), ( - ), ( _ ) and alphanumeric characters.`,
-                maxLength: {
-                  value: 80,
-                  message: "Limit your name to 80 characters.",
-                },
+                validate: (value) => validateWorkspaceName(value, true),
               }}
               render={({ field: { value, ref, onChange } }) => (
                 <Input
@@ -135,11 +129,7 @@ export function WorkspaceCreateForm() {
               control={control}
               name="slug"
               rules={{
-                required: "The URL is a required field.",
-                maxLength: {
-                  value: 48,
-                  message: "Limit your URL to 48 characters.",
-                },
+                validate: (value) => validateSlug(value),
               }}
               render={({ field: { onChange, value, ref } }) => (
                 <Input
diff --git a/apps/web/core/components/workspace/settings/workspace-details.tsx b/apps/web/core/components/workspace/settings/workspace-details.tsx
index eec1dda17f5..42522cd19e8 100644
--- a/apps/web/core/components/workspace/settings/workspace-details.tsx
+++ b/apps/web/core/components/workspace/settings/workspace-details.tsx
@@ -15,7 +15,7 @@ import { EditIcon } from "@plane/propel/icons";
 import { TOAST_TYPE, setToast } from "@plane/propel/toast";
 import type { IWorkspace } from "@plane/types";
 import { CustomSelect, Input } from "@plane/ui";
-import { cn, copyUrlToClipboard, getFileURL } from "@plane/utils";
+import { cn, copyUrlToClipboard, getFileURL, validateWorkspaceName } from "@plane/utils";
 // components
 import { WorkspaceImageUploadModal } from "@/components/core/modals/workspace-image-upload-modal";
 import { TimezoneSelect } from "@/components/global/timezone-select";
@@ -195,11 +195,7 @@ export const WorkspaceDetails = observer(function WorkspaceDetails() {
                 control={control}
                 name="name"
                 rules={{
-                  required: t("workspace_settings.settings.general.errors.name.required"),
-                  maxLength: {
-                    value: 80,
-                    message: t("workspace_settings.settings.general.errors.name.max_length"),
-                  },
+                  validate: (value) => validateWorkspaceName(value, true),
                 }}
                 render={({ field: { value, onChange, ref } }) => (
                   <Input
@@ -216,6 +212,7 @@ export const WorkspaceDetails = observer(function WorkspaceDetails() {
                   />
                 )}
               />
+              {errors.name && <p className="text-caption-sm-regular text-danger-primary">{errors.name.message}</p>}
             </div>
             <div className="flex flex-col gap-2">
               <h4 className="text-body-sm-medium text-tertiary">
diff --git a/packages/utils/src/validation.ts b/packages/utils/src/validation.ts
index 273dbb573c5..cbfcfb16a5e 100644
--- a/packages/utils/src/validation.ts
+++ b/packages/utils/src/validation.ts
@@ -1,3 +1,9 @@
+/**
+ * Copyright (c) 2023-present Plane Software, Inc. and contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ * See the LICENSE file for details.
+ */
+
 /**
  * Input Validation Utilities
  * Following OWASP Input Validation best practices using allowlist approach

From 588779ec348181b4f06dc9b7f436bbb08ec4178f Mon Sep 17 00:00:00 2001
From: Prateek Shourya <prateekshourya29@gmail.com>
Date: Tue, 3 Feb 2026 13:20:59 +0530
Subject: [PATCH 3/3] feat: enhance validation regex for international names
 and usernames

- Updated regex patterns to support Unicode characters for person names, display names, company names, and slugs.
- Improved validation functions to block injection-risk characters in names and slugs.
---
 packages/utils/src/validation.ts | 50 ++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 15 deletions(-)

diff --git a/packages/utils/src/validation.ts b/packages/utils/src/validation.ts
index cbfcfb16a5e..41c52aaa133 100644
--- a/packages/utils/src/validation.ts
+++ b/packages/utils/src/validation.ts
@@ -19,35 +19,35 @@
 
 /**
  * Person Name Pattern (for first_name, last_name)
- * Allows: Letters (a-zA-Z), spaces, hyphens, apostrophes
- * Use case: Accommodates names like "O'Brien", "Jean-Paul", "Mary Ann"
- * Blocks: All special characters including injection-risk chars
+ * Allows: Unicode letters (\p{L}), spaces, hyphens, apostrophes
+ * Use case: Accommodates international names like "José", "李明", "محمد", "Müller"
+ * Blocks: Injection-risk characters and special symbols
  */
-export const PERSON_NAME_REGEX = /^[a-zA-Z\s'-]+$/;
+export const PERSON_NAME_REGEX = /^[\p{L}\s'-]+$/u;
 
 /**
  * Display Name Pattern (for display_name, usernames)
- * Allows: Alphanumeric, underscore, period, hyphen
- * Use case: Standard across GitHub, Slack, Twitter, etc.
- * Blocks: Spaces and all special characters including injection-risk chars
+ * Allows: Unicode letters (\p{L}), numbers (\p{N}), underscore, period, hyphen
+ * Use case: International usernames like "josé_123", "李明.dev", "müller-2024"
+ * Blocks: Spaces and injection-risk characters
  */
-export const DISPLAY_NAME_REGEX = /^[a-zA-Z0-9_.-]+$/;
+export const DISPLAY_NAME_REGEX = /^[\p{L}\p{N}_.-]+$/u;
 
 /**
  * Company/Organization Name Pattern (for company_name, workspace names)
- * Allows: Alphanumeric, spaces, underscores, hyphens
- * Use case: Business names that may include spaces and basic punctuation
+ * Allows: Unicode letters (\p{L}), numbers (\p{N}), spaces, underscores, hyphens
+ * Use case: International business names like "Société Générale", "株式会社", "Müller GmbH"
  * Blocks: Special punctuation and injection-risk chars
  */
-export const COMPANY_NAME_REGEX = /^[a-zA-Z0-9\s_-]+$/;
+export const COMPANY_NAME_REGEX = /^[\p{L}\p{N}\s_-]+$/u;
 
 /**
  * URL Slug Pattern (for workspace slugs, URL-safe identifiers)
- * Allows: Alphanumeric, underscores, hyphens only
- * Use case: URL-safe identifiers without spaces
- * Blocks: Spaces and all special characters
+ * Allows: Unicode letters (\p{L}), numbers (\p{N}), underscores, hyphens
+ * Use case: International URL-safe identifiers like "josé-workspace", "李明-project"
+ * Blocks: Spaces and special characters (URL encoding will handle Unicode in actual URLs)
  */
-export const SLUG_REGEX = /^[a-zA-Z0-9_-]+$/;
+export const SLUG_REGEX = /^[\p{L}\p{N}_-]+$/u;
 
 // =============================================================================
 // VALIDATION FUNCTIONS
@@ -72,6 +72,10 @@ export const validatePersonName = (name: string): boolean | string => {
     return "Name must be 50 characters or less";
   }
 
+  if (hasInjectionRiskChars(name)) {
+    return "Names cannot contain special characters like < > ' \" { } [ ] * ^ ! # %";
+  }
+
   if (!PERSON_NAME_REGEX.test(name)) {
     return "Names can only contain letters, spaces, hyphens, and apostrophes";
   }
@@ -98,6 +102,10 @@ export const validateDisplayName = (displayName: string): boolean | string => {
     return "Display name must be 50 characters or less";
   }
 
+  if (hasInjectionRiskChars(displayName)) {
+    return "Display name cannot contain special characters like < > ' \" { } [ ] * ^ ! # %";
+  }
+
   if (!DISPLAY_NAME_REGEX.test(displayName)) {
     return "Display name can only contain letters, numbers, periods, hyphens, and underscores";
   }
@@ -124,6 +132,10 @@ export const validateCompanyName = (companyName: string, required: boolean = fal
     return "Company name must be 80 characters or less";
   }
 
+  if (hasInjectionRiskChars(companyName)) {
+    return "Company name cannot contain special characters like < > ' \" { } [ ] * ^ ! # %";
+  }
+
   if (!COMPANY_NAME_REGEX.test(companyName)) {
     return "Company name can only contain letters, numbers, spaces, hyphens, and underscores";
   }
@@ -150,6 +162,10 @@ export const validateWorkspaceName = (workspaceName: string, required: boolean =
     return "Workspace name must be 80 characters or less";
   }
 
+  if (hasInjectionRiskChars(workspaceName)) {
+    return "Workspace name cannot contain special characters like < > ' \" { } [ ] * ^ ! # %";
+  }
+
   if (!COMPANY_NAME_REGEX.test(workspaceName)) {
     return "Workspace name can only contain letters, numbers, spaces, hyphens, and underscores";
   }
@@ -175,6 +191,10 @@ export const validateSlug = (slug: string): boolean | string => {
     return "Slug must be 48 characters or less";
   }
 
+  if (hasInjectionRiskChars(slug)) {
+    return "Slug cannot contain special characters like < > ' \" { } [ ] * ^ ! # %";
+  }
+
   if (!SLUG_REGEX.test(slug)) {
     return "Slug can only contain letters, numbers, hyphens, and underscores";
   }