makeplane · sangeethailango · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/apps/api/plane/api/serializers/project.py b/apps/api/plane/api/serializers/project.py
@@ -2,6 +2,10 @@
 import random
 from rest_framework import serializers
 
+
+# Python imports
+import re
+
 # Module imports
 from plane.db.models import Project, ProjectIdentifier, WorkspaceMember, State, Estimate
 
@@ -97,6 +101,15 @@ class Meta:
         ]
 
     def validate(self, data):
+        project_name = data.get("name", None)
+        project_identifier = data.get("identifier", None)
+
+        if project_name is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_name):
+            raise serializers.ValidationError("Project name cannot contain special characters.")
+
+        if project_identifier is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_identifier):
+            raise serializers.ValidationError("Project identifier cannot contain special characters.")
+
         if data.get("project_lead", None) is not None:
             # Check if the project lead is a member of the workspace
             if not WorkspaceMember.objects.filter(
@@ -156,6 +169,15 @@ class Meta(ProjectCreateSerializer.Meta):
         read_only_fields = ProjectCreateSerializer.Meta.read_only_fields
 
     def update(self, instance, validated_data):
+        project_name = validated_data.get("name", None)
+        project_identifier = validated_data.get("identifier", None)
+
+        if project_name is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_name):
+            raise serializers.ValidationError("Project name cannot contain special characters.")
+
+        if project_identifier is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_identifier):
+            raise serializers.ValidationError("Project identifier cannot contain special characters.")
+
         """Update a project"""
         if (
             validated_data.get("default_state", None) is not None
@@ -206,6 +228,15 @@ class Meta:
         ]
 
     def validate(self, data):
+        project_name = data.get("name", None)
+        project_identifier = data.get("identifier", None)
+
+        if project_name is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_name):
+            raise serializers.ValidationError("Project name cannot contain special characters.")
+
+        if project_identifier is not None and re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, project_identifier):
+            raise serializers.ValidationError("Project identifier cannot contain special characters.")
+
         # Check project lead should be a member of the workspace
         if (
             data.get("project_lead", None) is not None

diff --git a/apps/api/plane/app/serializers/project.py b/apps/api/plane/app/serializers/project.py
@@ -1,6 +1,9 @@
 # Third party imports
 from rest_framework import serializers
 
+# Python imports
+import re
+
 # Module imports
 from .base import BaseSerializer, DynamicBaseSerializer
 from django.db.models import Max
@@ -33,6 +36,9 @@ def validate_name(self, name):
         project_id = self.instance.id if self.instance else None
         workspace_id = self.context["workspace_id"]
 
+        if re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, name):
+            raise serializers.ValidationError(detail="PROJECT_NAME_CANNOT_CONTAIN_SPECIAL_CHARACTERS")
+
         project = Project.objects.filter(name=name, workspace_id=workspace_id)
 
         if project_id:
@@ -49,6 +55,9 @@ def validate_identifier(self, identifier):
         project_id = self.instance.id if self.instance else None
         workspace_id = self.context["workspace_id"]
 
+        if re.match(Project.FORBIDDEN_IDENTIFIER_CHARS_PATTERN, identifier):
+            raise serializers.ValidationError(detail="PROJECT_IDENTIFIER_CANNOT_CONTAIN_SPECIAL_CHARACTERS")
+
         project = Project.objects.filter(identifier=identifier, workspace_id=workspace_id)
 
         if project_id:

diff --git a/apps/api/plane/db/models/project.py b/apps/api/plane/db/models/project.py
@@ -136,6 +136,8 @@ def __str__(self):
         """Return name of the project"""
         return f"{self.name} <{self.workspace.name}>"
 
+    FORBIDDEN_IDENTIFIER_CHARS_PATTERN = r"^.*[&+,:;$^}{*=?@#|'<>.()%!-].*$"
+
     class Meta:
         unique_together = [
             ["identifier", "workspace", "deleted_at"],