diff --git a/src/Utilities.ts b/src/Utilities.ts
index ee6532b..9f1dacf 100644
--- a/src/Utilities.ts
+++ b/src/Utilities.ts
@@ -28,6 +28,8 @@ export const FileListSchema = avsc.Type.forSchema({
 },
 });
 
+const bannedCharacters = /[&<>\"'\r\n]/g;
+
 export class Utilities {
 public static isRunningInDocker(): boolean {
 return process.env.IS_IN_DOCKER === 'true';
@@ -548,4 +550,13 @@ export class Utilities {
 return new Date(Date.now() + after * 365 * 24 * 60 * 60 * 1000);
 }
 }
+
+ public static checkName(name: string | null): boolean {
+ if (!name) return true;
+ return !bannedCharacters.test(name);
+ };
+
+ public static checkNameRule(name: string): boolean | string {
+ return bannedCharacters.test(name) ? '名称不能包含特殊字符' : true;
+ }
 }
\ No newline at end of file
diff --git a/src/routes/ApiClusters.ts b/src/routes/ApiClusters.ts
index cecf977..145b689 100644
--- a/src/routes/ApiClusters.ts
+++ b/src/routes/ApiClusters.ts
@@ -85,9 +85,15 @@ export class ApiClusters {
 const bandwidth = Number(req.body.bandwidth || 0);
 if (Number.isNaN(bandwidth) || bandwidth <= 10 || bandwidth > 500) {
 res.status(400).json({ error: "Invalid bandwidth" });
+ return;
 }
 if (name.length < 1 || name.length > 20 || name === "") {
 res.status(400).json({ error: "Invalid name" });
+ return;
+ }
+ if (!Utilities.checkName(name)) {
+ res.status(400).json({ error: "Name cannot contain special characters" });
+ return;
 }
 let cluster = new ClusterEntity();
@@ -129,6 +135,11 @@ export class ApiClusters {
 const isProxy = Boolean(req.body.isProxy) || false;
 const isMasterStats = Boolean(req.body.isMasterStats) || false;
 
+ if (!Utilities.checkName(clusterName) || !Utilities.checkName(sponsor) || !Utilities.checkName(sponsorUrl) || !Utilities.checkName(sponsorBanner)) {
+ res.status(400).json({ error: "Cannot contain special characters" });
+ return;
+ }
+
 const cluster = inst.clusters.find(c => c.clusterId === clusterId);
 if (!cluster) {
 res.status(404).send(); // 集群不存在 
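Review bot: The `g` flag on the new `bannedCharacters` regex makes `RegExp.prototype.test` stateful and lets the denylist be bypassed: after a match, `lastIndex` is left at the match position, and the next `.test()` call on a different string starts scanning from there, e.g. `test('ab<')` followed by `test('<x')` returns false because scanning begins at index 3, which is past the end, and only then is `lastIndex` reset. The regex is module-level and shared by every request through `checkName` and `checkNameRule`, so one rejected request can let the next one through with a banned character. Drop the flag: `const bannedCharacters = /[&<>"'\r\n]/;` (the `\"` escape is also redundant inside a character class). If a global regex is ever required, reset `bannedCharacters.lastIndex = 0` before each test, or use `name.search(bannedCharacters) !== -1`, which ignores `lastIndex`.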
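Review bot: `checkName` enforces its `string | null` parameter only at compile time; the callers added in this commit pass `req.body.* as string`, which is a cast rather than a runtime check, so a JSON object in the body reaches `bannedCharacters.test`, which stringifies it to `[object Object]` and passes. Add a runtime guard after the empty-value case, `if (typeof name !== 'string') return false;`, so non-string payloads are rejected instead of coerced. The method also ends with a stray `};` after its closing brace, which TypeScript accepts as an empty class element but which should be removed. Both methods are public on `Utilities` and should carry TSDoc stating the contract: `checkName` treats `null`/`undefined`/empty as valid (the fields are optional) and rejects any string containing `&`, `<`, `>`, `"`, `'`, CR or LF, while `checkNameRule` returns `true` or a user-facing message and looks intended for a form validator — confirm; both comments should say this is an input denylist, not HTML escaping, so values must still be encoded when rendered.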
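Review bot: Applying the name denylist to `sponsorUrl` and `sponsorBanner` is the wrong check for URL-valued fields: `&` is the query-string separator, so any sponsor link with more than one parameter is rejected, while the denylist does nothing about `javascript:` or `data:` schemes, which are the actual injection vector if these values are later placed in an `href` or `src` (where they are rendered is outside this diff — confirm). Validate them as URLs instead, for each non-empty URL field: `try { if (!['http:', 'https:'].includes(new URL(sponsorUrl).protocol)) throw 0; } catch { res.status(400).json({ error: "Invalid URL" }); return; }`, and keep `checkName` for `clusterName` and `sponsor` only. Rejecting `<>&"'` on input is also not a substitute for escaping on output; the rendering layer still has to encode these values. The enclosing handler starts before and ends after this hunk.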
diff --git a/src/routes/ApiUser.ts b/src/routes/ApiUser.ts
index 9ea50e0..e6a84d9 100644
--- a/src/routes/ApiUser.ts
+++ b/src/routes/ApiUser.ts
@@ -126,6 +126,11 @@ export class ApiUser {
 const sponsorUrl = req.body.sponsorUrl as string || null;
 const sponsorBanner = req.body.sponsorBanner as string || null;
 
+ if (!Utilities.checkName(name) || !Utilities.checkName(sponsor) || !Utilities.checkName(sponsorUrl) || !Utilities.checkName(sponsorBanner)) {
+ res.status(400).json({ error: "Cannot contain special characters" });
+ return;
+ }
+
 if (bandwidth !== null && (Number.isNaN(bandwidth) || bandwidth < 10 || bandwidth > 500)) {
 res.status(400).send({ message: 'Invalid bandwidth' });
 return;
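Review bot: The new rejection answers with `res.status(400).json({ error: ... })` while the bandwidth check directly below it in the same handler answers with `res.status(400).send({ message: 'Invalid bandwidth' })`, so clients of this endpoint get two different error shapes for the same status; since the existing handler uses `{ message }`, the new line should follow it, `res.status(400).send({ message: 'Cannot contain special characters' });`, unless the whole handler is migrated to the `{ error }` form used by ApiClusters in this diff. The caveats from ApiClusters apply here too: `sponsorUrl` and `sponsorBanner` are URL fields where `&` is legitimate and the denylist does not block `javascript:` schemes, so they should be validated with `new URL()` and an `http:`/`https:` allowlist rather than `checkName`, and `as string` on the two lines above is not a runtime check, so a non-string body value is stringified by the regex rather than rejected. `name` and `sponsor` are defined before this hunk and the handler continues after it.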