diff --git a/capsulflask/auth.py b/capsulflask/auth.py
index cda0942..53e31a6 100644
--- a/capsulflask/auth.py
+++ b/capsulflask/auth.py
@@ -71,6 +71,10 @@ def magiclink(token):
 session["account"] = email
 return redirect(url_for("console.index"))
 else:
+ # this is here to prevent xss
+ if not re.match(r"^[a-zA-Z0-9_-]+$", token):
+ token = '___________'
+
 abort(404, f"Token {token} doesn't exist or has already been used.")
 @bp.route("/logout")
diff --git a/capsulflask/console.py b/capsulflask/console.py
index 59797c0..5038ffb 100644
--- a/capsulflask/console.py
+++ b/capsulflask/console.py
@@ -45,6 +45,8 @@ def double_check_capsul_address(id, ipv4):
 def index():
 vms = get_vms()
 created = request.args.get('created')
+
+ # this is here to prevent xss
 if not re.match(r"^(cvm|capsul)-[a-z0-9]{10}$", created):
 created = '___________'
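Review bot: The new allowlist check only sanitises the token for display; the simpler and safer fix is to stop reflecting user input in the error page at all, `abort(404, "Token doesn't exist or has already been used.")`, which makes the regex and the `'___________'` placeholder unnecessary and also keeps submitted tokens out of error pages and logs. If the reflection is kept, note that `$` in `re.match` still accepts a trailing newline, so `re.fullmatch(r"[a-zA-Z0-9_-]+", token)` is the stricter form; the same applies to the `^...$` pattern on `created` in the console.py hunk. Whether the description is HTML-escaped depends on how this app renders `abort` descriptions, which is not visible here, so not echoing the value is the assumption that holds regardless. The `re` module must already be imported in auth.py for the added line to run; that import, and the `if` matching this `else`, are outside the hunk.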