diff --git a/Scripts/GitScript.php b/Scripts/GitScript.php
index 4daf3bf..466eea4 100644
--- a/Scripts/GitScript.php
+++ b/Scripts/GitScript.php
@@ -16,14 +16,24 @@ public static function setGerritPushUrl(Event $event)
 {
 $arguments = self::getArguments($event->getArguments());
+ // Validate username
+ $validator = function ($value) {
+ if (!preg_match('/^[a-zA-Z0-9_-]*$/', trim($value))) {
+ throw new \UnexpectedValueException('Invalid username "' . $value . '"');
+ }
+
+ return trim($value)."\n";
+ };
+
 if ($arguments['username'] ?? false) {
 $typo3AccountUsername = $arguments['username'];
+ $validator($typo3AccountUsername);
 } else {
- $typo3AccountUsername = $event->getIO()->askAndValidate('What is your TYPO3/Gerrit Account Username? ', '', 2);
+ $typo3AccountUsername = $event->getIO()->askAndValidate('What is your TYPO3/Gerrit Account Username? ', $validator, 2);
 }
 if (!empty($typo3AccountUsername)) {
- $pushUrl = '"ssh://' . $typo3AccountUsername . '@review.typo3.org:29418/Packages/TYPO3.CMS.git"';
+ $pushUrl = '"ssh://' . trim($typo3AccountUsername) . '@review.typo3.org:29418/Packages/TYPO3.CMS.git"';
 $process = new ProcessExecutor();
 $command = 'git config remote.origin.pushurl ' . $pushUrl;
 $status = $process->execute($command, $output, self::$coreDevFolder);
diff --git a/Scripts/InitializeScript.php b/Scripts/InitializeScript.php
index 79f5b9c..034ddc3 100644
--- a/Scripts/InitializeScript.php
+++ b/Scripts/InitializeScript.php
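Review bot: The validator closure added to setGerritPushUrl accepts an empty answer (the pattern ends in `*`) and returns `trim($value)."\n"`, so, assuming askAndValidate hands back the validator's result, an empty reply arrives as `"\n"`, passes the `!empty($typo3AccountUsername)` guard and a push URL without a user part is configured. Returning the value without the newline, `return trim($value);`, keeps an empty reply empty and makes the extra `trim()` in the `$pushUrl` line unnecessary for that path. The character class also admits a name that starts with `-`; since the value is concatenated into a shell command string, requiring an alphanumeric first character would be a tighter allow-list. The createDdevConfig hunk in Scripts/InitializeScript.php adds the same closure in front of the same kind of `!empty` check. setGerritPushUrl's body continues past the end of the hunk.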
@@ -101,7 +101,16 @@ public static function createDdevConfig(Event $event)
 $answer = $event->getIO()->askConfirmation('Create a basic ddev config? [y/n] ', false);
 if ($answer) {
- $ddevProjectName = $event->getIO()->askAndValidate('What should be the ddev projects name? ', '', 2);
+ // Validate ddev project name
+ $validator = function ($value) {
+ if (!preg_match('/^[a-zA-Z0-9_-]*$/', trim($value))) {
+ throw new \UnexpectedValueException('Invalid ddev project name "' . $value . '"');
+ }
+
+ return trim($value)."\n";
+ };
+
+ $ddevProjectName = $event->getIO()->askAndValidate('What should be the ddev projects name? ', $validator, 2);
 if (!empty($ddevProjectName)) {
 $configYaml = <<