diff --git a/www/common/common-hash.js b/www/common/common-hash.js
index afdecbf57..cf3ca76a4 100644
--- a/www/common/common-hash.js
+++ b/www/common/common-hash.js
@@ -644,6 +644,10 @@ Version 4: Data URL when not a realtime link yet (new pad or "static" app)
             '/' + curvePublic.replace(/\//g, '-') + '/';
     };
 
+    Hash.isValidChannel = function (channelId) {
+        return /^[a-zA-Z0-9]{32,48}$/.test(channelId);
+    };
+
     Hash.isValidHref = function (href) {
         // Non-empty href?
         if (!href) { return; }
diff --git a/www/common/outer/async-store.js b/www/common/outer/async-store.js
index 629b10bc0..8ca1e741c 100644
--- a/www/common/outer/async-store.js
+++ b/www/common/outer/async-store.js
@@ -1661,6 +1661,9 @@ define([
             if (data.versionHash) {
                 return void getVersionHash(clientId, data);
             }
+            if (!Hash.isValidChannel(data.channel)) {
+                return void postMessage(clientId, "PAD_ERROR", 'INVALID_CHAN');
+            }
             var isNew = typeof channels[data.channel] === "undefined";
             var channel = channels[data.channel] = channels[data.channel] || {
                 queue: [],
@@ -2043,6 +2046,10 @@ define([
             if (store.offline || !store.anon_rpc) { return void cb({ error: 'OFFLINE' }); }
             if (!data.channel) { return void cb({ error: 'ENOTFOUND'}); }
             if (data.channel.length !== 32) { return void cb({ error: 'EINVAL'}); }
+            if (!Hash.isValidChannel(data.channel)) {
+                Feedback.send('METADATA_INVALID_CHAN');
+                return void cb({ error: 'EINVAL' });
+            }
             store.anon_rpc.send('GET_METADATA', data.channel, function (err, obj) {
                 if (err) { return void cb({error: err}); }
                 var metadata = (obj && obj[0]) || {};
diff --git a/www/common/outer/userObject.js b/www/common/outer/userObject.js
index 3bd016585..b1d92b54c 100644
--- a/www/common/outer/userObject.js
+++ b/www/common/outer/userObject.js
@@ -829,6 +829,11 @@ define([
                             console.error(e);
                         }
                     }
+                    if (!Hash.isValidChannel(el.channel)) {
+                        // XXX delete channel?
+                        console.error('Remove invalid channel', el.channel, el);
+                        // toClean.push(id);
+                    }
 
                     if ((loggedIn || config.testMode) && rootFiles.indexOf(id) === -1) {
                         debug("An element in filesData was not in ROOT, TEMPLATE or TRASH.", id, el);