diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 5a15d5729..276a3e716 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -19,7 +19,11 @@ class Users::SessionsController < Devise::SessionsController
   end
 
   def link_sent
-    @email = params[:email]
+    if Devise.email_regexp.match?(params[:email])
+      @email = params[:email]
+    else
+      redirect_to root_path
+    end
   end
 
   # DELETE /resource/sign_out
diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb
index e9ca9fcee..f1ddc88d5 100644
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
@@ -221,4 +221,22 @@ describe Users::SessionsController, type: :controller do
       it { is_expected.to be true }
     end
   end
+
+  describe '#link_sent' do
+    render_views
+
+    before { get :link_sent, params: { email: link_email } }
+
+    context 'when the email is legit' do
+      let(:link_email) { 'a@a.com' }
+
+      it { expect(response.body).to include(link_email) }
+    end
+
+    context 'when the email is evil' do
+      let(:link_email) { 'Hello, I am an evil email' }
+
+      it { expect(response).to redirect_to(root_path) }
+    end
+  end
 end
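Review bot: `Devise.email_regexp.match?(params[:email])` raises `TypeError` when the parameter is not a String — `?email[]=x` arrives as an Array and `?email[k]=v` as an `ActionController::Parameters` — so a malformed request now turns into a 500 instead of the redirect this change intends (unless something upstream rescues it), whereas the old code merely assigned the value. Coerce first and use a guard clause: `email = params[:email].to_s`, `return redirect_to(root_path) unless Devise.email_regexp.match?(email)`, `@email = email`. Note that Devise's default pattern (`/\A[^@\s]+@[^@\s]+\z/`, and it is configurable per app) still admits `<`, `>`, `"` and `'`, so this check filters junk but is not an XSS control; the view must keep rendering `@email` through ERB escaping rather than `raw`/`html_safe`, which I cannot confirm from this diff. A comment on the guard such as `# Reject anything that is not email-shaped; escaping @email is still the view's job` would stop the next reader from treating the regexp as the defence.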
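Review bot: The 'evil' example only covers a value with no `@` at all, so it never shows what happens to a value that passes `Devise.email_regexp` yet carries markup — the case that matters for how `@email` ends up in the rendered page. Add a context with `let(:link_email) { '<b>x</b>@a.com' }` and `it { expect(response.body).to include(ERB::Util.html_escape(link_email)).and not_to include(link_email) }`, which pins the view's escaping rather than the regexp. A 'missing email' context that calls `get :link_sent` with no params is also cheap and should redirect, since `Regexp#match?(nil)` is false. The legit example could additionally assert `expect(response).to have_http_status(:ok)` so it fails clearly if the action ever stops rendering.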