diff --git a/server/helpers/security.js b/server/helpers/security.js
index bb73d2d8..c82b30ed 100644
--- a/server/helpers/security.js
+++ b/server/helpers/security.js
@@ -1,7 +1,15 @@
 'use strict'
 
+/* global appdata, appconfig */
+
+const _ = require('lodash')
+
 module.exports = {
   sanitizeCommitUser (user) {
-
+    let wlist = new RegExp('(?!([^a-zA-Z0-9-_.\',& ]|' + appdata.regex.cjk.source + '))', 'g')
+    return {
+      name: _.chain(user.name).replace(wlist, '').trim().value(),
+      email: appconfig.git.showUserEmail ? user.email : appconfig.git.serverEmail
+    }
   }
 }
diff --git a/server/libs/git.js b/server/libs/git.js
index 72223855..66809bcf 100644
--- a/server/libs/git.js
+++ b/server/libs/git.js
@@ -7,6 +7,8 @@ const fs = Promise.promisifyAll(require('fs'))
 const _ = require('lodash')
 const URL = require('url')
 
+const securityHelper = require('../helpers/security')
+
 /**
  * Git Model
  */
@@ -207,7 +209,8 @@ module.exports = {
       commitMsg = (isTracked) ? 'Updated ' + gitFilePath : 'Added ' + gitFilePath
       return self._git.add(gitFilePath)
     }).then(() => {
-      return self._git.exec('commit', ['-m', commitMsg, '--author="' + author.name + ' <' + author.email + '>"']).catch((err) => {
+      let commitUsr = securityHelper.sanitizeCommitUser(author)
+      return self._git.exec('commit', ['-m', commitMsg, '--author="' + commitUsr.name + ' <' + commitUsr.email + '>"']).catch((err) => {
         if (_.includes(err.stdout, 'nothing to commit')) { return true }
       })
     })
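Review bot: The whitelist regex in sanitizeCommitUser removes nothing: `(?!(...))` is a zero-width negative lookahead, so every match is the empty string and `replace(wlist, '')` hands the name back unchanged, angle brackets, quotes and control characters included. The pattern has to consume the offending character, e.g. `let wlist = new RegExp('(?!' + appdata.regex.cjk.source + ')[^a-zA-Z0-9-_.\',& ]', 'g')`, which drops any character that is neither in the ASCII whitelist nor the start of a CJK match (this assumes `appdata.regex.cjk` matches a single character, which the hunk does not show; if it is itself a character class, folding it into the class is simpler). A comment stating the intent would also help, e.g. `// strip every character outside the ASCII whitelist or the CJK range before it reaches --author`. Note that the email branch passes `user.email` through untouched when `showUserEmail` is set, so the same check should apply to it before it is spliced into the author identity.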
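Review bot: The `--author` argument still carries literal double quotes around the identity (`'--author="' + commitUsr.name + ' <' + commitUsr.email + '>"'`); since `self._git.exec` receives an argv array rather than a shell string, git gets those quotes verbatim and, as far as I can tell, treats the leading one as part of the author name. Dropping them, `'--author=' + commitUsr.name + ' <' + commitUsr.email + '>'`, gives git the plain `Name <email>` form the sanitizer is meant to produce. Prefer `const commitUsr` since it is never reassigned. The enclosing `.then` chain and the function it belongs to start and end outside the hunk.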