diff --git a/app/forms/concerns/decidim/friendly_signup/registration_form_override.rb b/app/forms/concerns/decidim/friendly_signup/registration_form_override.rb
new file mode 100644
index 0000000..6f40707
--- /dev/null
+++ b/app/forms/concerns/decidim/friendly_signup/registration_form_override.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module FriendlySignup
+    class RegistrationFormOverride < Decidim::RegistrationForm
+      validate :no_special_characters_in_email
+
+      private
+
+      EMAIL_REGEX = /\A[^<>"']+@[a-zA-Z0-9\-.]+\.[a-zA-Z]{2,}/
+
+      def no_special_characters_in_email
+        errors.add(:email, :invalid) if email =~ EMAIL_REGEX
+      end
+    end
+  end
+end
diff --git a/spec/forms/registration_form_spec.rb b/spec/forms/registration_form_spec.rb
index b720bd7..7e04b20 100644
--- a/spec/forms/registration_form_spec.rb
+++ b/spec/forms/registration_form_spec.rb
@@ -74,5 +74,17 @@ module Decidim
         end
       end
     end
+
+    context "when email contains a script tag" do
+      let(:email) { "@example.org" }
+
+      it { is_expected.to be_invalid }
+
+      context "when email contains invalid characters" do
+        let(:email) { 'user"@example.org' }
+
+        it { is_expected.to be_invalid }
+      end
+    end
   end
 end
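Review bot: The condition in `no_special_characters_in_email` looks inverted: `EMAIL_REGEX` describes a well-formed address (a local part free of `<>"'`, an `@`, a domain and a TLD), so `errors.add(:email, :invalid) if email =~ EMAIL_REGEX` rejects exactly the addresses that pass the pattern and lets everything else through; unless that is intended it should read `errors.add(:email, :invalid) unless email.to_s.match?(EMAIL_REGEX)` (the `to_s` keeps a nil email from raising once `match?` replaces `=~`). The pattern is also anchored only at the start, so a trailing payload after the TLD still matches; end the regex with `\z`, i.e. `EMAIL_REGEX = /\A[^<>"']+@[a-zA-Z0-9\-.]+\.[a-zA-Z]{2,}\z/`. Finally, `private` does not apply to constants, so `EMAIL_REGEX` stays public on the class; declare it before `private` and add `private_constant :EMAIL_REGEX` if it is meant to be internal, and a one-line comment stating that the regex is a whitelist of acceptable shapes rather than a blacklist of characters would prevent the next reader from repeating the inversion.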
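Review bot: The "when email contains a script tag" context sets `let(:email) { "@example.org" }`, which contains no tag at all, so the example name and its value disagree and the markup-containing fixture seems to have been lost; restore an address whose local part actually carries angle brackets (for example a placeholder such as `"<TAG>@example.org"`) so the case exercises what its description claims. Neither fixture in this hunk matches the override's `EMAIL_REGEX` as written (the first has nothing before the `@`, the second has a `"` in the local part), so both examples presumably pass on the base form's own validation rather than on the new check, and the hunk adds no case with a plain valid address that would expose the override's inverted condition; adding `context "when email is valid" do let(:email) { "user@example.org" }; it { is_expected.to be_valid } end` would pin that. The "invalid characters" context is also nested inside the "script tag" context although it shares nothing with it; the two should be siblings.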