diff --git a/app/models/user.rb b/app/models/user.rb
index c75911ceeba..7ef61bf64e8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -99,7 +99,7 @@ class User < ApplicationRecord
   accepts_nested_attributes_for :invite_request, reject_if: ->(attributes) { attributes['text'].blank? && !Setting.require_invite_text }
   validates :invite_request, presence: true, on: :create, if: :invite_text_required?
 
-  validates :email, presence: true, email_address: true
+  validates :email, presence: true, email_address: true, length: { maximum: 320 }
   validates_with UserEmailValidator, if: -> { ENV['EMAIL_DOMAIN_LISTS_APPLY_AFTER_CONFIRMATION'] == 'true' || !confirmed? }
   validates_with EmailMxValidator, if: :validate_email_dns?
 
diff --git a/app/validators/email_address_validator.rb b/app/validators/email_address_validator.rb
index ed0bb116524..7cc303a6369 100644
--- a/app/validators/email_address_validator.rb
+++ b/app/validators/email_address_validator.rb
@@ -11,8 +11,14 @@ class EmailAddressValidator < ActiveModel::EachValidator
     value = value.strip
     address = Mail::Address.new(value)
 
-    record.errors.add(attribute, :invalid) if address.address != value
+    record.errors.add(attribute, :invalid) if address.address != value || contains_disallowed_characters?(value)
   rescue Mail::Field::FieldError
     record.errors.add(attribute, :invalid)
   end
+
+  private
+
+  def contains_disallowed_characters?(value)
+    value.include?('%') || value.include?(',') || value.include?('"')
+  end
 end
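Review bot: The new `length: { maximum: 320 }` on the `validates :email` line does not stop the validators on the two following lines from running — ActiveModel runs every validator and accumulates errors, so an oversized value presumably still reaches `EmailMxValidator` and whatever DNS lookup it performs unless `validate_email_dns?` (defined outside this hunk) already consults `errors[:email]`. If part of the intent is to bound what gets parsed and resolved, gate the MX validation on the attribute being clean so far, which works here because the length check is declared first: `validates_with EmailMxValidator, if: -> { validate_email_dns? && errors[:email].empty? }`. The constant also deserves a why-comment, since 320 is the 64 + 1 + 255 local-part/domain figure from RFC 5321 rather than the 254-octet deliverable maximum, and Rails `length` counts characters, not octets: `# 64 local part + "@" + 255 domain (RFC 5321) — a generous sanity cap, not an RFC-validity check`. The `User` class body continues outside this hunk.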
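Review bot: The three characters rejected in `contains_disallowed_characters?` come with no explanation, so a reader cannot tell why `%`, `,` and `"` must fail an address that `Mail::Address` has already parsed and round-tripped on the `address.address != value` line. Presumably `%` is the percent-hack source-routing form, `,` an address list and `"` a quoted local part; that rationale belongs next to the list, and the three `include?` calls read better as one pattern: `DISALLOWED_CHARACTERS = /[%,"]/` at class level, `value.match?(DISALLOWED_CHARACTERS)` in the helper, and above the constant `# Syntactically valid but operationally risky forms: percent-hack routing (%), address lists (,), quoted local parts (")`. A denylist of three characters is inherently a judgement call, so the comment should also say it is deliberately narrow and that the round-trip comparison remains the primary check. The method this hunk edits (presumably `validate_each`) begins above the hunk, so whether `value` can be `nil` at the `value.strip` line is not visible here.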