diff --git a/inc/auth/plain.class.php b/inc/auth/plain.class.php
index d3df1c0ddab1531938e98a3f7c36b7b4c67a227e..87b423b1608526bd6e5bdae0d4d03bfb1a457869 100644
--- a/inc/auth/plain.class.php
+++ b/inc/auth/plain.class.php
@@ -17,6 +17,10 @@ if(isset($_REQUEST['u']))
 $_REQUEST['u'] = cleanID($_REQUEST['u']);
 if(isset($_REQUEST['acl_user']))
 $_REQUEST['acl_user'] = cleanID($_REQUEST['acl_user']);
+// the same goes for password reset requests
+if(isset($_POST['login'])){
+ $_POST['login'] = cleanID($_POST['login']);
+}
 class auth_plain extends auth_basic {
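Review bot: The added block normalises only `$_POST['login']`, while the two checks above it rewrite `$_REQUEST`. PHP builds `$_REQUEST` as a separate array, so any code that reads `$_REQUEST['login']` would still receive the uncleaned name. The password-reset handler is not visible in this hunk, so confirm which superglobal it reads. If it may use either, add `if(isset($_REQUEST['login'])) $_REQUEST['login'] = cleanID($_REQUEST['login']);` next to the new check. This cleaning also runs only as a side effect of including this file, and the new block assumes `login` is a string (a `login[]=` parameter arrives as an array), so a short comment stating both assumptions would help the next reader.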