diff --git a/acrobat/blocks/unity/unity.js b/acrobat/blocks/unity/unity.js
index 43e0edbb7..e8e67690e 100644
--- a/acrobat/blocks/unity/unity.js
+++ b/acrobat/blocks/unity/unity.js
@@ -98,6 +98,7 @@ function getUnityLibs(prodLibs = '/unitylibs') {
 if (!/\.hlx\.|\.aem\.|local|stage/.test(hostname)) return prodLibs;
 // eslint-disable-next-line compat/compat
 const branch = new URLSearchParams(search).get('unitylibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'main' && hostname === 'www.stage.adobe.com') return prodLibs;
 const env = hostname.includes('.aem.') ? 'aem' : 'hlx';
 return `https://${branch}${branch.includes('--') ? '' : '--unity--adobecom'}.${env}.live/unitylibs`;
diff --git a/acrobat/scripts/scripts.js b/acrobat/scripts/scripts.js
index 766dac357..5ace6402d 100644
--- a/acrobat/scripts/scripts.js
+++ b/acrobat/scripts/scripts.js
@@ -26,6 +26,7 @@ const setLibs = (prodLibs, location = window.location) => {
 if (!/\.hlx\.|\.aem\.|local|stage/.test(hostname)) return prodLibs;
 // eslint-disable-next-line compat/compat
 const branch = new URLSearchParams(search).get('milolibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'main' && hostname === 'www.stage.adobe.com') return '/libs';
 if (branch === 'local') return 'http://localhost:6456/libs';
 return `https://${branch}${branch.includes('--') ? '' : '--milo--adobecom'}.aem.live/libs`;
diff --git a/acrobat/scripts/utils.js b/acrobat/scripts/utils.js
index 5fd6692b5..21103791e 100644
--- a/acrobat/scripts/utils.js
+++ b/acrobat/scripts/utils.js
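Review bot: The new character check in getUnityLibs still lets the query string choose the origin: a value containing `--` passes `/^[a-zA-Z0-9_-]+$/` and is used verbatim as the subdomain, so the repo and owner segments are never tied to `adobecom`. If loading libraries from other projects under `.live` is not intended on stage and preview hosts, also require the suffix, e.g. `if (branch.includes('--') && !branch.endsWith('--unity--adobecom')) throw new Error('Invalid branch name.');`, or compare the owner segment with a short allowlist if fork testing has to keep working. The same gap is present in both setLibs hunks (scripts.js and utils.js, with `--milo--adobecom`) and in both head.html hunks. The opening lines of the function, where `hostname` and `search` are bound, are outside the hunk.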
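Review bot: Nothing in this hunk catches the new `throw`, so an invalid `milolibs` value would surface as an uncaught exception from setLibs instead of a page that loads the default libraries; whether a caller handles it is not visible here. If failing closed is not a requirement, falling back is just as safe because the rejected value never reaches the URL: `if (!/^[a-zA-Z0-9_-]+$/.test(branch)) return prodLibs;`. If the throw is deliberate, a short comment saying so would help the next reader. The other four hunks in this commit use the same throw.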
@@ -28,6 +28,7 @@ export const [setLibs, getLibs] = (() => {
 if (!/\.hlx\.|\.aem\.|local|stage/.test(hostname)) return prodLibs;
 // eslint-disable-next-line compat/compat
 const branch = new URLSearchParams(search).get('milolibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'main' && hostname === 'www.stage.adobe.com') return '/libs';
 if (branch === 'local') return 'http://localhost:6456/libs';
 return `https://${branch}${branch.includes('--') ? '' : '--milo--adobecom'}.aem.live/libs`;
diff --git a/head.html b/head.html
index 6318176a3..682c2bb2c 100644
--- a/head.html
+++ b/head.html
@@ -9,6 +9,7 @@
 const { hostname, search } = location;
 if (!/\.hlx\.|\.aem\.|local|stage/.test(hostname)) return prodLibs;
 const branch = new URLSearchParams(search).get('milolibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'main' && hostname === 'www.stage.adobe.com') return '/libs';
 if (branch === 'local') return 'http://localhost:6456/libs';
 const env = hostname.includes('.hlx.') ? 'hlx' : 'aem';
@@ -19,6 +20,7 @@
 const { hostname, search } = window.location;
 if (!/\.hlx\.|\.aem\.|local|stage/.test(hostname)) return prodLibs;
 const branch = new URLSearchParams(search).get('unitylibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'main' && hostname === 'www.stage.adobe.com') return prodLibs;
 const env = hostname.includes('.hlx.') ? 'hlx' : 'aem';
 return `https://${branch}${branch.includes('--')? '' : '--unity--adobecom'}.${env}.live/unitylibs`;
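Review bot: The check added to setLibs in utils.js has no comment, and the same regex literal now appears five times across this commit. A one-line comment would record the intent, e.g. `// branch becomes a hostname label; restrict it so the query string cannot alter the host or path`. Where modules can share code (scripts.js and this file both define setLibs), a single named constant such as `const BRANCH_NAME_RE = /^[a-zA-Z0-9_-]+$/;` would keep the copies from drifting, while the inline script in head.html would still need its own copy. The enclosing IIFE starts and ends outside the hunk.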