Vet the codes that we accept

I think we also need to more aggressively vet the codes that we accept, e.g.,

• link
  • regx: /^[a-z0-9]{4}(?::[a-z0-9]+|-[a-z0-9]{4})?$/
  • e.g., zbac, dlg1, zupn:wall_street_journal, r2dl-sga1
• inst=
  • regx: /^[a-z0-9]{4}$/
• password=
  • regx: /^[a-zA-Z0-9]+/