diff --git src/wp-admin/includes/user.php src/wp-admin/includes/user.php
index b61cb7a..cb592c3 100644
--- src/wp-admin/includes/user.php
+++ src/wp-admin/includes/user.php
@@ -63,7 +63,7 @@ function edit_user( $user_id = 0 ) {
 	}
 
 	if ( isset( $_POST['email'] ))
-		$user->user_email = sanitize_text_field( $_POST['email'] );
+		$user->user_email = sanitize_text_field( stripslashes( $_POST['email'] ) );
 	if ( isset( $_POST['url'] ) ) {
 		if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
 			$user->user_url = '';
diff --git src/wp-admin/network/user-new.php src/wp-admin/network/user-new.php
index 0f3ad1f..821c110 100644
--- src/wp-admin/network/user-new.php
+++ src/wp-admin/network/user-new.php
@@ -38,14 +38,14 @@ if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
 	if ( ! is_array( $_POST['user'] ) )
 		wp_die( __( 'Cannot create an empty user.' ) );
 
-	$user = $_POST['user'];
+	$user = stripslashes_deep( $_POST['user'] );
 
 	$user_details = wpmu_validate_user_signup( $user['username'], $user['email'] );
 	if ( is_wp_error( $user_details[ 'errors' ] ) && ! empty( $user_details[ 'errors' ]->errors ) ) {
 		$add_user_errors = $user_details[ 'errors' ];
 	} else {
 		$password = wp_generate_password( 12, false);
-		$user_id = wpmu_create_user( esc_html( strtolower( $user['username'] ) ), $password, esc_html( $user['email'] ) );
+		$user_id = wpmu_create_user( esc_html( strtolower( $user['username'] ) ), $password, esc_email( $user['email'] ) );
 
 		if ( ! $user_id ) {
 	 		$add_user_errors = new WP_Error( 'add_user_fail', __( 'Cannot add user.' ) );
diff --git src/wp-admin/user-new.php src/wp-admin/user-new.php
index c544dd4..bd1c0fe 100644
--- src/wp-admin/user-new.php
+++ src/wp-admin/user-new.php
@@ -41,11 +41,12 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
 	check_admin_referer( 'add-user', '_wpnonce_add-user' );
 
 	$user_details = null;
-	if ( false !== strpos($_REQUEST[ 'email' ], '@') ) {
-		$user_details = get_user_by('email', $_REQUEST[ 'email' ]);
+	$user_email = stripslashes( $_REQUEST['email'] );
+	if ( false !== strpos( $user_email, '@' ) ) {
+		$user_details = get_user_by( 'email', $user_email );
 	} else {
 		if ( is_super_admin() ) {
-			$user_details = get_user_by('login', $_REQUEST[ 'email' ]);
+			$user_details = get_user_by( 'login', $user_email );
 		} else {
 			wp_redirect( add_query_arg( array('update' => 'enter_email'), 'user-new.php' ) );
 			die();
@@ -112,7 +113,8 @@ Please click the following link to confirm the invite:
 		}
 	} else {
 		// Adding a new user to this site
-		$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $_REQUEST[ 'email' ] );
+		$new_user_email = stripslashes( $_REQUEST['email'] );
+		$user_details = wpmu_validate_user_signup( $_REQUEST[ 'user_login' ], $new_user_email );
 		if ( is_wp_error( $user_details[ 'errors' ] ) && !empty( $user_details[ 'errors' ]->errors ) ) {
 			$add_user_errors = $user_details[ 'errors' ];
 		} else {
@@ -127,9 +129,9 @@ Please click the following link to confirm the invite:
 			if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
 				add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
 			}
-			wpmu_signup_user( $new_user_login, $_REQUEST[ 'email' ], array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
+			wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST[ 'role' ] ) );
 			if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
-				$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $_REQUEST[ 'email' ] ) );
+				$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
 				wpmu_activate_signup( $key );
 				$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
 			} else {
diff --git src/wp-includes/formatting.php src/wp-includes/formatting.php
index 58b4f9d..f4055f6 100644
--- src/wp-includes/formatting.php
+++ src/wp-includes/formatting.php
@@ -2749,6 +2749,31 @@ function esc_textarea( $text ) {
 }
 
 /**
+ * Escape an email address
+ *
+ * This works just like esc_html(), except that single quotes are permitted
+ *
+ * @since 3.7.0
+ *
+ * @param string $email The email address to be escaped
+ * @return string The escaped email
+ */
+function esc_email( $email ) {
+	$safe_email = wp_check_invalid_utf8( $email );
+	$safe_email = _wp_specialchars( $safe_email, ENT_COMPAT );
+
+	/**
+	 * Filter an escaped email address.
+	 *
+	 * @since 3.7.0
+	 *
+	 * @param string $safe_email The email, as escaped by esc_email().
+	 * @param string $email The raw email, as passed to esc_email().
+	 */
+	return apply_filters( 'esc_email', $safe_email, $email );
+}
+
+/**
  * Escape an HTML tag name.
  *
  * @since 2.5.0
diff --git tests/phpunit/tests/formatting/EscEmail.php tests/phpunit/tests/formatting/EscEmail.php
new file mode 100644
index 0000000..9ab5d22
--- /dev/null
+++ tests/phpunit/tests/formatting/EscEmail.php
@@ -0,0 +1,11 @@
+<?php
+
+/**
+ * @group formatting
+ */
+class Tests_Formatting_EscEmail extends WP_UnitTestCase {
+	function test_esc_email_allows_apostrophes() {
+		$email = "foo'bar@baz.com";
+		$this->assertEquals( esc_email( $email ), $email );
+	}
+}