in ms-edit.php, illegal_names gets updated without the slightest validation

[Denis-de-Bernardy]

it just goes:

		$illegal_names = split( ' ', $_POST['illegal_names'] );
		foreach( (array) $illegal_names as $name ) {
			$name = trim( $name );
			if( $name != '' )
				$names[] = trim( $name );
		}
		update_site_option( "illegal_names", $names );

aren't we missing at least some sanitization here?

also, $names should be initialized to array()

[Denis-de-Bernardy]

the same holds for limited_email_domains

[Denis-de-Bernardy]

and banned_email_domains, and default_user_role, etc.

default_user_role should additionally check that the default role doesn't have exotic caps (see #6566)

[wpmuguru]

(In [13447]) sanitize domains in ms-options, fixes #11775

[mdawaffe]

This change breaks is_email_address_unsafe()'s ability to handle domains specified via regex.

Previously, you could add a banned domain like:

/^bar[.]com$/

so that email addresses from foobar.com wouldn't get blacklisted. Now, that domain is treated as illegal input and is stripped.

Sanitizing regex is a pain. Suggested solution at #21570.