From 183dcf93a87065e976971d0d5c33565f7b7d2553 Mon Sep 17 00:00:00 2001
From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>
Date: Fri, 28 Apr 2023 12:03:03 +0200
Subject: [PATCH] General: Add support for unicode email addresses in is_email
 and sanitize_email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds support for the unicode address extensions in RFC 6530-3 and
refactors the code so there are fewer long regexes and less duplication
between sanitize_email and is_email. A new class, WP_Email_Address,
provides the shared parts.

Opting out of unicode support is easy, default-filters.php adds
unicode support by adding filters, which can be removed.

sanitize_email no longer does major changes like removing an entire
subdomain from someone's address, it only cleans up things like soft
hyphens and whitespace — changes that happen when coping an email
address from text.

During testing, it became clear that antispambot() worked only for strings
using a single-byte encoding, while this uses UTF8. Fixed.

Fixes #31992.

Props SirLouen, dmsnell, tusharbharti,  mukeshpanchal27, akirk.
---
 src/wp-includes/class-wp-email-address.php    | 246 ++++++++++++++
 src/wp-includes/default-filters.php           |  11 +
 src/wp-includes/formatting.php                | 295 ++++++++---------
 src/wp-settings.php                           |   1 +
 tests/phpunit/tests/auth.php                  |   2 +-
 .../phpunit/tests/formatting/antispambot.php  |   3 +
 tests/phpunit/tests/formatting/isEmail.php    |   7 +-
 .../tests/formatting/sanitizeEmail.php        |  26 +-
 .../tests/privacy/wpCreateUserRequest.php     |   5 +-
 .../rest-api/rest-comments-controller.php     |   4 +-
 .../tests/wp-email-address/wpEmailAddress.php | 304 ++++++++++++++++++
 11 files changed, 726 insertions(+), 178 deletions(-)
 create mode 100644 src/wp-includes/class-wp-email-address.php
 create mode 100644 tests/phpunit/tests/wp-email-address/wpEmailAddress.php

diff --git a/src/wp-includes/class-wp-email-address.php b/src/wp-includes/class-wp-email-address.php
new file mode 100644
index 0000000000000..5c46a53b5f3aa
--- /dev/null
+++ b/src/wp-includes/class-wp-email-address.php
@@ -0,0 +1,246 @@
+<?php
+/**
+ * Class 'WP_Email_Address'.
+ *
+ * @package WordPress
+ * @since 7.0.0
+ */
+
+/**
+ * Represents a validated email address. The address may or may not be deliverable.
+ *
+ * Use the static factory method {@see WP_Email_Address::from_string()} to create instances
+ * of this class rather than the constructor, which is private.
+ *
+ * @since 7.0.0
+ */
+final class WP_Email_Address {
+
+	/**
+	 * Regex for the local part when Unicode is not enabled.
+	 *
+	 * Matches the character set from the WHATWG email specification:
+	 * https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const LOCAL_PART_ASCII_REGEX = '/^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+$/';
+
+	/**
+	 * Regex for the local part when Unicode is enabled.
+	 *
+	 * Extends the WHATWG character set to allow Unicode letters and numbers,
+	 * and applies the same grapheme-cluster structure used for domain labels:
+	 * each cluster must open with a non-combining character.
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const LOCAL_PART_UNICODE_REGEX = '/^([\p{L}\p{N}.!#$%&\'*+\/=?^_`{|}~-]\p{M}*)+$/u';
+
+	/**
+	 * Pattern for a single ASCII domain label (no dot).
+	 *
+	 * Matches a label from the WHATWG email specification: starts and ends with
+	 * a letter or digit; internal characters may include hyphens.
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const DOMAIN_LABEL_ASCII = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?';
+
+	/**
+	 * Pattern for a single Unicode domain label (no dot).
+	 *
+	 * Extends the ASCII label pattern to allow Unicode letters and numbers,
+	 * with grapheme-cluster structure: each cluster must open with a letter or
+	 * digit (not a combining mark), followed by zero or more combining marks.
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const DOMAIN_LABEL_UNICODE = '[\p{L}\p{N}]\p{M}*(?:(?:[\p{L}\p{N}-]\p{M}*)*[\p{L}\p{N}]\p{M}*)?';
+
+	/**
+	 * Regex for the domain when Unicode is not enabled.
+	 *
+	 * Assembled from {@see self::DOMAIN_LABEL_ASCII}: one label, then zero or
+	 * more dot-separated labels.
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const DOMAIN_ASCII_REGEX = '/^' . self::DOMAIN_LABEL_ASCII . '(?:\.' . self::DOMAIN_LABEL_ASCII . ')*$/';
+
+	/**
+	 * Regex for the domain when Unicode is enabled.
+	 *
+	 * Assembled from {@see self::DOMAIN_LABEL_UNICODE}: one label, then zero or
+	 * more dot-prefixed labels.
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	const DOMAIN_UNICODE_REGEX = '/^' . self::DOMAIN_LABEL_UNICODE . '(?:\.' . self::DOMAIN_LABEL_UNICODE . ')*$/u';
+
+	/**
+	 * The local part of the email address (the portion before the '@').
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	private $localpart;
+
+	/**
+	 * The domain part of the email address (the portion after the '@').
+	 *
+	 * @since 7.0.0
+	 * @var string
+	 */
+	private $domain;
+
+	/**
+	 * Private constructor. Use {@see WP_Email_Address::from_string()} to create instances.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $localpart The local part of the email address.
+	 * @param string $domain    The domain part of the email address.
+	 */
+	private function __construct( string $localpart, string $domain ) {
+		$this->localpart = $localpart;
+		$this->domain    = $domain;
+	}
+
+	/**
+	 * Creates a WP_Email_Address from a string.
+	 *
+	 * This method is intended to accept all strings that are considered valid email
+	 * addresses by the WHATWG HTML specification for the email input type:
+	 *
+	 *     https://html.spec.whatwg.org/multipage/input.html#email-state-(type=email)
+	 *
+	 * and some additional addresses, while rejecting strings that
+	 * are more likely to be typos, mispastes, or attacks. This class
+	 * may reject a few address that are valid according to RFC 5322,
+	 * but it always accepts an address if it's valid according to
+	 * WHATWG. Put differently: If users can type an address into
+	 * the major browsers of 2026, this class accepts them, if
+	 * they can't (in 2026), this class may or may not. (Note that
+	 * "<iframe src=...>"@example.com is valid according to the RFC.)
+	 *
+	 * @since 7.0.0
+	 *
+	 * @param string $input   The email address string to parse.
+	 * @param bool   $unicode Whether to allow Unicode characters in the address.
+	 * @return WP_Email_Address|false A WP_Email_Address instance, or false if the input is invalid.
+	 */
+	public static function from_string( string $input, bool $unicode ) {
+		// There must be exactly one '@' sign.
+		$at_pos = strpos( $input, '@' );
+		if ( false === $at_pos || strrpos( $input, '@' ) !== $at_pos ) {
+			return false;
+		}
+
+		$localpart = substr( $input, 0, $at_pos );
+		$domain    = substr( $input, $at_pos + 1 );
+
+		foreach ( explode( '.', $domain ) as $label ) {
+			// DNS limits each label to 63 octets.
+			if ( strlen( $label ) > 63 ) {
+				return false;
+			}
+		}
+
+		if ( $unicode && function_exists( 'idn_to_utf8' ) ) {
+			// Validate each domain label, decode any punycode to UTF-8, and
+			// reassemble the decoded labels into the local $domain variable.
+			$decoded_labels = array();
+			foreach ( explode( '.', $domain ) as $label ) {
+				// Decode punycode labels to their Unicode form for further validation.
+				if ( str_starts_with( $label, 'xn--' ) ) {
+					$label = idn_to_utf8( $label, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46 );
+					if ( false === $label ) {
+						return false;
+					}
+				}
+				// Reject labels with a reserved ACE-like prefix (two chars followed by '--').
+				if ( preg_match( '/^..--/u', $label ) ) {
+					return false;
+				}
+				$decoded_labels[] = $label;
+			}
+			$domain = implode( '.', $decoded_labels );
+		} else {
+			// Without Unicode support, reject any non-ASCII byte in either part.
+			if ( preg_match( '/[\x80-\xff]/', $input ) ) {
+				return false;
+			}
+		}
+
+		// Both parts must be valid UTF-8, regardless of whether Unicode is requested. (A valid ASCII string is also valid UTF-8.)
+		if ( ! wp_is_valid_utf8( $localpart ) || ! wp_is_valid_utf8( $domain ) ) {
+			return false;
+		}
+
+		// Validate the local part against the allowed character set.
+		if ( ! preg_match( $unicode ? self::LOCAL_PART_UNICODE_REGEX : self::LOCAL_PART_ASCII_REGEX, $localpart ) ) {
+			/** This filter is documented in wp-includes/formatting.php */
+			if ( ! apply_filters( 'is_email', false, $input, 'local_invalid_chars' ) ) {
+				return false;
+			}
+		}
+
+		// The domain must contain at least one dot.
+		if ( ! str_contains( $domain, '.' ) ) {
+			/** This filter is documented in wp-includes/formatting.php */
+			if ( ! apply_filters( 'is_email', false, $input, 'domain_no_periods' ) ) {
+				return false;
+			}
+		}
+
+		// Validate the domain against the allowed structure.
+		if ( ! preg_match( $unicode ? self::DOMAIN_UNICODE_REGEX : self::DOMAIN_ASCII_REGEX, $domain ) ) {
+			return false;
+		}
+
+		return new self( $localpart, $domain );
+	}
+
+	/**
+	 * Returns the local part of the email address (the portion before the '@').
+	 *
+	 * @since 7.0.0
+	 *
+	 * @return string The local part of the email address.
+	 */
+	public function get_localpart(): string {
+		return $this->localpart;
+	}
+
+	/**
+	 * Returns the domain part of the email address (the portion after the '@').
+	 *
+	 * @since 7.0.0
+	 *
+	 * @return string The domain part of the email address.
+	 */
+	public function get_domain(): string {
+		return $this->domain;
+	}
+
+	/**
+	 * Returns the complete email address as a string.
+	 *
+	 * The returned value can always be passed to {@see WP_Email_Address::from_string()}
+	 * and will produce an equivalent WP_Email_Address instance.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @return string The complete email address.
+	 */
+	public function get_address(): string {
+		return $this->localpart . '@' . $this->domain;
+	}
+}
diff --git a/src/wp-includes/default-filters.php b/src/wp-includes/default-filters.php
index 4b6d9de25fa11..db3cb423daf23 100644
--- a/src/wp-includes/default-filters.php
+++ b/src/wp-includes/default-filters.php
@@ -87,6 +87,17 @@
 	add_filter( $filter, 'wp_filter_kses' );
 }
 
+// Email addresses: Allow unicode if and only if as the database can
+// store them. This affects all addresses, including those entered
+// into contact forms.
+if ( 'utf8mb4' === $wpdb->charset ) {
+	add_filter( 'is_email', 'wp_is_unicode_email', 10, 3 );
+	add_filter( 'sanitize_email', 'wp_sanitize_unicode_email', 10, 3 );
+} else {
+	add_filter( 'is_email', 'wp_is_ascii_email', 10, 3 );
+	add_filter( 'sanitize_email', 'wp_sanitize_ascii_email', 10, 3 );
+}
+
 // Display URL.
 foreach ( array( 'user_url', 'link_url', 'link_image', 'link_rss', 'comment_url', 'post_guid' ) as $filter ) {
 	if ( is_admin() ) {
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 498d676f5c20f..03bb0a135e759 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -2176,6 +2176,7 @@ function sanitize_user( $username, $strict = false ) {
 	return apply_filters( 'sanitize_user', $username, $raw_username, $strict );
 }
 
+
 /**
  * Sanitizes a string key.
  *
@@ -2915,7 +2916,9 @@ function antispambot( $email_address, $hex_encoding = 0 ) {
 	for ( $i = 0, $len = strlen( $email_address ); $i < $len; $i++ ) {
 		$j = rand( 0, 1 + $hex_encoding );
 
-		if ( 0 === $j ) {
+		if ( ord( $email_address[ $i ] ) > 127 ) {
+			$email_no_spam_address .= $email_address[ $i ];
+		} elseif ( 0 === $j ) {
 			$email_no_spam_address .= '&#' . ord( $email_address[ $i ] ) . ';';
 		} elseif ( 1 === $j ) {
 			$email_no_spam_address .= $email_address[ $i ];
@@ -3531,7 +3534,14 @@ function convert_smilies( $text ) {
 /**
  * Verifies that an email is valid.
  *
- * Does not grok i18n domains. Not RFC compliant.
+ * This accepts the addresses that matches the WHATWG specifications,
+ * ie. what browsers use for <input type=email>. It also accepts some
+ * additional addresses.
+ *
+ * By default this accepts addresses like info@grå.org (also accepted
+ * by Firefox' <input type=email>. You can disable unicode support by
+ * using the wp_is_ascii_email filter instead of wp_is_unicode_email,
+ * which is the default.
  *
  * @since 0.71
  *
@@ -3544,84 +3554,63 @@ function is_email( $email, $deprecated = false ) {
 		_deprecated_argument( __FUNCTION__, '3.0.0' );
 	}
 
-	// Test for the minimum length the email can be.
-	if ( strlen( $email ) < 6 ) {
-		/**
-		 * Filters whether an email address is valid.
-		 *
-		 * This filter is evaluated under several different contexts, such as 'email_too_short',
-		 * 'email_no_at', 'local_invalid_chars', 'domain_period_sequence', 'domain_period_limits',
-		 * 'domain_no_periods', 'sub_hyphen_limits', 'sub_invalid_chars', or no specific context.
-		 *
-		 * @since 2.8.0
-		 *
-		 * @param string|false $is_email The email address if successfully passed the is_email() checks, false otherwise.
-		 * @param string       $email    The email address being checked.
-		 * @param string       $context  Context under which the email was tested.
-		 */
-		return apply_filters( 'is_email', false, $email, 'email_too_short' );
-	}
-
-	// Test for an @ character after the first position.
-	if ( false === strpos( $email, '@', 1 ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'is_email', false, $email, 'email_no_at' );
-	}
-
-	// Split out the local and domain parts.
-	list( $local, $domain ) = explode( '@', $email, 2 );
-
-	/*
-	 * LOCAL PART
-	 * Test for invalid characters.
-	 */
-	if ( ! preg_match( '/^[a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]+$/', $local ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'is_email', false, $email, 'local_invalid_chars' );
-	}
-
-	/*
-	 * DOMAIN PART
-	 * Test for sequences of periods.
+	/**
+	 * Filters whether an email address is valid.
+	 *
+	 * This filter is evaluated under several different contexts, such as
+	 * 'local_invalid_chars', 'domain_no_periods', or no specific context.
+	 * Filters registered on this hook perform the actual validation; the
+	 * default filter is registered in default-filters.php.
+	 *
+	 * @since 2.8.0
+	 *
+	 * @param string|false $is_email The email address if successfully passed the is_email() checks, false otherwise.
+	 * @param string       $email    The email address being checked.
+	 * @param string|null  $context  Context under which the email was tested, or null for the initial call.
 	 */
-	if ( preg_match( '/\.{2,}/', $domain ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'is_email', false, $email, 'domain_period_sequence' );
-	}
-
-	// Test for leading and trailing periods and whitespace.
-	if ( trim( $domain, " \t\n\r\0\x0B." ) !== $domain ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'is_email', false, $email, 'domain_period_limits' );
-	}
-
-	// Split the domain into subs.
-	$subs = explode( '.', $domain );
+	return apply_filters( 'is_email', false, $email, null );
+}
 
-	// Assume the domain will have at least two subs.
-	if ( 2 > count( $subs ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'is_email', false, $email, 'domain_no_periods' );
+/**
+ * Default is_email filter for databases that support Unicode (db charset is utf8mb4).
+ *
+ * Validates the email address using {@see WP_Email_Address::from_string()} with Unicode enabled.
+ * Only acts when $context is null (which it is in the initial validation call); later rescue-context calls are passed through.
+ *
+ * @since 7.0.0
+ *
+ * @param string|false $value   The current filter value.
+ * @param string       $email   The email address being checked.
+ * @param string|null  $context Validation context, or null for the initial call.
+ * @return string|false The email address if valid, false otherwise.
+ */
+function wp_is_unicode_email( $value, $email, $context ) {
+	if ( null !== $context ) {
+		return $value;
 	}
+	$result = WP_Email_Address::from_string( $email, true );
+	return $result ? $result->get_address() : false;
+}
 
-	// Loop through each sub.
-	foreach ( $subs as $sub ) {
-		// Test for leading and trailing hyphens and whitespace.
-		if ( trim( $sub, " \t\n\r\0\x0B-" ) !== $sub ) {
-			/** This filter is documented in wp-includes/formatting.php */
-			return apply_filters( 'is_email', false, $email, 'sub_hyphen_limits' );
-		}
-
-		// Test for invalid characters.
-		if ( ! preg_match( '/^[a-z0-9-]+$/i', $sub ) ) {
-			/** This filter is documented in wp-includes/formatting.php */
-			return apply_filters( 'is_email', false, $email, 'sub_invalid_chars' );
-		}
+/**
+ * Default is_email filter for databases that do not support Unicode (db charset is not utf8mb4).
+ *
+ * Validates the email address using {@see WP_Email_Address::from_string()} with Unicode disabled.
+ * Only acts when $context is null (which it is in the initial validation call); later rescue-context calls are passed through.
+ *
+ * @since 7.0.0
+ *
+ * @param string|false $value   The current filter value.
+ * @param string       $email   The email address being checked.
+ * @param string|null  $context Validation context, or null for the initial call.
+ * @return string|false The email address if valid, false otherwise.
+ */
+function wp_is_ascii_email( $value, $email, $context ) {
+	if ( null !== $context ) {
+		return $value;
 	}
-
-	// Congratulations, your email made it!
-	/** This filter is documented in wp-includes/formatting.php */
-	return apply_filters( 'is_email', $email, $email, null );
+	$result = WP_Email_Address::from_string( $email, false );
+	return $result ? $result->get_address() : false;
 }
 
 /**
@@ -3750,109 +3739,87 @@ function iso8601_to_datetime( $date_string, $timezone = 'user' ) {
 }
 
 /**
- * Strips out all characters that are not allowable in an email.
+ * Sanitizes an email address.
+ *
+ * Strips stray whitespace from the input, then strips trailing dots from the domain. This is designed to recover from cut/paste mistakes without any risk of transforming the input into a different address than the user intended.
+ *
+ * Validation and final form are determined by the 'sanitize_email' filter; the default filter is registered in default-filters.php and delegates to {@see WP_Email_Address::from_string()}.
  *
  * @since 1.5.0
  *
- * @param string $email Email address to filter.
- * @return string Filtered email address.
+ * @param string $email Email address to sanitize.
+ * @return string The sanitized email address, or an empty string if invalid.
  */
 function sanitize_email( $email ) {
-	// Test for the minimum length the email can be.
-	if ( strlen( $email ) < 6 ) {
-		/**
-		 * Filters a sanitized email address.
-		 *
-		 * This filter is evaluated under several contexts, including 'email_too_short',
-		 * 'email_no_at', 'local_invalid_chars', 'domain_period_sequence', 'domain_period_limits',
-		 * 'domain_no_periods', 'domain_no_valid_subs', or no context.
-		 *
-		 * @since 2.8.0
-		 *
-		 * @param string $sanitized_email The sanitized email address.
-		 * @param string $email           The email address, as provided to sanitize_email().
-		 * @param string|null $message    A message to pass to the user. null if email is sanitized.
-		 */
-		return apply_filters( 'sanitize_email', '', $email, 'email_too_short' );
-	}
+	// Strip surrounding whitespace.
+	$email = trim( $email );
 
-	// Test for an @ character after the first position.
-	if ( false === strpos( $email, '@', 1 ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'email_no_at' );
+	// Extract the address from "Display Name <address>" format.
+	if ( preg_match( '/<([^>]+)>/', $email, $matches ) ) {
+		$email = $matches[1];
 	}
 
-	// Split out the local and domain parts.
-	list( $local, $domain ) = explode( '@', $email, 2 );
+	// Strip soft hyphens and whitespace adjacent to structural separators (dots and @),
+	// e.g. copy-paste artifacts like "info@example\u{00AD}.com" or "info@example .com".
+	$email = preg_replace( '/[\x{00AD}\s]*([.@])[\x{00AD}\s]*/u', '$1', $email ) ?? $email;
 
-	/*
-	 * LOCAL PART
-	 * Test for invalid characters.
-	 */
-	$local = preg_replace( '/[^a-zA-Z0-9!#$%&\'*+\/=?^_`{|}~\.-]/', '', $local );
-	if ( '' === $local ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'local_invalid_chars' );
+	// Strip a trailing dot from the domain (e.g. if pasted from the end of a sentence).
+	if ( false !== strpos( $email, '@' ) ) {
+		list( $local, $domain ) = explode( '@', $email, 2 );
+		$domain                 = rtrim( $domain, '.' );
+		$email                  = $local . '@' . $domain;
 	}
 
-	/*
-	 * DOMAIN PART
-	 * Test for sequences of periods.
+	/**
+	 * Filters a sanitized email address.
+	 *
+	 * Filters registered on this hook perform the actual validation and return
+	 * the canonical email string on success or an empty string on failure.
+	 * The default filter is registered in default-filters.php.
+	 *
+	 * @since 2.8.0
+	 *
+	 * @param string      $sanitized_email The sanitized email address, or empty string.
+	 * @param string      $email           The email address as provided to sanitize_email().
+	 * @param string|null $context         Validation context, or null for the initial call.
 	 */
-	$domain = preg_replace( '/\.{2,}/', '', $domain );
-	if ( '' === $domain ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'domain_period_sequence' );
-	}
-
-	// Test for leading and trailing periods and whitespace.
-	$domain = trim( $domain, " \t\n\r\0\x0B." );
-	if ( '' === $domain ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'domain_period_limits' );
-	}
-
-	// Split the domain into subs.
-	$subs = explode( '.', $domain );
-
-	// Assume the domain will have at least two subs.
-	if ( 2 > count( $subs ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'domain_no_periods' );
-	}
-
-	// Create an array that will contain valid subs.
-	$new_subs = array();
-
-	// Loop through each sub.
-	foreach ( $subs as $sub ) {
-		// Test for leading and trailing hyphens.
-		$sub = trim( $sub, " \t\n\r\0\x0B-" );
-
-		// Test for invalid characters.
-		$sub = preg_replace( '/[^a-z0-9-]+/i', '', $sub );
-
-		// If there's anything left, add it to the valid subs.
-		if ( '' !== $sub ) {
-			$new_subs[] = $sub;
-		}
-	}
-
-	// If there aren't 2 or more valid subs.
-	if ( 2 > count( $new_subs ) ) {
-		/** This filter is documented in wp-includes/formatting.php */
-		return apply_filters( 'sanitize_email', '', $email, 'domain_no_valid_subs' );
-	}
-
-	// Join valid subs into the new domain.
-	$domain = implode( '.', $new_subs );
+	return apply_filters( 'sanitize_email', '', $email, null );
+}
 
-	// Put the email back together.
-	$sanitized_email = $local . '@' . $domain;
+/**
+ * Default sanitize_email filter for databases that support Unicode (db charset is utf8mb4).
+ *
+ * Returns the canonical address from {@see WP_Email_Address::from_string()} with Unicode
+ * enabled, or an empty string if the address is invalid.
+ *
+ * @since 7.0.0
+ *
+ * @param string      $value   The current filter value.
+ * @param string      $email   The email address being sanitized.
+ * @param string|null $context Sanitization context, always null.
+ * @return string The canonical email address if valid, empty string otherwise.
+ */
+function wp_sanitize_unicode_email( $value, $email, $context ) {
+	$result = WP_Email_Address::from_string( $email, true );
+	return $result ? $result->get_address() : '';
+}
 
-	// Congratulations, your email made it!
-	/** This filter is documented in wp-includes/formatting.php */
-	return apply_filters( 'sanitize_email', $sanitized_email, $email, null );
+/**
+ * Default sanitize_email filter for databases that do not support Unicode (db charset is not utf8mb4).
+ *
+ * Returns the canonical address from {@see WP_Email_Address::from_string()} with Unicode
+ * disabled, or an empty string if the address is invalid.
+ *
+ * @since 7.0.0
+ *
+ * @param string      $value   The current filter value.
+ * @param string      $email   The email address being sanitized.
+ * @param string|null $context Sanitization context, always null.
+ * @return string The canonical email address if valid, empty string otherwise.
+ */
+function wp_sanitize_ascii_email( $value, $email, $context ) {
+	$result = WP_Email_Address::from_string( $email, false );
+	return $result ? $result->get_address() : '';
 }
 
 /**
diff --git a/src/wp-settings.php b/src/wp-settings.php
index dab1d8fd4c0de..4c80e70ad029e 100644
--- a/src/wp-settings.php
+++ b/src/wp-settings.php
@@ -112,6 +112,7 @@
 require ABSPATH . WPINC . '/class-wp-list-util.php';
 require ABSPATH . WPINC . '/class-wp-token-map.php';
 require ABSPATH . WPINC . '/utf8.php';
+require ABSPATH . WPINC . '/class-wp-email-address.php';
 require ABSPATH . WPINC . '/formatting.php';
 require ABSPATH . WPINC . '/meta.php';
 require ABSPATH . WPINC . '/functions.php';
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index a290d11e118e6..d4ac1e94c9472 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -1520,7 +1520,7 @@ public function test_wp_authenticate_cookie_with_invalid_cookie() {
 	 */
 	public function test_wp_signon_using_email_with_an_apostrophe() {
 		$user_args = array(
-			'user_email' => "mail\'@example.com",
+			'user_email' => "mail'@example.com",
 			'user_pass'  => 'password',
 		);
 		self::factory()->user->create( $user_args );
diff --git a/tests/phpunit/tests/formatting/antispambot.php b/tests/phpunit/tests/formatting/antispambot.php
index 159d907ada9b0..e2fc4d6bca821 100644
--- a/tests/phpunit/tests/formatting/antispambot.php
+++ b/tests/phpunit/tests/formatting/antispambot.php
@@ -34,6 +34,9 @@ public function data_returns_valid_utf8() {
 			'plain with ip'        => array( 'ace@204.32.222.14' ),
 			'deep subdomain'       => array( 'kevin@many.subdomains.make.a.happy.man.edu' ),
 			'short address'        => array( 'a@b.co' ),
+			'ascii@nonascii'       => array( 'info@grå.org' ),
+			'nonascii@nonascii'    => array( 'grå@grå.org' ),
+			'decomposed unicode'   => array( 'gr\u{0061}\u{030a}blå@grå.org' ),
 			'weird but legal dots' => array( '..@example.com' ),
 		);
 	}
diff --git a/tests/phpunit/tests/formatting/isEmail.php b/tests/phpunit/tests/formatting/isEmail.php
index d79647885ceba..2c71c910dd6f8 100644
--- a/tests/phpunit/tests/formatting/isEmail.php
+++ b/tests/phpunit/tests/formatting/isEmail.php
@@ -37,7 +37,11 @@ public static function data_valid_email_provider() {
 			'ace@204.32.222.14',
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
+			'a@b.c',
 			'bill+ted@example.com',
+			'info@grå.org',
+			'grå@grå.org',
+			"gr\u{0061}\u{030a}blå@grå.org",
 			'..@example.com',
 		);
 
@@ -74,10 +78,7 @@ public static function data_invalid_email_provider() {
 			"sif i'd give u it, spamer!1",
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
-			'a@b.c',
 			'" "@b.c',
-			'"@"@b.c',
-			'a@route.org@b.c',
 			'h(aj@couc.ou', // bad comment.
 			'hi@',
 			'hi@hi@couc.ou', // double @.
diff --git a/tests/phpunit/tests/formatting/sanitizeEmail.php b/tests/phpunit/tests/formatting/sanitizeEmail.php
index 6ca396f42dc26..1262e750eab09 100644
--- a/tests/phpunit/tests/formatting/sanitizeEmail.php
+++ b/tests/phpunit/tests/formatting/sanitizeEmail.php
@@ -31,12 +31,26 @@ public function test_returns_stripped_email_address( $address, $expected ) {
 	 */
 	public function data_sanitized_email_pairs() {
 		return array(
-			'shorter than 6 characters'      => array( 'a@b', '' ),
-			'contains no @'                  => array( 'ab', '' ),
-			'just a TLD'                     => array( 'abc@com', '' ),
-			'plain'                          => array( 'abc@example.com', 'abc@example.com' ),
-			'invalid utf8 subdomain dropped' => array( "abc@sub.\x80.org", 'abc@sub.org' ),
-			'all subdomains invalid utf8'    => array( "abc@\x80.org", '' ),
+			'shorter than 6 characters'        => array( 'a@b', '' ),
+			'contains no @'                    => array( 'ab', '' ),
+			'just a TLD'                       => array( 'abc@com', '' ),
+			'plain'                            => array( 'abc@example.com', 'abc@example.com' ),
+			'unicode domain'                   => array( 'abc@grå.org', 'abc@grå.org' ),
+			'unicode local part'               => array( 'grå@example.com', 'grå@example.com' ),
+			'unicode local and domain'         => array( 'grå@grå.org', 'grå@grå.org' ),
+			'invalid utf8 in local'            => array( "a\x80b@example.com", '' ),
+			'invalid utf8 subdomain'           => array( "abc@sub.\x80.org", '' ),
+			'all subdomains invalid utf8'      => array( "abc@\x80.org", '' ),
+			'soft hyphen before dot'           => array( "info@example\xC2\xAD.com", 'info@example.com' ),
+			'soft hyphen after dot'            => array( "info@example.\xC2\xADcom", 'info@example.com' ),
+			'space before dot'                 => array( 'info@example .com', 'info@example.com' ),
+			'space after dot'                  => array( 'info@example. com', 'info@example.com' ),
+			'soft hyphen and space around dot' => array( "info@example \xC2\xAD.com", 'info@example.com' ),
+			'space around at sign'             => array( 'info @ example.com', 'info@example.com' ),
+			'soft hyphen before at sign'       => array( "info\xC2\xAD@example.com", 'info@example.com' ),
+			'display name with angle brackets' => array( 'Alice Example <alice@example.com>', 'alice@example.com' ),
+			'angle brackets only'              => array( '<alice@example.com>', 'alice@example.com' ),
+			'angle brackets invalid address'   => array( 'Alice <not-an-email>', '' ),
 		);
 	}
 }
diff --git a/tests/phpunit/tests/privacy/wpCreateUserRequest.php b/tests/phpunit/tests/privacy/wpCreateUserRequest.php
index 55eb866722b77..0d44611945fc0 100644
--- a/tests/phpunit/tests/privacy/wpCreateUserRequest.php
+++ b/tests/phpunit/tests/privacy/wpCreateUserRequest.php
@@ -152,14 +152,15 @@ public function test_failure_due_to_incomplete_unregistered_user() {
 	 * @ticket 44707
 	 */
 	public function test_sanitized_email() {
-		$actual = wp_create_user_request( 'some(email<withinvalid\characters@local.test', 'export_personal_data' );
+		// Address supplied in "Display Name <address>" format should be extracted and accepted.
+		$actual = wp_create_user_request( 'Some User <sanitized@local.test>', 'export_personal_data' );
 
 		$this->assertNotWPError( $actual );
 
 		$post = get_post( $actual );
 
 		$this->assertSame( 'export_personal_data', $post->post_name );
-		$this->assertSame( 'someemailwithinvalidcharacters@local.test', $post->post_title );
+		$this->assertSame( 'sanitized@local.test', $post->post_title );
 	}
 
 	/**
diff --git a/tests/phpunit/tests/rest-api/rest-comments-controller.php b/tests/phpunit/tests/rest-api/rest-comments-controller.php
index 8542bcd42af24..547757ae6042e 100644
--- a/tests/phpunit/tests/rest-api/rest-comments-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-comments-controller.php
@@ -2321,7 +2321,7 @@ public function test_create_comment_author_email_too_long() {
 		$params = array(
 			'post'         => self::$post_id,
 			'author_name'  => 'Bleeding Gums Murphy',
-			'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
+			'author_email' => 'murphy@' . rand_long_str( 60 ) . '.' . rand_long_str( 60 ) . '.com',
 			'author_url'   => 'http://jazz.gingivitis.com',
 			'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
 			'date'         => '1995-04-30T10:22:00',
@@ -2954,7 +2954,7 @@ public function test_update_comment_author_email_too_long() {
 		wp_set_current_user( self::$admin_id );
 
 		$params = array(
-			'author_email' => 'murphy@' . rand_long_str( 190 ) . '.com',
+			'author_email' => 'murphy@' . rand_long_str( 60 ) . '.' . rand_long_str( 60 ) . '.com',
 			'content'      => 'This isn\'t a saxophone. It\'s an umbrella.',
 		);
 
diff --git a/tests/phpunit/tests/wp-email-address/wpEmailAddress.php b/tests/phpunit/tests/wp-email-address/wpEmailAddress.php
new file mode 100644
index 0000000000000..76560cc427a40
--- /dev/null
+++ b/tests/phpunit/tests/wp-email-address/wpEmailAddress.php
@@ -0,0 +1,304 @@
+<?php
+/**
+ * Unit tests covering WP_Email_Address functionality.
+ *
+ * @package WordPress
+ *
+ * @since 7.0.0
+ * @group email
+ *
+ * @coversDefaultClass WP_Email_Address
+ */
+class Tests_WpEmailAddress extends WP_UnitTestCase {
+
+	/**
+	 * Tests that from_string() returns a WP_Email_Address instance.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_from_string
+	 * @covers WP_Email_Address::from_string
+	 *
+	 * @param string $address The email address to parse.
+	 */
+	public function test_from_string_returns_instance( $address ) {
+		$result = WP_Email_Address::from_string( $address, false );
+		$this->assertInstanceOf( WP_Email_Address::class, $result );
+	}
+
+	/**
+	 * Tests that get_address() returns a string that can be passed back to from_string().
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_from_string
+	 * @covers WP_Email_Address::get_address
+	 *
+	 * @param string $address The email address to parse.
+	 */
+	public function test_get_address_is_roundtrippable( $address ) {
+		$instance  = WP_Email_Address::from_string( $address, false );
+		$roundtrip = WP_Email_Address::from_string( $instance->get_address(), false );
+		$this->assertInstanceOf( WP_Email_Address::class, $roundtrip );
+		$this->assertSame( $instance->get_address(), $roundtrip->get_address() );
+	}
+
+	/**
+	 * Tests that get_localpart() and get_domain() combine to form the full address.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_from_string
+	 * @covers WP_Email_Address::get_localpart
+	 * @covers WP_Email_Address::get_domain
+	 *
+	 * @param string $address The email address to parse.
+	 */
+	public function test_localpart_and_domain_compose_address( $address ) {
+		$instance = WP_Email_Address::from_string( $address, false );
+		$this->assertSame(
+			$instance->get_localpart() . '@' . $instance->get_domain(),
+			$instance->get_address()
+		);
+	}
+
+	/**
+	 * Tests that from_string() accepts valid Unicode local parts when $unicode is true.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_from_string_unicode
+	 * @covers WP_Email_Address::from_string
+	 *
+	 * @param string $address The email address to parse.
+	 */
+	public function test_from_string_unicode_returns_instance( $address ) {
+		$this->assertInstanceOf( WP_Email_Address::class, WP_Email_Address::from_string( $address, true ) );
+	}
+
+	/**
+	 * Data provider for valid addresses accepted only in Unicode mode.
+	 *
+	 * @return array[]
+	 */
+	public function data_from_string_unicode() {
+		return array(
+			'unicode letter in local part'        => array(
+				'address' => 'ıstanbul@example.com',
+			),
+			'CJK characters in local part'        => array(
+				'address' => '用户@example.com',
+			),
+			'letter with combining mark in local' => array(
+				'address' => "a\xCC\x81@example.com",
+			),
+			'latin unicode domain'                => array(
+				'address' => 'info@grå.org',
+			),
+			'han unicode domain'                  => array(
+				'address' => '阿Q@慕田峪长城.网址',
+			),
+		);
+	}
+
+	/**
+	 * Tests that an is_email filter returning true rescues a local_invalid_chars failure.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @covers WP_Email_Address::from_string
+	 */
+	public function test_local_invalid_chars_filter_can_rescue() {
+		$filter = static function ( $value, $email, $context ) {
+			return 'local_invalid_chars' === $context ? true : $value;
+		};
+		add_filter( 'is_email', $filter, 10, 3 );
+		// Quoted local part is valid per RFC 5321 but rejected by the WHATWG charset. WordPress agrees with the browsers.
+		$result = WP_Email_Address::from_string( '"quoted"@example.com', false );
+		remove_filter( 'is_email', $filter, 10 );
+		$this->assertInstanceOf( WP_Email_Address::class, $result );
+	}
+
+	/**
+	 * Tests that an is_email filter returning true rescues a domain_no_periods failure.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @covers WP_Email_Address::from_string
+	 */
+	public function test_domain_no_periods_filter_can_rescue() {
+		$filter = static function ( $value, $email, $context ) {
+			return 'domain_no_periods' === $context ? true : $value;
+		};
+		add_filter( 'is_email', $filter, 10, 3 );
+		// Single-label domain is used for intranet mail servers.
+		$result = WP_Email_Address::from_string( 'user@mailserver', false );
+		remove_filter( 'is_email', $filter, 10 );
+		$this->assertInstanceOf( WP_Email_Address::class, $result );
+	}
+
+	/**
+	 * Tests that rescuing local_invalid_chars does not bypass later checks.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @covers WP_Email_Address::from_string
+	 */
+	public function test_local_invalid_chars_rescue_does_not_bypass_domain_check() {
+		$filter = static function ( $value, $email, $context ) {
+			return 'local_invalid_chars' === $context ? true : $value;
+		};
+		add_filter( 'is_email', $filter, 10, 3 );
+		// Local part rescued, but domain has no dot — should still be rejected.
+		$result = WP_Email_Address::from_string( '"quoted"@nodots', false );
+		remove_filter( 'is_email', $filter, 10 );
+		$this->assertFalse( $result );
+	}
+
+	/**
+	 * Tests that from_string() returns false for invalid addresses.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_invalid_addresses
+	 * @covers WP_Email_Address::from_string
+	 *
+	 * @param string $address The invalid email address string.
+	 */
+	public function test_from_string_rejects_invalid( $address ) {
+		$this->assertFalse( WP_Email_Address::from_string( $address, false ) );
+	}
+
+	/**
+	 * Data provider for invalid addresses.
+	 *
+	 * @return array[]
+	 */
+	public function data_invalid_addresses() {
+		return array(
+			'quoted local part with iframe' => array(
+				'address' => '"<iframe src=http://example.com>"@example.com',
+			),
+			'null byte'                     => array(
+				'address' => "user\x00name@example.com",
+			),
+			'very invalid UTF8'             => array(
+				'address' => "\x80\x20ouch@example.com",
+			),
+			'overlong encoding of space'    => array(
+				'address' => "us\xC0\xA0er@example.com",
+			),
+			// Domain without a dot is not a routable internet domain.
+			'domain without a dot'          => array(
+				'address' => 'com@com',
+			),
+		);
+	}
+
+	/**
+	 * Tests that from_string() returns false for invalid addresses when Unicode is enabled.
+	 *
+	 * @since 7.0.0
+	 *
+	 * @dataProvider data_invalid_unicode_addresses
+	 * @covers WP_Email_Address::from_string
+	 *
+	 * @param string $address The invalid email address string.
+	 */
+	public function test_from_string_rejects_invalid_unicode( $address ) {
+		$this->assertFalse( WP_Email_Address::from_string( $address, true ) );
+	}
+
+	/**
+	 * Data provider for addresses that are invalid specifically in Unicode mode.
+	 *
+	 * @return array[]
+	 */
+	public function data_invalid_unicode_addresses() {
+		return array(
+			'reserved ACE prefix in domain'       => array(
+				'address' => 'user@ab--reserved.com',
+			),
+			'combining mark as sole domain label' => array(
+				'address' => "user@\xCC\x81.example.com",
+			),
+			'combining mark as sole local part'   => array(
+				'address' => "\xCC\x81@example.com",
+			),
+		);
+	}
+
+	/**
+	 * Data provider for several tests.
+	 *
+	 * @return array[]
+	 */
+	public function data_from_string() {
+		return array(
+			'simple address'              => array(
+				'address' => 'example@example.com',
+			),
+			'dot in local part'           => array(
+				'address' => 'user.name@example.com',
+			),
+			'plus sign in local part'     => array(
+				'address' => 'user+tag@example.com',
+			),
+			'underscore in local part'    => array(
+				'address' => 'user_name@example.org',
+			),
+			'hyphen in local part'        => array(
+				'address' => 'user-name@example.net',
+			),
+			'apostrophe in local part'    => array(
+				'address' => "mail'@example.com",
+			),
+			'digits in local part'        => array(
+				'address' => 'user123@example.com',
+			),
+			'uppercase letters'           => array(
+				'address' => 'USER@EXAMPLE.COM',
+			),
+			'subdomain'                   => array(
+				'address' => 'user@mail.example.com',
+			),
+			'multiple subdomains'         => array(
+				'address' => 'user@a.b.c.example.com',
+			),
+			'hyphen in domain label'      => array(
+				'address' => 'user@my-domain.com',
+			),
+			'digits in domain'            => array(
+				'address' => 'user@123.example.com',
+			),
+			'short but valid'             => array(
+				'address' => 'a@l.is',
+			),
+			'special chars in local part' => array(
+				'address' => 'a.!#$%*+/=?^_{|}~-@example.com',
+			),
+			'local part is all digits'    => array(
+				'address' => '1234567890@example.com',
+			),
+			'long local part'             => array(
+				'address' => 'abcdefghijklmnopqrstuvwxyz0123456789@example.com',
+			),
+			'long domain'                 => array(
+				'address' => 'user@abcdefghijklmnopqrstuvwxyz0123456789.example.com',
+			),
+			'country-code TLD'            => array(
+				'address' => 'user@example.co.uk',
+			),
+			'long TLD'                    => array(
+				'address' => 'user@example.engineering',
+			),
+			// xn-- labels: grå.org and 慕田峪长城.网址 (https://慕田峪长城.网址).
+			'latin punycode domain'       => array(
+				'address' => 'user@xn--gr-zia.org',
+			),
+			'han punycode domain'         => array(
+				'address' => 'ahq@xn--uist2j67d64zv30b.xn--ses554g',
+			),
+		);
+	}
+}