Domain aliases are not sanitized and it is possible to inject arbitrary vhost configuration via aliases textarea

The _hosting_valid_fqdn() regex allows this probably to still accepts simple localname install, so you don't need to use the dot in the name, yet, then it is no longer FQDN check, I agree.

Also, current regex allows you to use IP address as a site name and you can enter the dot at the end (which is wrong).

In my setup I don't allow IP addresses and the domain should start with a letter (probably too restrictive these days, but it is per RFC1035):

function _hosting_valid_fqdn($fqdn) {
  # regex is an implementation of RFC1035
  # original: return preg_match("/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.?)+$/i", $fqdn);
  #
  # We don't allow using IPs as a site name.
  # The domain name should start with a letter
  # and end with a-z0-9 only - dot is not allowed.
  #
  return preg_match("/^([a-z]+([a-z0-9-]*[a-z0-9])?\.?)+[a-z0-9]+$/i", $fqdn);
}