Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.

For instance: Why should I even handle requests with multiple real_name ?

Hmm... odd thoughts