Yes; I had missed that part. So the function boils down to:

print "failure" and return 1 if contains _ or more than 16 alphanumeri
+cs
otherwise return alphanumerics.
[download]

I suspect the _ and return 1 parts are unintentional, and the function would be better as:

sub untaint_username
{
    my $tainted = shift;

    # remove non-alphanumerics
    $tainted =~ y/a-zA-Z0-9//cd;
    # or s/[\W_]//g

    # must be 1-16 characters
    return "$1" if $tainted =~ /\A(.{1,16})\z/;
    print "failure\n";
    return;
}
[download]