Don’t try to sanitize input. Escape output.

Why you should escape output correctly, but generally not sanitize user input.
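The following Python sketch is an added example, not code from the original page. It stores a constructed input unmodified and escapes it separately for each output context, next to a hypothetical input filter that damages the same value. `RAW`, `naive_sanitize` and the other function names are assumptions made for illustration.

```python
import html
import re
import sqlite3
from urllib.parse import quote

# Constructed sample input: a legitimate name containing characters
# that an input "sanitizer" typically strips.
RAW = "Tim O'Reilly <tim@example.com> & Sons"

def naive_sanitize(value):
    """Hypothetical input filter (the approach the title argues against)."""
    return re.sub(r"[<>'\"&]", "", value)

def store_and_load(value):
    """Store the value unmodified, passing it as a bound parameter
    rather than splicing it into the SQL text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("INSERT INTO users (name) VALUES (?)", (value,))
    (loaded,) = db.execute("SELECT name FROM users").fetchone()
    db.close()
    return loaded

def render_html(value):
    """Escape for HTML text and quoted-attribute contexts at output time."""
    safe = html.escape(value, quote=True)
    return f'<p title="{safe}">{safe}</p>'

def render_url(value):
    """Percent-encode for a URL query component at output time."""
    return "https://example.com/search?q=" + quote(value, safe="")

if __name__ == "__main__":
    print("sanitized:", naive_sanitize(RAW))   # data is lost for good
    stored = store_and_load(RAW)               # data survives intact
    print("stored   :", stored)
    print("html     :", render_html(stored))
    print("url      :", render_url(stored))
```

The same stored value needs a different encoding in each context, which a single filter applied at input time cannot provide.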