I'm confused why everybody keeps talking about sanitization when all you have to do is escape a string properly whenever you inject it verbatim into a language, be it HTML or SQL or whatever.
Because they have not understood the core issue. It's impossible to store/sanitize data correctly when this is absolutely context/output-dependent.
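The point made in the two comments above, shown as an added example that is not part of the original thread: one raw stored value is encoded separately for each output context, next to a version that was HTML-encoded once at input time. The sample value, table name and function names are constructed for illustration.

```python
import html
import json
import sqlite3
from urllib.parse import quote

# Constructed sample input: a legitimate name containing characters that are
# special in HTML, SQL, JavaScript and URLs at the same time.
RAW = "O'Brien & <Sons> \"Ltd\""

def for_html_text(value):
    """HTML element content: only &, < and > need encoding."""
    return html.escape(value, quote=False)

def for_html_attr(value):
    """Quoted HTML attribute value: quotes must be encoded as well."""
    return html.escape(value, quote=True)

def for_js_string(value):
    """JavaScript string literal inside a <script> block."""
    lit = json.dumps(value)
    # Keep the HTML parser from seeing markup inside the script element.
    return lit.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def for_url_param(value):
    """Single URL query parameter value."""
    return quote(value, safe="")

def store_and_load(value):
    """SQL context: a bound parameter, so the stored bytes stay unchanged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (name TEXT)")
    con.execute("INSERT INTO customers (name) VALUES (?)", (value,))
    (loaded,) = con.execute("SELECT name FROM customers").fetchone()
    con.close()
    return loaded

def sanitize_on_input(value):
    """The approach questioned above: encode once for HTML before storing."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    stored = store_and_load(RAW)
    for name, fn in [("html text", for_html_text), ("html attr", for_html_attr),
                     ("js string", for_js_string), ("url param", for_url_param)]:
        print(f"{name:10} {fn(stored)}")
    # A value encoded at input time is wrong for every sink except one.
    pre = store_and_load(sanitize_on_input(RAW))
    print("double    ", for_html_text(pre))
    print("url (pre) ", for_url_param(pre))
```

The last two lines printed show the failure mode: the pre-encoded value is double-encoded when it reaches the HTML sink and carries HTML entities into the URL sink, where they are simply wrong data.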