You're probably already familiar with the old saying "Never trust your users input", if not, you're now.
Sadly, that often worries developers so much that they will sanitize every single user input before storing it. That's, to our eyes, a bad practice. You shouldn't trust your users, but that should never lead you to break data integrity.
Instead of sanitize before store, you should validate if the input makes sense, and tell your client if it isn't.
If a user inputs a string containing HTML tags, you shouldn't strip them out
before storing. Depending on the context, you should sanitize it before
outputting. For that you can call
optionally you can send a second argument specifying tags to maintain