Why Drupal filters on output

It seems to be a popular approach in other web applications to process or filter user input in the name of security. Historically, Drupal has preserved user input as-is and filtered it on output only. This is occasionally debated within the Drupal community.

Before you proceed, read Steven Wittens' excellent article Safe string theory for the web.

Acting on input is problematic because you cannot know which characters are forbidden, or how they must be encoded, without knowing the context in which the string will later appear.

To make things worse, the same string can appear in more than one context, for example as HTML text and as an HTML attribute value, as in <a title="$node->title">$node->title</a>. If you strip characters on input, you have to strip so many of them that the system becomes crippled; if you encode on input, you cannot know which encoding to apply, because the output context is not yet known. Encoding on input has a further problem: processing escaped text is very cumbersome (try extracting a teaser from an HTML-escaped node body without cutting an entity in half).

So there is no choice but to store user input unchanged and do the proper escaping on output, once for each context the value is placed in.
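The two points above, one stored value landing in several output contexts and the teaser that breaks when storage is already escaped, as an added example written for this page. It is not Drupal core code: the function names (escape_html, escape_query_value, escape_js_string, render_title_link, make_teaser) are our own, and the sample title is constructed. escape_html does what Drupal 6/7's check_plain() does, htmlspecialchars with ENT_QUOTES and UTF-8.

```php
<?php
// Added example, not Drupal's own code: the same user-supplied string emitted in
// several output contexts, each with its own escaping, while storage keeps it raw.

// Constructed sample input: a node title as a user might submit it.
$raw_title = 'Tom & Jerry: "The \'Cat\' <script>" episode';

// Escaping for HTML text nodes and double-quoted attribute values.
// Same call Drupal 6/7's check_plain() makes; the function name here is our own.
function escape_html($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Escaping for a value placed in a URL query string. The resulting URL still has
// to be HTML-escaped when it is placed in an attribute: two contexts, two encoders.
function escape_query_value($text) {
    return rawurlencode($text);
}

// Escaping for a value embedded as a string literal in an inline <script> block.
// JSON_HEX_TAG keeps a "</script>" in the value from closing the script element.
function escape_js_string($text) {
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Output time: the raw stored value goes through the encoder of every context it lands in.
function render_title_link($raw) {
    $href = '/search?q=' . escape_query_value($raw);   // URL query context
    return '<a href="' . escape_html($href) . '"'       // attribute context (URL inside)
         . ' title="' . escape_html($raw) . '">'        // attribute context
         . escape_html($raw) . '</a>';                  // HTML text context
}

function render_title_script($raw) {
    return '<script>document.title = ' . escape_js_string($raw) . ';</script>';
}

// A teaser cut at a character count: an operation that must run on the raw text.
function make_teaser($text, $length) {
    return mb_substr($text, 0, $length);
}

// Escape-on-input: the stored value is already HTML-escaped.
$stored_escaped = escape_html($raw_title);

// Cutting the escaped text lands inside an entity and shortens the visible text:
// "Tom &amp; Jerry: &qu" is 20 characters of storage but only 13 characters the
// user typed, followed by a broken entity.
$teaser_from_escaped = make_teaser($stored_escaped, 20);

// Escape-on-output: cut the raw text, then escape the piece for the HTML text context.
// Yields "Tom &amp; Jerry: &quot;The &#039;C", the user's first 20 characters intact.
$teaser_from_raw = escape_html(make_teaser($raw_title, 20));

// Escape-on-input cannot serve the JavaScript context either: document.title is plain
// text, so the page title would show "&amp;" and "&quot;" literally.
$script_from_escaped = render_title_script($stored_escaped);

echo render_title_link($raw_title), "\n";
echo render_title_script($raw_title), "\n";
echo $teaser_from_escaped, "\n";
echo $teaser_from_raw, "\n";
echo $script_from_escaped, "\n";
```

Run it with the php command-line interpreter (mbstring enabled). The link output shows the single raw title encoded three different ways in one tag, and the URL value is encoded twice (once for the query string, once for the attribute); no encoding applied at input time could have produced all of these at once, which is the argument for storing the raw value and escaping at the point of output.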
