don't trust user input

That is absolutely correct. All the assumptions and conclusions you’re piling on top of it are not. <script src="//hax0r.cx/pwnd.js"></script> can sit as is in the database just fine, as can Tye');DROP TABLE Monks;-- and any other content treated properly going in and coming back out.