Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field, anyway I did some ‘research’ myself recently so I’ll try to supply you with some general guidelines until someone with more insight will come and offer the ultimate in-depth answer (which I’ll be eager to read too.)
Codex article on Data Validation is a good starter. I believe esc_html() is the most used method for output.
There also seems to be a newcomer to WP escaping family in WordPress 3.1 – esc_textarea().
WordPress is trying to make your life easier as always – so be sure to check for existing context-specific functions like sanitize_title() or sanitize_user().
I recommend you do some source-diving and go thru functions in wp-includes/formatting.php to learn more about various methods and how they are constructed.
There has been a similar discussion on wp-hackers recently – definitely worth reading:
WP-HACKERS: Saving input from untrusted users. I will dare to quote Andrew Nacin’s input on this one:
Generalizing here: sanitization should
be done on save, and escaping on
display.So you’ll want to run kses,
absint, esc_url_raw, sanitize_text_field, what have you, on save. Then, use esc_url,
esc_html along with texturization or whatever else you need, what have you, on output.
There may be use cases for running
kses on display. We do it in some
instances. But as long as the data is
safe going in, it’s going to be safe coming out. (And if it isn’t, then
you have a larger problem.)
Still want more? 😉
The Code Cave: WordPress Security – a plugin done right
Smashing Magazine: Keeping Web Users Safe By Sanitizing Input Data
Have a nice and secure day.