Whether you're dealing with a web application or some other application, all user input should always be considered "hostile" and "dangerous", but you should not just universally sanitize user input.