Lessons from Log4j
Posted Dec 21, 2021 11:46 UTC (Tue) by k8to (guest, #15413) In reply to: Lessons from Log4j by smurf
Parent article: Lessons from Log4j
From the perspective of a logging system, the text being logged is not something that should be "operated upon". That should be explicitly avoided.
Sanitization is never anywhere near as safe as simply not processing the data computationally at all.
The only thing you usually want to do to "sanitize" data in a logging system is make some decisions about how to handle really unexpected cases, like requests to log giant things like hundreds of kilobytes of data. Most logging systems simply truncate these after any formatting, or try to be clever and avoid unnecessary format building if the result will be unnecessarily large. But this is really just a subset of the "formatting" task, i.e., placing various data blobs into the logged item. It is by no means needed in any way to take the data blobs and perform any computational tasks beyond "turn into string".
In a sane logging system and language, "turn into string" is not something that can trigger unexpected call paths.
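The design distinction the comment draws, as an added example written for this page (it is not the commenter's code and not Log4j's): the template is the trusted part, the fields are opaque data that are only ever passed through str(), and truncation happens after formatting. The contrasting render_with_lookups function rescans the finished line for `${...}` tokens and calls a resolver, which is exactly the point where data can start driving a call path. The LOOKUPS table, resolve_lookup, and the 256-byte limit are constructed for the example; Python stands in for any language here.

```python
import re

# Constructed stand-in for whatever "lookup" facility a logger might offer
# (system properties, environment, ...). Not Log4j's own lookup machinery.
LOOKUPS = {"app.name": "demo"}
lookup_calls = []  # records every resolver invocation the logger triggered

LOOKUP_PATTERN = re.compile(r"\$\{([^}]*)\}")


def resolve_lookup(key):
    """Hypothetical resolver: any call here is a call path driven by log content."""
    lookup_calls.append(key)
    return LOOKUPS.get(key, "")


def _format(template, fields):
    # The template is written by the developer and is the only thing parsed.
    # str.format() substitutes field values verbatim; it never re-parses them,
    # so a field containing "{x}" or "${x}" stays exactly that.
    return template.format(**{k: str(v) for k, v in fields.items()})


def _truncate(line, max_bytes):
    # Size policy is applied to the finished line, after formatting, as the
    # comment describes. Cutting on a byte boundary may split a multibyte
    # character, so decoding drops any partial sequence at the end.
    encoded = line.encode("utf-8")
    if len(encoded) <= max_bytes:
        return line
    return encoded[:max_bytes].decode("utf-8", "ignore") + "...[truncated]"


def render(template, fields, max_bytes=256):
    """Opaque logger: fields are turned into strings and spliced in; nothing
    inside a field is interpreted."""
    return _truncate(_format(template, fields), max_bytes)


def render_with_lookups(template, fields, max_bytes=256):
    """Contrasting design: once template and data are merged, the whole line
    is scanned for ${...} and each match invokes resolve_lookup(). Data that
    came from a request body can now select which resolver runs."""
    line = _format(template, fields)
    line = LOOKUP_PATTERN.sub(lambda m: resolve_lookup(m.group(1)), line)
    return _truncate(line, max_bytes)


def demo():
    """Runs both designs on the same constructed input and reports what each
    produced and how many resolver calls each triggered."""
    untrusted = "${app.name}"  # constructed: text that arrived from outside
    lookup_calls.clear()
    opaque = render("user={user} action={action}",
                    {"user": untrusted, "action": "login"})
    opaque_calls = list(lookup_calls)
    lookup_calls.clear()
    expanding = render_with_lookups("user={user} action={action}",
                                    {"user": untrusted, "action": "login"})
    expanding_calls = list(lookup_calls)
    return opaque, opaque_calls, expanding, expanding_calls


if __name__ == "__main__":
    for label, value in zip(("opaque", "opaque calls", "expanding", "expanding calls"), demo()):
        print(f"{label}: {value!r}")
```

The opaque path leaves `${app.name}` as literal text and makes zero resolver calls; the expanding path substitutes it and records one. The truncation helper also shows that a size limit is a formatting concern, applied after the line exists, not a reason to inspect field contents.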