I'm wondering if one should really bother about sanitizing the inputs from the contact us form? Looking at XenForo's actionContact(), it doesn't seem to check if the input contains anything malicious. Since the stuff is directly being passed to the mail handler, is it really worth sanitizing the contact us form?
If yes, what inbuilt functions / methods are employed to ensure inputs are all safe?
By filter and sanitize do you mean remove code, like: <script> blah blah blah</script>? If so, then it doesn't for the contact us form. Which should not be a concern as email clients won't process this in the body anyways.
IMO, it is not worth sanitizing as I want to see what malicious code someone is trying to send, and then why.
@TheBigK The template engine takes care of escaping all HTML. If you escape it first, then it's going to get double-escaped, and you'll have emails that look like <span class="banana">this<span>.
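To make the "escape at output, not at input" point above concrete, here is an added example (not XenForo's code; a Python stand-in for its auto-escaping template engine) that renders a constructed contact-form message once correctly and once after the controller has already escaped it, so the double-escaping artefact can be seen and checked for. The `<p>` wrapper, the function names and the sample message are assumptions made for the illustration.

```python
import html

# Constructed sample of what a contact form might receive (not real user data).
SUBMITTED_MESSAGE = 'Hi, see <span class="banana">this</span> & <script>alert(1)</script>'


def render_html_template(message: str) -> str:
    """Mimic a template engine that escapes every variable exactly once at output.
    This stands in for XenForo's template escaping; it is not its implementation."""
    return "<p>{}</p>".format(html.escape(message, quote=True))


def pre_sanitize_then_render(message: str) -> str:
    """The anti-pattern from the thread: escape in the controller, then let the
    template escape again. The raw submission is also no longer preserved for review."""
    already_escaped = html.escape(message, quote=True)
    return render_html_template(already_escaped)


def displayed_text(rendered_html: str) -> str:
    """What a recipient actually reads: strip the assumed <p> wrapper and apply the
    single HTML decoding step a mail client or browser performs."""
    inner = rendered_html[len("<p>"):-len("</p>")]
    return html.unescape(inner)


def is_double_escaped(rendered_html: str) -> bool:
    """Cheap check for the tell-tale '&amp;lt;'-style sequences that only appear
    when an already-escaped string has been escaped a second time."""
    markers = ("&amp;lt;", "&amp;gt;", "&amp;quot;", "&amp;amp;")
    return any(marker in rendered_html for marker in markers)


if __name__ == "__main__":
    good = render_html_template(SUBMITTED_MESSAGE)
    bad = pre_sanitize_then_render(SUBMITTED_MESSAGE)
    # The raw message is kept intact for inspection; only the rendering is escaped.
    print("stored raw input  :", SUBMITTED_MESSAGE)
    print("escaped once, reads:", displayed_text(good))
    print("escaped twice, reads:", displayed_text(bad))
    print("double escaped?    :", is_double_escaped(good), is_double_escaped(bad))
```

Rendering once keeps the markup inert while the recipient still reads the original text; escaping a second time is what produces the literal `&lt;span class=&quot;banana&quot;&gt;` in the delivered email.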