Shell script was not designed with the safe handling of untrusted input in mind, and because shell interpreters are generally used in situations where a user is already at least partly trusted to run processes on the box, they do not heavily prioritize security or security audits.
When you give a user a system shell account on your server, even if you don't give them root privileges, you are trusting them to some extent not to abuse the system or damage it. Using the same tools to execute code from someone on the internet whom you don't trust is a recipe for disaster!
Highly publicized vulnerabilities, such as 2014's "Shellshock," resulted largely from abuse of the Bash shell as part of generating responses to requests from the internet. Bash is a system-command interpreter, and was never designed to be used in this way – it was created years before the World Wide Web even existed. It takes significant effort and expertise to make a shell script safe to run with data from the web; the language simply offers too many ways to allow arbitrary code execution.
Therefore, at least until you are a shell script expert and familiar with all of these dark corners, don't attempt to sanitize untrusted data from the internet with Bash. Your author has studied shell scripting for many years, and still wouldn't do it. Use a web-based programming language instead, where security – while never perfect – is both important and emphasized, and frequently reviewed. PHP and Python are both good starting points.
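
The recommendation above, sketched in Python as an added example (not code from the original text): the untrusted value is checked against an allow-list and handed to a child process as a single argv element, so no shell ever parses it. The pattern `NAME_RE`, the function names and the sample inputs are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Assumed allow-list for a hypothetical "name" parameter: starts with an
# alphanumeric (so it can never look like an option), at most 64 characters.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Stand-in for a real system tool: a child process that echoes argv[1] back.
CHILD = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def is_valid_name(value: str) -> bool:
    """Accept a value only if the whole string matches the allow-list."""
    return NAME_RE.fullmatch(value) is not None


def child_sees(value: str) -> str:
    """Run the child with value as one argv element; no shell is involved."""
    result = subprocess.run(
        CHILD + [value], capture_output=True, text=True, check=True, timeout=30
    )
    return result.stdout


def handle_request(value: str) -> str:
    """Validate first, then pass the value on as data."""
    if not is_valid_name(value):
        raise ValueError("rejected: value does not match the allow-list")
    return child_sees(value)


if __name__ == "__main__":
    # Constructed sample inputs: one plain name, two with shell syntax,
    # one that looks like a command-line option.
    samples = ["report-2024.txt", "x; echo INJECTED", "$(echo INJECTED)", "-rf"]
    for sample in samples:
        # Even without validation, the child receives the exact text sent.
        print(repr(sample), "-> child sees", repr(child_sees(sample)))
        try:
            handle_request(sample)
            print("   accepted")
        except ValueError as err:
            print("  ", err)
```

Passing a list to `subprocess.run` keeps the default `shell=False`, so characters such as `;` and `$( )` stay ordinary data; the allow-list is still needed because the receiving tool may give its own meaning to arguments.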