The application in question allows users to define their own messages (mainly for customization and/or localization purposes) in a plain-text configuration file, which are passed to printf-style functions at runtime. If the user-defined formatting string is faulty, a whole lot of bad things can happen.
What is the best way to sanitize such user-inputted formatting strings? Or should I drop this approach entirely and use another method to let users safely customize the messages?
The solution must be somewhat portable (Windows, Linux, BSD, x86, x86-64).
Define your own formatting language, which your code translates into a valid format string, thereby restricting what trouble the user can get into (for example, not allowing % at all, and defining your own symbol/marker to use to indicate a % should appear in the output).
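One way to implement this answer in C, as an added example that is not the answerer's code: the user writes templates in a small hypothetical mini-language where `{name}` refers to a whitelisted field and a bare `%` is an ordinary character. The translator turns that into a format string built only from literal text, `%%` and `%s`, so the user can never supply a conversion of their own; the `struct field` whitelist, the `{name}` syntax and the four-placeholder limit are all assumptions of this example. It uses only standard C and runs anywhere `snprintf` does.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PLACEHOLDERS 4   /* assumed limit; raise it and add snprintf args to match */

/* Whitelist of names a template may reference (hypothetical fields). */
struct field { const char *name; const char *value; };

/* Translate a user template written in our own mini-language into a format
 * string that is safe to hand to snprintf:
 *   {name} -> %s   only if name is in the whitelist; its value goes into args[]
 *   %      -> %%   a literal percent sign in the output
 *   anything else is copied through unchanged.
 * The user can therefore never introduce a conversion of their own.
 * Returns the number of placeholders used, or -1 if the template is rejected. */
int translate_template(const char *tmpl, const struct field *fields, size_t nfields,
                       char *fmt, size_t fmtsz, const char *args[MAX_PLACEHOLDERS])
{
    size_t o = 0;
    int nargs = 0;
    for (int i = 0; i < MAX_PLACEHOLDERS; i++) args[i] = "";   /* unused slots */

    for (const char *p = tmpl; *p; p++) {
        if (*p == '%') {                         /* escape, never pass through */
            if (o + 2 >= fmtsz) return -1;
            fmt[o++] = '%'; fmt[o++] = '%';
        } else if (*p == '{') {                  /* named placeholder */
            const char *end = strchr(p + 1, '}');
            if (!end) return -1;                 /* unterminated placeholder */
            size_t len = (size_t)(end - p - 1);
            const char *value = NULL;
            for (size_t i = 0; i < nfields; i++)
                if (strlen(fields[i].name) == len && strncmp(fields[i].name, p + 1, len) == 0)
                    value = fields[i].value;
            if (!value || nargs == MAX_PLACEHOLDERS) return -1;  /* unknown name or too many */
            if (o + 2 >= fmtsz) return -1;
            fmt[o++] = '%'; fmt[o++] = 's';
            args[nargs++] = value;
            p = end;                             /* skip past the closing brace */
        } else {
            if (o + 1 >= fmtsz) return -1;
            fmt[o++] = *p;
        }
    }
    fmt[o] = '\0';
    return nargs;
}

/* Render a template: translate it, then call snprintf with exactly
 * MAX_PLACEHOLDERS arguments. Supplying more arguments than the format
 * consumes is well defined in C (the excess is ignored), so the call is
 * safe no matter how many placeholders the template used.
 * Returns snprintf's result, or -1 if the template was rejected. */
int render_message(const char *tmpl, const struct field *fields, size_t nfields,
                   char *out, size_t outsz)
{
    char fmt[256];
    const char *args[MAX_PLACEHOLDERS];
    if (translate_template(tmpl, fields, nfields, fmt, sizeof fmt, args) < 0)
        return -1;
    return snprintf(out, outsz, fmt, args[0], args[1], args[2], args[3]);
}

/* Constructed sample: one template that should render and two that must be
 * rejected. Returns 1 when every case behaves as intended, 0 otherwise. */
int selftest_render(void)
{
    const struct field fields[] = { {"user", "alice"}, {"count", "3"} };
    size_t n = sizeof fields / sizeof fields[0];
    char out[128];

    /* The %n and %s the user typed come out as plain text, not conversions. */
    if (render_message("Hello {user}, 100% of {count} items, %n %s", fields, n, out, sizeof out) < 0)
        return 0;
    if (strcmp(out, "Hello alice, 100% of 3 items, %n %s") != 0) return 0;

    /* A name not in the whitelist is refused rather than guessed at. */
    if (render_message("{password}", fields, n, out, sizeof out) != -1) return 0;
    /* An unterminated placeholder is refused too. */
    if (render_message("{user", fields, n, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void)
{
    const struct field fields[] = { {"user", "alice"}, {"count", "3"} };
    char out[128];
    render_message("Hello {user}, 100% of {count} items.", fields, 2, out, sizeof out);
    puts(out);   /* Hello alice, 100% of 3 items. */
    return selftest_render() ? 0 : 1;
}
```

Rejecting a template outright (unknown name, unterminated brace) rather than silently dropping the bad part is deliberate: a localization file with a typo then fails at load time, where it is easy to diagnose, instead of producing a message that quietly omits a value. If the number of fields grows past four, add one `%s` argument slot per field; the whitelist check keeps the count bounded.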