Is it possible to filter allowed chars in request body, query params.

For many of our API endpoints, the input is echoed unmodified in the application's response. Using this behavior, someone can send arbitrary Javascript in the request which will be echoed in the response, and the browser try to execute it. 

How do I have Apigee filter for allowed chars in the request body so malicious scripts cannot be passed in the request?