7

I'd like to allow the user to supply a password as input to some PBKDF, which I will use to construct a key for file encryption (currently using aes-256-ctr. It may change as I learn more).

I am considering using scrypt. Do I need to do any escaping, sanitization, or other checks on the user input I will pass to scrypt?

More generally, do PBKDFs in general require any safety checks on user supplied input to them?

phoenixdown
  • 181
  • 4

2 Answers

19

No, you do not need to do escaping or sanitization on data that you pass in as the user input to these functions. They accept arbitrary byte sequences, so any arbitrary byte sequence you pass is acceptable, and there should be no security risks as a consequence of it. In general, cryptographic algorithms operate on arbitrary byte sequences (possibly of specific sizes) and don't require standard escaping or sanitization for security (although they may require padding, range, or other types of checks) and systems that use the data may require this.

However, if you are accepting passwords that contain non-ASCII characters, you probably want to do some sort of Unicode normalization on the string (probably NFC), since there are often multiple ways to express the same logical character. For example, you could express "é" as a single code point (U+00E9) or as two code points (U+0065 U+0301), and normalization will rewrite these to the same string. Again, there are no security issues with this, but because users will think of these two passwords as the same when they have different byte sequences, performing normalization allows your system to think of them as the same password as well.

bk2204
  • 3,564
  • 7
  • 12
5

This will depend on the specific implementation of the KDF that you're using. I'm not aware of any known issues with scrypt (although that doesn't mean there aren't any), but there have certainly been issues with the PHP implementation of Bcrypt where the presence of null bytes in the input would cause problems.

Gh0stFish
  • 151
  • 2
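As an added example that is not part of either answer, the Python block below puts both points into working code: NFC normalization before scrypt makes the composed and decomposed spellings of "é" derive the same AES-256 key, and scrypt (here Python's hashlib.scrypt) consumes an embedded null byte and whatever follows it as ordinary input bytes, with no escaping or sanitization applied. The salt and the scrypt cost parameters are constructed for the demonstration.

```python
import hashlib
import unicodedata

# Constructed values for this demonstration; a real system uses os.urandom(16)
# for the salt and stores it next to the ciphertext.
SALT = b"constructed-salt"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # about 16 MiB of memory per derivation


def derive_key(password: str, salt: bytes = SALT, normalize: bool = True) -> bytes:
    """Derive a 32-byte AES-256 key from a password with scrypt.

    No escaping or sanitization is done: scrypt accepts arbitrary bytes.
    The only preprocessing is optional Unicode NFC normalization, so that the
    same logical password typed on different platforms yields the same key.
    """
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)


# "é" as one code point (U+00E9) and as "e" plus a combining acute accent (U+0301)
COMPOSED = "caf\u00e9"
DECOMPOSED = "cafe\u0301"


def same_key_after_normalization() -> bool:
    """Without NFC the two spellings give different keys; with NFC they match."""
    raw_differ = derive_key(COMPOSED, normalize=False) != derive_key(DECOMPOSED, normalize=False)
    nfc_match = derive_key(COMPOSED) == derive_key(DECOMPOSED)
    return raw_differ and nfc_match


def bytes_after_nul_are_significant() -> bool:
    """scrypt processes the whole byte string, so input after an embedded NUL
    still changes the key. This is the check to run against any KDF wrapper
    before trusting it with unrestricted user input."""
    return derive_key("pw\x00alpha") != derive_key("pw\x00beta")


if __name__ == "__main__":
    print("NFC unifies the two spellings:", same_key_after_normalization())
    print("bytes after NUL change the key:", bytes_after_nul_are_significant())
```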