You should use html_escape() or xss_clean() when you print strings that are not XSS safe. Personally I use html_escape() as I don't want anything to have the slightest chance on slipping thru.
PHP Code:
<?php echo html_escape($this>session->flashdata('error')); ?>
It's deprecated from input validation, as you should filter your data. Do you only want numbers? Check that it's not a letter etc.