When to use the XSS filter?
#6

(09-01-2015, 05:01 AM)PaulD Wrote: [...] However I just can't seem to shift my own mind-set that I do not want untrusted data in my database! I also find that filtering on input only need happen in the few places input is accepted, but the data might be output in lots and lots of places. [...]

PPS On rereading the post from mwhitney above, I definitely forgot about those other forms of output. Thank you for that post. I bet you get fed up explaining that again and again.

It's no problem, and almost every time I post something on the subject I go out and search to try to find better examples or something that might make it easier to explain.

I tend to write models which allow me to change the data source relatively easily without modifying the controller, so I can sometimes be a little paranoid about the assumptions people make about their underlying data. In most of my controllers there's no way of telling whether data came from a database, a file, or a 3rd-party API, and the data source could change tomorrow. Because the security requirements can sometimes be specific to the model, I will generally supply some rudimentary functionality to secure the data for output in common formats (or formats specific to the way that specific model is being used in the system), but I generally leave it up to the controller to apply those methods to the data where appropriate, and take additional precautions on its own.
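An added illustration of the approach described in the post above (the model stores raw data and supplies per-context escaping helpers, the controller decides which one to apply at each output site). This is example code, not code from the post or from CodeIgniter; the class name, method names and the sample record are assumptions.

```php
<?php
// Added example, not CodeIgniter API: a model keeps raw (unescaped) data and
// exposes escaping helpers for common output contexts; the controller picks
// the right helper per output site. All names here are assumptions.

class CommentModel
{
    // Constructed sample record: what an untrusted author might have saved.
    private array $rows = [
        [
            'author' => 'eve" onmouseover="alert(1)',
            'body'   => '<script>alert(1)</script>',
        ],
    ];

    public function all(): array
    {
        return $this->rows; // raw: storage is not the place to escape
    }

    // HTML body and quoted-attribute context.
    public function forHtml(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // Inline <script> context: a JS string literal that cannot close the tag
    // (<, >, &, ' and " are emitted as \uXXXX escapes).
    public function forJs(string $value): string
    {
        return json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
        );
    }

    // URL query-parameter context; wrap in forHtml() when placed in an attribute.
    public function forUrlParam(string $value): string
    {
        return rawurlencode($value);
    }
}

// Controller side: the same field is escaped differently for each context.
$model = new CommentModel();
foreach ($model->all() as $row) {
    echo '<p title="' . $model->forHtml($row['author']) . '">'
       . $model->forHtml($row['body']) . "</p>\n";
    echo '<a href="/search?q=' . $model->forHtml($model->forUrlParam($row['author'])) . '">search</a>' . "\n";
    echo '<script>var author = ' . $model->forJs($row['author']) . ";</script>\n";
}
```

Each output site applies exactly the encoding its context needs, so the stored value never has to be pre-filtered for a context that may not exist yet.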


Messages In This Thread
When to use the XSS filter? - by Burnside - 08-26-2015, 12:20 AM
RE: When to use the XSS filter? - by mwhitney - 08-26-2015, 08:02 AM
RE: When to use the XSS filter? - by Burnside - 08-26-2015, 10:07 AM
RE: When to use the XSS filter? - by Narf - 09-01-2015, 02:11 AM
RE: When to use the XSS filter? - by PaulD - 09-01-2015, 05:01 AM
RE: When to use the XSS filter? - by mwhitney - 09-01-2015, 11:40 AM