HTML Escape on form helper

(This post was last modified: 12-01-2018, 09:33 AM by jreklund.)

It means that you don't need to do:
PHP Code:
echo form_input(array(
    'name'  => 'company_name',
    'value' => set_value('company_name', html_escape($company->name)),
    'class' => 'form-control'
));

And do it like this:
PHP Code:
echo form_input(array(
    'name'  => 'company_name',
    'value' => set_value('company_name', $company->name),
    'class' => 'form-control'
));

$this->input->post doesn't escape anything; that should only be done on output. So if you are displaying it directly after submit, you need to escape it. If you are using form_validation and put a field as required and don't write anything in it, but write text in all other fields, form_input() will keep your data intact and escape it for you.

You should not use html_escape on anything you store in your database, but you can validate it with form_validation if you only want numbers. You should however use html_escape when you are displaying it from your database, so you aren't vulnerable to XSS.

Hope this will clear things up for you!
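As an added illustration (not part of the forum post, and not CodeIgniter's own code), the stand-alone PHP below mimics what CodeIgniter 3 does with html_escape() and form_input() to show why escaping the value before handing it to form_input() double-encodes it, while plain output outside a helper still needs html_escape() at display time. It assumes html_escape() wraps htmlspecialchars() with ENT_QUOTES and that form_input() escapes each attribute value once; the stand-in function names and the sample company name are constructed.

```php
<?php
// Stand-in for CodeIgniter's html_escape(): htmlspecialchars with ENT_QUOTES.
// (Assumption: this matches what CI 3 does; names here are our own.)
function ci_html_escape(string $var, bool $double_encode = true): string
{
    return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Minimal stand-in for form_input(): escapes every attribute value exactly once.
function ci_form_input(array $attrs): string
{
    $out = '<input type="text"';
    foreach ($attrs as $key => $val) {
        $out .= ' ' . $key . '="' . ci_html_escape((string) $val) . '"';
    }
    return $out . " />\n";
}

// Constructed sample value containing every character the escaper rewrites.
$companyName = 'Acme & Sons <b>"Ltd"</b>';

// Wrong: the value is escaped twice, so the "&" produced by the first pass
// is encoded again and the browser shows literal "&lt;b&gt;" to the user.
echo ci_form_input([
    'name'  => 'company_name',
    'value' => ci_html_escape($companyName),
]);

// Right: hand form_input() the raw value; it escapes once and the browser
// shows the original text in the field with no double-encoding.
echo ci_form_input([
    'name'  => 'company_name',
    'value' => $companyName,
]);

// Output that does not go through a form helper (for example a table cell
// rendered from the database) is where html_escape() belongs.
echo '<td>' . ci_html_escape($companyName) . "</td>\n";

// Storing the value: nothing is escaped here, because escaping is an output
// concern; validation (e.g. numeric-only) is a separate, storage-time check.
$toStore = $companyName;
```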

