Do you prep data in your controllers or models?

[eluser]sorenchr[/eluser]
XSS cleaning, escaping characters etc. do you do it in the controller and then pass it to the model, or is your controller passive and lets the models handle the job?

I'm thinking in terms of code usability here, which method do you prefer?

[eluser]Buso[/eluser]
XSS during the form validation, escaping in the model (active record auto-escapes everything)