[eluser]onejaguar[/eluser]
I agree, any user input which will be displayed elsewhere on your site should be put through xss_clean or something similar, but content which is validated in another way (e.g. checked with ctype_digit, put through validation's alpha_numeric, valid_email, etc.) does not need to be cleaned; and any data which will not be re-displayed to other users (e.g. passwords) does not need to be cleaned.
Xss_clean is also very blunt in some cases, for instance in this forum typing
"Use this javascript{colon} "
or
"I made a funny facial expression (like I always do)"
gets turned into
"Use this [removed] "
and
"I made a funny facial [removed]like I always do)"
The worst part is, it doesn't show up in the preview, so I don't see that my post is mangled until after it is submitted.
Also, any HTML content will get totally destroyed, so WYSIWYG HTML editors need other forms of validation anyway.
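The mangling described in the post above comes from filtering on input with a pattern list that does not know where the text will end up. As an added example (not CodeIgniter's xss_clean and not code from the poster), the script below puts a deliberately blunt, hypothetical two-pattern input filter next to contextual output escaping and a type check, and runs all three over the two phrases from the post plus one constructed markup payload. `blunt_input_filter`, `escape_for_html` and `validate_quantity` are names chosen here; the filter is a simplified stand-in with only two patterns, so it is not a statement about what the real xss_clean catches.

```php
<?php
// Added example; NOT CodeIgniter's xss_clean. Shows why a blanket input
// filter mangles legitimate text while output escaping does not.

// Hypothetical blunt filter: replaces anything that looks like a
// "javascript:" URL scheme or an IE CSS "expression(" call with
// "[removed]", with no idea of the context the text is rendered in.
// Only two patterns on purpose; a real filter has many more.
function blunt_input_filter(string $s): string
{
    $patterns = [
        '/javascript\s*:/i',   // javascript: URL scheme
        '/expression\s*\(/i',  // CSS expression( ... )
    ];
    return preg_replace($patterns, '[removed]', $s);
}

// Contextual escaping for the one place this text is rendered: an HTML
// text node. Nothing is removed; the browser simply cannot parse the
// result as markup. An attribute or a <script> block would need its own
// encoding, and rich HTML from a WYSIWYG editor needs a whitelist
// sanitizer instead, as the post notes.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Data validated by type needs no XSS pass at all: after ctype_digit
// there is nothing left that a browser could read as markup or script.
function validate_quantity(string $s): ?int
{
    return ctype_digit($s) ? (int) $s : null;
}

// Constructed sample inputs: the two phrases from the post plus one
// real-looking markup payload the two-pattern filter never looks for.
$inputs = [
    'Use this javascript: ',
    'I made a funny facial expression (like I always do)',
    '<img src=x onerror=alert(1)>',
];

foreach ($inputs as $in) {
    printf("input:    %s\nfiltered: %s\nescaped:  %s\n\n",
        $in, blunt_input_filter($in), escape_for_html($in));
}
// filtered lines for the first two inputs come out as
//   "Use this [removed] "
//   "I made a funny facial [removed]like I always do)"
// while the escaped lines keep the text intact. The third input passes
// the blunt filter untouched but is neutralised by escaping:
//   "&lt;img src=x onerror=alert(1)&gt;"

foreach (['42', '4x2', '<b>1</b>'] as $q) {
    var_dump(validate_quantity($q)); // int(42), NULL, NULL
}
```

The takeaway matches the post: decide per field. Type-validated fields (`validate_quantity`) need nothing further, free text should be stored as typed and escaped for the context it is rendered into, and only HTML that must stay HTML needs a sanitizer that understands markup rather than a pattern list.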