If you’re using the Active Record class, you generally don’t need to escape anything you send to your database – it’s done automatically:

http://codeigniter.com/user_guide/database/active_record.html

"It also allows for safer queries, since the values are escaped automatically by the system."

Manual escaping seems to be becoming a thing of the past, as most people are using PDO now for database interactions, using paramterized queries with placeholders instead of mashing SQL strings together. CI still uses the mysql_* functions internally though.

CI’s xss_clean() is, in my opinion, more of a failsafe for those of us who don’t know how and when to escape data properly. You normally don’t need it. It’s been the target of criticism both for it’s slow, aggressive approach to sanitizing data, as well as for just "not being good enough".

For escaping HTML output, in most cases htmlspecialchars() is all you need, but you can use the xss_clean() function any time. I don’t suggest using it as a form validation rule because it will corrupt your input, inserting [removed] wherever it found something "naughty" in the original string. Instead, you can just call it manually to clean your output.

Summary:

• Database: CI will (usually) escape the strings you pass to the Active Record class.
  See the user guide for details: http://codeigniter.com/user_guide/database/queries.html

• HTML output: You need to escape HTML output yourself with htmlspecialchars() or use CI’s html_escape() function (as of 2.1.0). This is not done automatically because there’s no way to know the context in which you are using the data.

• xss_clean() – If you know what you’re doing, you shouldn’t need it. Better to use on output than input.