CodeIgnitEE
CodeIgniter XSS #Fail ?

Found this:

The only way to be safe from XSS is to correctly escape every text string you interpolate into HTML, e.g. using htmlspecialchars. CI’s xss_clean does a quite amazingly blunt and silly set of string mangling even by the very, very low standards of “XSS Protection” tools; you should not use it under any circumstances.
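Added example, not part of the original post or the quoted text: a minimal PHP view that escapes every interpolated string with htmlspecialchars at output time, in both element-content and quoted-attribute positions. The helper `e()`, the function `render_comment()` and the sample values are hypothetical; the scheme check on the link goes one step beyond the quote, because HTML escaping does not constrain what a URL in `href` does.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape a value for HTML element content or a
// quoted attribute value. ENT_QUOTES encodes both " and ', and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical view function: every string that reaches the markup
// goes through e() at the point of output, never earlier.
function render_comment(string $author, string $homepage, string $body): string
{
    // Escaping makes the attribute value inert as markup, but the URL
    // scheme still matters, so only http(s) links are kept.
    $href = preg_match('#^https?://#i', $homepage) === 1 ? $homepage : '#';

    return '<div class="comment">'
         . '<a href="' . e($href) . '" title="' . e($author) . '">'
         . e($author) . '</a>'
         . '<p>' . e($body) . '</p>'
         . '</div>';
}

// Constructed sample input: markup in the body, a quote character that
// tries to close the attribute, and a non-http link.
$samples = [
    ['Alice', 'https://example.com/?a=1&b=2', 'Plain text with 5 < 7 & "quotes"'],
    ['Bob" onmouseover="alert(1)', 'javascript:alert(1)', '<script>alert(1)</script>'],
];

foreach ($samples as [$author, $homepage, $body]) {
    // The stored data stays untouched; only the rendered output is escaped.
    echo render_comment($author, $homepage, $body), PHP_EOL;
}
```

Escaping at the point of output leaves the stored text unchanged, so the same value can be encoded differently for another context such as JSON or a URL parameter.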