Codeigniter xss_clean dilemma

Posted by Henson on Stack Overflow
Published on 2012-06-07T04:35:57Z


I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again...

I've been reading lots and lots of polarizing comments about CI's xss_filter. Basically the majority says that it's bad. Can someone elaborate on how it's bad, or at least give the one most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good, as it doesn't allow malicious strings like document.cookie, document.write, etc.

If the site has a basically non-HTML presentation, is it safe to use the global xss_filter (or, if it's REALLY affecting performance that much, use it on a per-form-post basis) before inserting into the database? I've been reading about the pros and cons of whether to escape on input or output, with the majority saying that we should escape on output only. But then again, why allow strings like <a href="javascript:stealCookie()">Click Me</a> to be saved in the database at all?

The one thing I don't like is that javascript: and such will be converted to [removed]. Can I extend CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]?

The best reasonable wrongdoing example of this I've read is that if a user has a password of javascript:123 it will be cleaned into [removed]123, which means a string like document.write123 will also pass as the user's password. Then again, what are the odds of that happening, and even if it happens, I can't think of any real harm it can do to the site.

Thanks
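The password collision the question describes, as an added example that is not part of the original post or of CodeIgniter's code. The token list is a simplified stand-in for CI's $_never_allowed_str, assumed from the strings named above, and the helper names (lossy_filter, store_password, render) are made up for illustration.

```php
<?php
// Added example, not CodeIgniter's own code. It models the concern from the
// question: a filter that rewrites "never allowed" strings to "[removed]"
// before storage is lossy, so distinct inputs can collide after filtering.
// The token list below is an assumption based on the strings named in the
// question, not CI's real $_never_allowed_str.
const NEVER_ALLOWED = [
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    'javascript:'     => '[removed]',
];

// Lossy input filter in the spirit of xss_clean (simplified model).
function lossy_filter(string $input): string
{
    return str_ireplace(array_keys(NEVER_ALLOWED), array_values(NEVER_ALLOWED), $input);
}

// Hash the raw submission; a password should never be normalised before hashing.
function store_password(string $raw): string
{
    return password_hash($raw, PASSWORD_DEFAULT);
}

// Escape at output time, so stored text is displayed literally, not executed.
function render(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demonstration with constructed values ---
$registered = 'javascript:123';    // the password the user chose
$attempt    = 'document.write123'; // a different string typed at login

// Filter-then-store: both inputs collapse to "[removed]123", so the
// mismatched attempt verifies against the stored hash.
$storedFiltered = store_password(lossy_filter($registered));
var_dump(password_verify(lossy_filter($attempt), $storedFiltered));

// Store raw, hash, compare raw: the two strings stay distinct.
$storedRaw = store_password($registered);
var_dump(password_verify($attempt, $storedRaw));
var_dump(password_verify($registered, $storedRaw));

// Escape on output for the anchor from the question: the markup is kept
// intact in storage and rendered as inert text.
echo render('<a href="javascript:stealCookie()">Click Me</a>'), PHP_EOL;
```

Run with `php example.php`; the first verify succeeds only because the filter erased the difference between the two strings, which is the data-loss argument against cleaning input before storage.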
