validating the whole app against dangerous characters

Isn't this not covered by the 'h()' method? Which scrubs exploit code
like XSS & SQL injection from your inputs?

And shouldn't this really be done in the view not the model?

Good question, and I don't know the answer to it. I see where you are
coming from all right - you want the _default_ behaviour to remove, or
generate an error on detection of dangerous characters.

However in addition to model-based validation, look into view validation
using the h() method (which purges everything silently). You wouldn't
want to use it everywhere - like for instance in your signup code you
definately want to be messaging to the user that their login name is