The general rule, at least as espoused by Mark Jaquith, is sanitize on input, escape on output (the corollary to this rule being sanitize early, escape late).
So: use sanitization filters (such as the wp_kses() family) when storing untrusted data in the database, and use escaping filters (the esc_*() family) when outputting untrusted data in the template.
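The rule applied to one plugin option, as an added example that is not part of the original page or of any WordPress core code: the option name `demo_banner`, its three fields and the settings group are assumed for illustration. The sanitize callback runs on every `update_option()` of that option, and the render function picks its escaper by where each value lands in the markup.

```php
<?php
/*
 * Added example (not from the original page): one WordPress option holding
 * three untrusted fields, sanitized once when stored and escaped every time
 * it is printed. Option name, field names and option group are assumed.
 */

// Sanitize on input: registered below as the option's sanitize_callback, so
// it runs whenever update_option( 'demo_banner', ... ) is called.
function demo_banner_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Plain text field: strip tags, invalid octets and line breaks.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // Limited HTML: keep only the tags and attributes allowed in post content
    // (wp_kses_post() is one member of the wp_kses() family).
    $clean['body'] = wp_kses_post( $input['body'] ?? '' );

    // URL for storage: esc_url_raw() rejects javascript: and other unlisted
    // protocols but does not HTML-encode, which is the right form for the DB.
    $clean['link'] = esc_url_raw( $input['link'] ?? '' );

    return $clean;
}

function demo_banner_register() {
    register_setting( 'demo_banner_group', 'demo_banner', array(
        'type'              => 'array',
        'sanitize_callback' => 'demo_banner_sanitize',
        'default'           => array( 'title' => '', 'body' => '', 'link' => '' ),
    ) );
}
add_action( 'admin_init', 'demo_banner_register' );

// Escape on output: the escaper is chosen by the output context, not by what
// we believe was stored.
function demo_banner_render() {
    $opt = get_option( 'demo_banner', array() );

    // Text node inside an element: esc_html().
    echo '<h2>' . esc_html( $opt['title'] ?? '' ) . '</h2>';

    // href attribute: esc_url(); any other attribute value: esc_attr().
    echo '<a href="' . esc_url( $opt['link'] ?? '' ) . '" title="' . esc_attr( $opt['title'] ?? '' ) . '">';

    // HTML that is meant to render: filter again with wp_kses_post() at output
    // time rather than echoing raw, so a value changed in the database by
    // another plugin or by someone with DB access is still filtered.
    echo wp_kses_post( $opt['body'] ?? '' );
    echo '</a>';
}

// Expose the rendered banner as a [demo_banner] shortcode.
add_shortcode( 'demo_banner', function () {
    ob_start();
    demo_banner_render();
    return ob_get_clean();
} );
```

The point of the second half is that sanitizing on input does not make output safe on its own: the title is escaped with `esc_html()` in a text node and `esc_attr()` in an attribute even though `sanitize_text_field()` already ran, and the HTML field is passed through `wp_kses_post()` again before printing. Escaping late, with the function matching the output context, is what stands between the database and the browser.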