
XSS when data is passed on to the web application via an API #6270

Open
Sidtheasskicker opened this issue Feb 20, 2024 · 3 comments

Comments

@Sidtheasskicker

So here's the scenario:

  1. I have a web application which runs entirely on CodeIgniter and filters all the inputs properly without any issues when everything is inside the web application.
  2. I have an API configured, and there is a feature to add a user through the API; all users are displayed in the web application along with all their details.
  3. When I send an HTML tag or a proper XSS payload through the name field while registering a user, those things aren't filtered out; the frontend displays them as-is without removing them, and then the payload gets triggered as well.

Just wanted to know if this is an accepted risk by default and I have to fix it myself, or whether I should send proofs of concept to help you out.

@kenjis
Contributor

kenjis commented Feb 20, 2024

It is just a big bug in your application. So you should fix it.
See https://codeigniter.com/user_guide/concepts/security.html#a3-cross-site-scripting-xss

@Sidtheasskicker
Author

Thanks for the reply!

@kenjis
Contributor

kenjis commented Feb 20, 2024

The document is for CI4, but CI3 also has similar functionality.
https://codeigniter.com/userguide3/general/common_functions.html#html_escape
https://codeigniter.com/userguide3/libraries/form_validation.html

But CI3 does not have Content Security Policy feature.
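The bug described in this thread, reduced to plain PHP as an added example (this is not CodeIgniter's code and not code from either participant). It assumes a hypothetical API handler that stores the submitted name verbatim and a view that echoes it; the input-side filtering on the web form never runs for that second path, so the fix is to escape at output. The `html_escape()` stand-in below mirrors what CI3's helper (linked above) does, `htmlspecialchars()` with `ENT_QUOTES`, so the script runs outside the framework; CI4's `esc()` serves the same purpose.

```php
<?php
// Added example (not CodeIgniter's code, not from the thread): the same user
// list rendered by a vulnerable view and by an escaping view.
// Assumptions: api_register_user() stands in for the API endpoint and stores
// the name as received; html_escape() below is a stand-in for CI3's helper,
// used only when the framework's own function is not loaded.

declare(strict_types=1);

if (!function_exists('html_escape')) {
    // Stand-in for CodeIgniter 3's html_escape(): htmlspecialchars with ENT_QUOTES,
    // so the value is safe inside element content and inside quoted attributes.
    function html_escape(string $var, bool $double_encode = true): string
    {
        return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
    }
}

/** Simulated API registration: the name is stored exactly as the client sent it. */
function api_register_user(array &$users, string $name, string $email): void
{
    $users[] = ['name' => $name, 'email' => $email];
}

/** Vulnerable view: stored data is concatenated straight into the HTML. */
function render_users_unsafe(array $users): string
{
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= "  <li>{$u['name']} ({$u['email']})</li>\n";
    }
    return $html . "</ul>\n";
}

/** Hardened view: every value is escaped at the point it enters the HTML context. */
function render_users_safe(array $users): string
{
    $html = "<ul>\n";
    foreach ($users as $u) {
        $html .= '  <li>' . html_escape($u['name'])
               . ' (' . html_escape($u['email']) . ")</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed input: a normal user, then the kind of payload a client can send
// directly to the API, bypassing whatever the web form filters.
$users = [];
api_register_user($users, 'Alice', 'alice@example.com');
api_register_user($users, '<img src=x onerror=alert(document.cookie)>', 'mallory@example.com');

echo "--- unsafe view ---\n", render_users_unsafe($users);
echo "--- escaped view ---\n", render_users_safe($users);
```

In the unsafe output the `<img ... onerror=...>` tag is emitted verbatim and a browser will execute it; in the escaped output the `<` and `>` become `&lt;` and `&gt;`, so the payload is displayed as text. Filtering on input in one code path does not protect a second path (the API here), which is why escaping belongs in the view regardless of how the data arrived; a Content Security Policy, as noted above, is an additional layer rather than a substitute.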
