All output that is not passed through one of the core helpers or foreign helpers that are known to take care of it should be passed through the h() method in the views.
echo h($model['Model']['name']);
If you want to do it in the model the Model::afterFind() callback is the right place to modify the data. But I would not recommend to sanitize everything there because there are cases like editing the data or exposing the same data to an API or as JSON that might require no or a different sanitization.
See HtmlPurifier and HtmlPurifier for CakePHP as well. It is a strong filter and sanitation lib.