Xss Not Working

i am beginner in adonis
i have enabled xss in config/shield.js
and also followed docs to set up middleware stuff
but in my controller in there is method called updateProfile which will update profile details in database
as per shield will remove script tags from user input but it does not worked in my case
Below is the code snippet and example post data (from postman)

async updateProfile({ request, response, auth }) {
    let userData = await auth.getUser()
    //data validations
    const rules = {
      email: `required|email|unique:tbl_user,_email,_key,${userData._key}`,
      password: 'required|min:6',
      first_name: 'required'
    }
    const validation = await validateAll(request.all(), rules)
    if (validation.fails()) {
      response.json({
        status: false,
        type: 'validation',
        error: validation.messages()
      })
    } else {
      const existingUser = await User.findBy('_key', userData._key);
      const safePassword = await request.input('password')
      existingUser._email = request.input('email')
      existingUser._password = safePassword
      existingUser._first_name = request.input('first_name')
      await existingUser.save();
      let payload = await User.findBy('_key', userData._key);
      response.json({
        status: true,
        msg: 'Profile details updated',
        payload: payload
      })
    }
  }

Post Data

email:vishnu@gmail.com
password:123456
first_name:<script>alert(0);</script>

Hello,

you should use sanitization instead,
https://adonisjs.com/docs/4.1/validator#_sanitizing_user_input
see more docs:
https://indicative-v5.adonisjs.com/docs/escape

xss option as defined in docs is about stoping IE from executing unsolicited scripts in the context of your web page:

Malware protection helps in protecting your website from XSS attacks, unwanted iframe embeds , content-type sniffing and stopping IE from executing unsolicited scripts in the context of your web page.

https://adonisjs.com/docs/4.1/shield#_malware_protection