The xss_clean() function does not remove all HTML, it removes/replaces specific things that are considered dangerous, like <script> tags.
Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You'll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.
It sounds like you want either htmlspecialchars() or strip_tags() (note: these two very different things). If you want to encode the HTML, you can also use CI's html_escape():
If you want HTML output and not entities, just use the XSS filter by itself:
echo $this->input->post('question', TRUE);
echo xss_clean($user_input); (edited)