The xss_clean() function does not remove all HTML; it removes or replaces certain things that are considered dangerous, for example <script> tags.
http://codeigniter.com/user_guide/libraries/security.html
The XSS filter looks for common methods to run JavaScript or other types of code that try to steal cookies or do other malicious things. If anything disallowed is encountered, it is rendered safe by converting the data into character entities.
Someone inserting a <p> into your page, while perhaps undesired, is not really an effective attack. You will need to specify what you want to do with it. In many cases, you will want the output to be HTML, which has been xss_clean()ed.
It looks like you want either htmlspecialchars() or strip_tags() (note: these are two very different things). If you want to encode HTML, you can also use CI's html_escape():
echo html_escape($this->input->post('question'));
If you want to output HTML, not entities, just use the XSS filter yourself:
// Second argument TRUE runs the XSS filter on the POST value
echo $this->input->post('question', TRUE);
// or, with the security helper loaded, filter any string directly
echo xss_clean($user_input);
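As an added illustration, not part of the original answer, of how htmlspecialchars() and strip_tags() differ on the same untrusted input, here is a plain-PHP example that runs without CodeIgniter. The input string is constructed for the example, and the three wrapper function names are arbitrary; CI's xss_clean() is not reproduced here.

```php
<?php
// Added example, not from the original answer. Constructed untrusted input
// mixing harmless markup with two classic XSS payloads.
$input = '<p>Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '"><img src=x onerror=alert(1)>';

// 1. Encode everything: the browser renders the markup as literal text.
//    ENT_QUOTES also encodes single quotes, which matters when the value
//    lands inside a single-quoted attribute; the charset must match the page.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. Remove all tags: only the text content survives. Note that the text
//    inside <script> ("alert(...)") is kept as plain text, not executed.
function strip_all_tags(string $s): string
{
    return strip_tags($s);
}

// 3. Remove tags except an allow-list. strip_tags() does NOT inspect the
//    attributes of the tags it keeps, so allowing <img> or <a> here would
//    leave onerror= / href="javascript:..." untouched. Only allow tags
//    whose attributes cannot run script, such as <p> and <b>.
function strip_tags_allowing(string $s, string $allowed): string
{
    return strip_tags($s, $allowed);
}

echo "encoded:        ", escape_for_html($input), PHP_EOL;
echo "stripped:       ", strip_all_tags($input), PHP_EOL;
echo "allow <p><b>:   ", strip_tags_allowing($input, '<p><b>'), PHP_EOL;
```

Run it and compare the three lines: the first is safe to print anywhere in a text context because no character can start a tag or attribute; the second has no markup at all; the third keeps the harmless <p> and <b> but is only safe because the allow-list contains no tag that carries event-handler or URL attributes. If the requirement is to accept richer user HTML, strip_tags() is not a sanitizer for that job, which is why the answer distinguishes it from an XSS filter.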