security of views loaded by ajax

[eluser]pickupman[/eluser]
As long as you are using .load for a url coming from CI, all functionality is still there. You don't need to call get_instance as it already loaded for the controller class. By $_REQUEST, you will bypass any sanitation from the input class. I would suggest much how TinyMCE does, and allow only as set of html elements. You will likely need to write quick helper to do this for you.