$('#div1').text(data.div1);
This is not suceptible to XSS since you're changing the text of the element. This takes care of what you use htmlspecialchars
for.
$('#div2').html(data.div2);
This is, since you're changing the html and not the text, so if you don't know your response someone could put a <script>
tag there and run arbitrary code on your page.
$('#textarea').val(data.textarea);
Is also ok, since it changes the content of a text area.