Even JavaScript needs to deal with escaping content for the web. The hard, but ideal, approach is to automatically escape data according to the context it is output in. With that in mind, I started reading about Secure Handlebars from Yahoo, which claims:
"Automatic Contextual XSS Escaping made robust, easy, and fast"
They support automatic escaping for HTML, HTML comments, HTML attributes, URI (in HTML attributes), and CSS (in HTML attributes) contexts.
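Why the context matters, as an added example (not from the original post and not Secure Handlebars' own code): the same untrusted string needs a different escaper in HTML data, in a quoted attribute value, and in a URI-bearing attribute. The function names, the scheme allowlist and the `#` fallback are assumptions made for illustration.

```javascript
// Added illustration: one escaper per output context.
// All names here are hypothetical; this is not the Secure Handlebars API.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                   '"': '&quot;', "'": '&#39;', '`': '&#96;' };

// HTML data context, e.g. <p>{{value}}</p>
function escapeHtmlData(value) {
  return String(value).replace(/[&<>]/g, (c) => ENTITIES[c]);
}

// Quoted attribute value context, e.g. <input value="{{value}}">
// Quotes and backticks must also be encoded or the value can end the attribute.
function escapeAttrValue(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => ENTITIES[c]);
}

// URI in an attribute, e.g. <a href="{{value}}">
// Assumed policy: allow relative URLs and a small scheme allowlist,
// replace anything else with "#".
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function escapeUriAttr(value) {
  // URL parsers drop leading control characters/spaces and any tab or
  // newline, so normalise the same way before looking at the scheme.
  const url = String(value)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\n\r]/g, '');
  const scheme = /^[a-z][a-z0-9+.-]*:/i.exec(url);
  if (scheme && !SAFE_SCHEMES.has(scheme[0].toLowerCase())) {
    return '#';
  }
  return escapeAttrValue(url);
}

// Each placeholder gets the escaper that matches where it lands.
function renderLink(untrustedUrl, untrustedLabel) {
  return `<a href="${escapeUriAttr(untrustedUrl)}">` +
         `${escapeHtmlData(untrustedLabel)}</a>`;
}

// Constructed sample input.
console.log(renderLink('javascript:alert(1)', '<b>hi</b>'));
console.log(renderLink('https://example.com/?a=1&b=2', 'Tom & Jerry'));
```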