htmlbuffer.js

This plugin provides an object like a Java StringBuilder for concatenating HTML, and it also escapes untrusted values to avoid XSS bugs.

Any constant HTML string should be added to the buffer with the html() method, similar to jQuery's html() method.

Any untrusted value from a JavaScript object should be added with the text() method, similar to jQuery's text() method.

Be careful: writing html(obj.value) is still possible, and it introduces XSS risks, just as it does with jQuery.


var html = new $.htmlBuffer();
html.html('<div>blah</div>')      // constant markup: appended as-is
    .text(data.someObject)        // untrusted value: escaped before appending
    .html('<div>blah</div>')
    .toString();                  // the concatenated HTML string

This class only escapes the following characters: & < > " '. This means the page should be UTF-8 to be able to represent a full character set. For example, the € sign could be escaped as &euro;, but it is not. If you want support for non-UTF-8 JavaScript and HTML pages, you need to put a lot more replacements into the toHtml() method.
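The html()/text()/toString() contract and the five-character escape set described above, as an added stand-alone example. This is not the plugin's own source: the class name HtmlBuffer, the escapeHtml helper, the exact entity spellings and the sample input are all assumptions made here.

```javascript
// Added example, not the plugin's code. A minimal buffer with the same shape
// as the README's $.htmlBuffer (html / text / toString), written to show
// the difference between appending constant markup and appending untrusted text.

// Escapes exactly the five characters the README names: & < > " '
// (entity spellings are an assumption; the README does not list them).
// Anything else, e.g. the € sign, passes through unchanged, which is why
// the page must be served as UTF-8.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

class HtmlBuffer {
  constructor() { this.parts = []; }
  // Constant markup written by the developer: appended verbatim.
  html(trustedMarkup) { this.parts.push(String(trustedMarkup)); return this; }
  // Untrusted data (request parameters, JSON fields, ...): escaped first.
  text(untrusted) { this.parts.push(escapeHtml(untrusted)); return this; }
  toString() { return this.parts.join(''); }
}

// Constructed sample of an untrusted value that contains all five characters.
const UNTRUSTED_SAMPLE = 'Tom & Jerry <b title="x">\'hi\'</b>';

// Correct use: the value goes through text(), so it renders as literal characters.
function renderSafely(value) {
  return new HtmlBuffer().html('<div>').text(value).html('</div>').toString();
}

// The mistake the README warns about: html(obj.value) appends the value as markup.
function renderUnsafely(value) {
  return new HtmlBuffer().html('<div>').html(value).html('</div>').toString();
}
```

Compare renderSafely(UNTRUSTED_SAMPLE) with renderUnsafely(UNTRUSTED_SAMPLE): only the first produces a string in which the sample's tags are inert.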

jquery.htmlbuffer.js