
I don't know if this is exploitable, but they are using many different methods to escape HTML content:

https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...

Then here it's a different function:

https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...

Then sometimes they use the underscore library to do it:

https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...

And their implementation seems to be using regular expressions as well.



It looks like those are 3 separate third-party libraries (Mocha, Mustache, and Backbone), so each doing HTML escaping a bit differently shouldn't be too surprising.


The first one doesn't escape single quotes or slash, but I have no idea how to get any HTML parser to treat just those as anything but text. Underscore's implementation will be correct, I'm sure.


Slash doesn't need to be encoded. Only 5 characters that have special meaning have to be encoded (&, <, >, " and ').


Which raises the best question: how would you exploit someone not escaping single quotes? I do not know. Perhaps it isn't possible.


I think escaping quotes only matters for attributes (which can use ' or "). Example:

    <img src="$url">
Exploit:

    foo.jpg" onload="alert('pwned')

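A quick way to check the point made above, as an added example that is not from the thread or from Signal's code: a helper that escapes only `& < > "` (like the first linked function) versus one that also covers `'`, applied to a constructed attribute value in both quoting styles, with a small check that tells whether the value stays inside its delimiters. The escaper names, the `renderImg` template and the sample inputs are all assumptions made for this example.

```javascript
// Added example (not from the thread or Signal-Desktop): compares two escapers
// on a constructed attribute value to show why the quote style matters.

// Escaper that misses the single quote, like the first helper discussed above.
function escapePartial(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Escaper covering all five characters the thread names as significant.
function escapeFull(s) {
  return escapePartial(s).replace(/'/g, "&#39;");
}

// Hypothetical template: renders an <img> whose src is wrapped in `quote`.
function renderImg(value, quote, escape) {
  return `<img src=${quote}${escape(value)}${quote}>`;
}

// Reads the src value back the way a parser would (up to the next matching
// quote) and reports whether the whole escaped value survived. A shorter
// value means the delimiter was closed early and new attributes could follow.
function valueStaysIntact(value, quote, escape) {
  const html = renderImg(value, quote, escape);
  const start = html.indexOf(quote) + 1;
  const end = html.indexOf(quote, start);
  return html.slice(start, end) === escape(value);
}

// Constructed sample inputs, one per quoting style.
const SINGLE_QUOTED_INPUT = "foo.jpg' x='1";
const DOUBLE_QUOTED_INPUT = 'foo.jpg" x="1';

// Summary of all four combinations, for inspection.
function checkAll() {
  return {
    singleQuotedPartial: valueStaysIntact(SINGLE_QUOTED_INPUT, "'", escapePartial), // false
    singleQuotedFull: valueStaysIntact(SINGLE_QUOTED_INPUT, "'", escapeFull),       // true
    doubleQuotedPartial: valueStaysIntact(DOUBLE_QUOTED_INPUT, '"', escapePartial), // true
    doubleQuotedFull: valueStaysIntact(DOUBLE_QUOTED_INPUT, '"', escapeFull),       // true
  };
}
```

The check only covers quoted attributes; an unquoted attribute is terminated by whitespace and needs a different rule.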

Heh, found the exact bug on a live bbcode parser some 5 years ago.


It was probably written using regexps? One should make full syntax analysis instead of writing regexp hacks.



