Hacker News

Of course you can still do <div> + input + </div> in CSR, but you can definitely not do myelement.textContent = whateverIGot in SSR, right?


You can use a template engine that escapes all variables by default. In either case, it's just about coding defensively and being secure by default.


Then why are parameterized queries safer? And not just escaping variables? Escaping is hard, as shown in the article.


Generating HTML using find and replace/regex safely is hard. Escaping is easy. And the solution is to just not generate HTML using find and replace. You'll run into the exact same problem trying to do a BBCode/Markdown/whatever parser using JavaScript.
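As an added example (not code from the thread or from any article it discusses), here is a minimal escape-by-default SSR template in JavaScript, the kind of "template engine that escapes all variables by default" the comments describe, next to a chained find-and-replace escaper whose replacement order shows why that style is fragile. All names (escapeHtml, SafeHtml, html, renderSafe, escapeWrongOrder) are this example's own:

```javascript
// Added example, not from the thread: a tiny "escape by default" SSR template
// in plain JavaScript. All function and class names here are hypothetical.

// Single-pass escape of the five characters that matter in HTML text and in
// double- or single-quoted attribute values. One regex, one callback: no
// ordering problem, because each character is replaced exactly once.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Wrapper for markup the template itself produced, so nested templates
// compose without being escaped twice. A raw string never gets this type.
class SafeHtml {
  constructor(s) { this.s = s; }
  toString() { return this.s; }
}

// Tagged template: every ${...} interpolation is escaped unless it is
// already SafeHtml (or an array of them). The call site cannot forget.
function html(strings, ...values) {
  const render = (v) =>
    Array.isArray(v) ? v.map(render).join("") :
    v instanceof SafeHtml ? v.s : escapeHtml(v);
  let out = strings[0];
  values.forEach((v, i) => { out += render(v) + strings[i + 1]; });
  return new SafeHtml(out);
}

// The pattern from the thread, "<div>" + input + "</div>", with no escaping.
function renderUnsafe(input) { return "<div>" + input + "</div>"; }

// Same template through the tag; the escaping decision is made once, here.
// (On the client, el.textContent = input gives the same guarantee for free.)
function renderSafe(input) { return html`<div>${input}</div>`.toString(); }

// Nested templates stay intact while each item is still escaped.
function renderList(items) {
  return html`<ul>${items.map((it) => html`<li>${it}</li>`)}</ul>`.toString();
}

// Why chained find-and-replace is fragile: escaping '<' and '>' before '&'
// re-encodes the ampersands just produced, so "<b>" becomes "&amp;lt;b&amp;gt;".
function escapeWrongOrder(value) {
  return String(value).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&/g, "&amp;");
}

// Constructed sample input that exercises all five special characters.
const sample = `<b>Tom & Jerry's "quotes"</b>`;
console.log(renderUnsafe(sample)); // browser would interpret the <b> as markup
console.log(renderSafe(sample));   // browser shows the literal text
```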



