From the Jinja2 docs:
What to escape? If you have a variable that may include any of the following chars (>, <, &, or ") you have to escape it unless the variable contains well-formed and trusted HTML. Escaping works by piping the variable through the |e filter: {{ user.username|e }}.
Note: Google+ text should be "trusted HTML", as they only allow flat text, and do the URL recognition themselves.
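The behaviour of the |e filter described above, as an added example that is not from the Jinja2 docs or the original post. The sample strings and the `render` and `demo` helpers are constructed for illustration; `Markup` (from MarkupSafe, which Jinja2 depends on) is how a value is marked as trusted HTML, and the `autoescape` option of `Environment` is shown alongside for comparison.

```python
from jinja2 import Environment
from markupsafe import Markup

# Constructed sample value containing all four characters named above: > < & "
UNTRUSTED = 'Tom & "Jerry" <b>bold</b>'
# Constructed value standing in for well-formed HTML the application trusts.
TRUSTED = Markup('<a href="https://example.com/">link</a>')


def render(source, value, autoescape=False):
    """Render a template string with `value` bound to user.username."""
    env = Environment(autoescape=autoescape)
    return env.from_string(source).render(user={"username": value})


def demo():
    """Return the rendered output for each escaping configuration."""
    return {
        # No filter, autoescape off: the markup reaches the page verbatim.
        "raw": render("{{ user.username }}", UNTRUSTED),
        # |e converts the special characters to HTML entities.
        "filtered": render("{{ user.username|e }}", UNTRUSTED),
        # A Markup value is treated as already safe, so |e leaves it alone.
        "trusted": render("{{ user.username|e }}", TRUSTED),
        # With autoescape on, plain strings are escaped without the filter.
        "auto": render("{{ user.username }}", UNTRUSTED, autoescape=True),
        # |e under autoescape does not escape a second time.
        "auto_plus_e": render("{{ user.username|e }}", UNTRUSTED, autoescape=True),
    }


if __name__ == "__main__":
    for name, output in demo().items():
        print(f"{name:12} {output}")
```

Wrapping a value in `Markup` is the point where the trust decision is made, so it belongs only on strings the application built or sanitized itself.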