clarkbw / about-history

A firefox add-on with an awesome history view

Remove use of innerHTML #110

Closed erikvold closed 10 years ago

erikvold commented 10 years ago

We were rejected because of this:

"Your add-on creates DOM nodes from HTML strings containing unsanitized data, by assigning to innerHTML or through similar means. Aside from being inefficient, this is a major security risk. For more information, see https://developer.mozilla.org/en/XUL_School/DOM_Building_and_HTML_Insertion

This includes the use of <%= escapes in your underscore templates."

So we need to replace the current template system.

erikvold commented 10 years ago

I have a tiny, non-innerHTML js template library that we could use instead, called html.

clarkbw commented 10 years ago

We can start by using the escaped version, <%- %>; we should have been doing that from the beginning, and underscore actually has some of the best escaping. We could also do some escaping when we retrieve the metadata to prevent gathering it at all. Again I'm worried doing jQuery style DOM creation is going to make it harder for others to contribute.
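The difference between the rejected <%= %> tags and the escaped <%- %> tags that clarkbw proposes, as an added example that is not code from the about-history add-on or from underscore. The template engine here is a simplified stand-in that mirrors underscore's tag conventions but only looks up plain property names (underscore evaluates arbitrary JavaScript inside the tags); the escape set is the one underscore's _.escape covers, and the page title is a constructed sample of fetched metadata carrying markup the add-on never meant to render.

```javascript
// Added example, not from the about-history add-on or from underscore.
// Assumption: `render` is a simplified re-implementation of underscore's
// template tags that looks up plain property names only.

// Same characters underscore's _.escape replaces: & < > " ' `
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Renders `template` against `data`.
//   <%= name %>  inserts the value verbatim (the pattern the reviewer flagged)
//   <%- name %>  inserts it HTML-escaped, so it can only ever become text
function render(template, data) {
  return template.replace(/<%([=-])\s*(\w+)\s*%>/g, (_m, mode, name) => {
    const value = data[name] === undefined ? '' : data[name];
    return mode === '-' ? escapeHtml(value) : String(value);
  });
}

// Constructed sample: a page title as it might come back from fetched
// metadata, with markup embedded in it.
const UNTRUSTED_TITLE = 'Click <a href="https://example.invalid">here</a> & win';

// The rejected form: the title's <a> becomes a real element in the list item.
function renderRaw() {
  return render('<li class="title"><%= title %></li>', { title: UNTRUSTED_TITLE });
}

// The proposed fix: the same title is rendered as inert text.
function renderEscaped() {
  return render('<li class="title"><%- title %></li>', { title: UNTRUSTED_TITLE });
}

// True when the interpolated part of the output still contains a tag,
// i.e. the browser would parse it as an element rather than as text.
function containsMarkup(html) {
  const inner = html.replace(/^<li class="title">/, '').replace(/<\/li>$/, '');
  return /<[a-z]/i.test(inner);
}

console.log(renderRaw());      // the <a> survives and would render as a link
console.log(renderEscaped());  // &lt;a ...&gt; renders as literal text
```

Escaping at render time is the minimal change to the existing templates; building the nodes with document.createElement and setting textContent, as the MDN page cited in the review describes, needs no escaping step at all because the value never passes through the HTML parser.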