Escaping
See the page on HTML-Escaping to learn how to guard against XSS attacks.
Code Injection
warning
Since Squirrelly compiles to pure JavaScript, you should never run untrusted templates on your server, unless you use a good sandboxed environment. Plans are in the works to create safe user-defined templates, but for now, they are unsafe.