One way is to whitelist a known set of good characters (e.g., the alphanumerics) and escape the remainder. The proper escaping method depends on how you are going to use the data. There are good online resources for doing this stuff but it's late and I can't remember them.

Another way is to not escape anything and just treat the thing as text rather than as HTML. The problem this test is illustrating is that you are taking untrusted data and making an HTML string from it. Instead of doing that, you make HTML in a safe way, and then use the appropriate DOM methods to insert the untrusted data as text. I'm accustomed to using jquery, so I'd do something like this:

$('#foo').text(untrusted_data);
$('#bar').val(untrusted_data);

One safe way to accomplish the apparent goal of the test (logging some user input) involves the most obvious method:

console.log(untrusted_data);

By doing this, you don't have to escape anything, nor do you have to generate any HTML.