Fix issues with xss linters

Improve accuracy of javascript-escape linter: Previously this would
match on FOOescape() and FOO.escape calls, but neither are the global
escape function we are worried about.

The regex probably isn't 100% accurate; there may be still false
positives (javascript allows a large range of characters in identifiers,
some of which may not be covered by [\w.$]). The main thing is to avoid
false negatives here though - this will definitely catch any use of
`escape()` or `window.escape()`.

Also remove javascript-interpolate lint - this was deemed unnecessary.
StringUtils.interpolate is not in fact safe (it does no html escaping),
so the results of this lint are misleading.
This commit is contained in:
Samuel Walladge
2020-02-07 15:58:46 +10:30
parent 9c4b458d2a
commit 71fcf6e725
7 changed files with 21 additions and 53 deletions
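The matching rule the commit message describes, as an added example and not the project's own linter: a small Python stand-in that flags calls to the global `escape` function (bare or via `window.`) while ignoring the `FOOescape()` and `FOO.escape()` shapes the message calls out. The regex, helper names and the sample JavaScript are constructed here from that description.

```python
import re
from typing import List, Tuple

# Constructed regex following the commit message: `escape(` must not be
# preceded by an identifier character or a `.` (so FOOescape() and
# FOO.escape() do not match), but an explicit `window.` prefix is allowed
# because window.escape is the same global function.
ESCAPE_CALL = re.compile(r"(?<![\w.$])(?:window\.)?escape\s*\(")

# Constructed sample source: lines 1 and 2 should be reported, 3 to 5 should not.
SAMPLE_JS = """var a = escape(userInput);
var b = window.escape(userInput);
var c = FOOescape(userInput);
var d = FOO.escape(userInput);
var e = $escape(userInput);
"""


def find_global_escape(js_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line that calls the
    global escape() function, following the boundary rule above."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        if ESCAPE_CALL.search(line):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, text in find_global_escape(SAMPLE_JS):
        print(f"line {lineno}: {text}")
```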

@@ -2,7 +2,6 @@
"rules": {
"javascript-concat-html": 142,
"javascript-escape": 7,
"javascript-interpolate": 23,
"javascript-jquery-append": 68,
"javascript-jquery-html": 146,
"javascript-jquery-insert-into-target": 18,
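Review bot: the `"javascript-escape": 7` baseline entry is left unchanged in this hunk even though the commit message says the javascript-escape matcher was narrowed to drop the FOOescape() and FOO.escape() false positives, so the recorded count may no longer match what the linter now reports. Re-run the linter and regenerate that count in the same change that drops the `"javascript-interpolate": 23` line, or state in the message that the existing count was verified against the new regex.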