Fix tests, let templating handle html escaping

Note: as a Chrome app, we're also protected from xss by the content
security policy.

// FREEBIE

background.html

@@ -65,7 +65,7 @@
       {{> avatar }}
       <div class="bubble">
           <div class='attachments'></div>
-          <p class="content">{{& message }}</p>
+          <p class="content">{{ message }}</p>
           <div class='meta'>
             <span class='timestamp'>{{ timestamp }}</span>
             <span class='checkmark hide'>✓</span>