To be clear, I was just looking at it from a general (non-security) perspective there. I'm afraid I can't elaborate much beyond "escape() ... this function fails to handle non-ASCII characters correctly". That should be highlighted just as much as "escape() will not encode: @*/+". I'm just sticking to simple rules like "don't use any function that doesn't handle unicode" when developing insecure webapps.

RE: xkr.us / javascript / escape(), encodeURI(), encodeURIComponent()
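The two behaviours the comment quotes, non-ASCII handling and the unencoded `@*/+`, side by side in a small script. This is an added example, not code from the post or from xkr.us; it assumes the Annex B `escape()` as shipped in Node.js and uses constructed sample strings.

```javascript
// Added example (not part of the original post): compares the legacy escape()
// with encodeURIComponent() on the two cases the comment raises, non-ASCII
// input and the characters @*/+ that escape() leaves untouched.
// Behaviour shown is that of the ECMAScript Annex B escape() in Node.js.

// Percent-encode with both functions and report what each produced.
function compareEncoders(input) {
  return {
    input,
    legacy: escape(input),            // deprecated Annex B function
    modern: encodeURIComponent(input) // UTF-8 percent-encoding per RFC 3986
  };
}

// A consumer expecting RFC 3986 percent-encoded UTF-8 (decodeURIComponent,
// or a typical server-side URL decoder) cannot decode escape() output for
// non-ASCII text. Returns the decoded string, or null when decoding fails.
function tryDecode(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Constructed sample inputs: a Latin-1 letter, a character outside Latin-1,
// and the reserved characters the comment says escape() does not encode.
const SAMPLES = ['é', '€', '@*/+'];

for (const s of SAMPLES) {
  const r = compareEncoders(s);
  console.log(`${JSON.stringify(r.input)}  escape: ${r.legacy}  encodeURIComponent: ${r.modern}`);
  console.log(`  decodeURIComponent(escape(x)) -> ${JSON.stringify(tryDecode(r.legacy))}`);
  console.log(`  decodeURIComponent(encodeURIComponent(x)) -> ${JSON.stringify(tryDecode(r.modern))}`);
}
```

Note that `encodeURIComponent()` also leaves `*` alone, since it is in the unreserved set; only `@`, `/` and `+` from the quoted list get encoded.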