The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack when the variable contains user-supplied content.
It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.
Out of curiosity I've started looking in the Django docs (I'm more of a Flask person myself), and they seem to confirm what you're saying. More to the point, the `strings` are the main issue. The default autoescape actually encodes ' and " as HTML entities, but doesn't encode a backslash, so leaving a \ at the end of a ' or " string would escape the string ending - this would be exploitable if the attacker controls two strings of the same "type" in a row.
All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do `json.dumps(the_string)` and mark the string as safe so that it doesn't get escaped twice.
Thanks @GICodeWarrior for taking the time to comment on the article. Shamefully, I can already imagine a scenario of how the attack could be carried out.
Fortunately, the vulnerability can be corrected by introducing the `escapejs` template filter. Big thanks to @gynvael.
Encoding for each scenario can be quite complex, unfortunately. Django does have some template filters to help.
I recommend following the documentation carefully, and using a JSON API or other similarly standard mechanism if the documented options are insufficient.
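The backslash gap discussed in this thread, as an added example that is not part of the original comments or the article. `html.escape` stands in for Django's default autoescape (Django itself is not imported), the helper names are hypothetical, and the sample values are constructed; the `\u003C`-style substitutions are the ones Django's `json_script` filter applies.

```python
import html
import json

# Keep a JSON string inert inside a <script> block.
_SCRIPT_SAFE = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}


def html_autoescape(value: str) -> str:
    """Stand-in for the default autoescape: correct for HTML context only."""
    return html.escape(value)  # encodes & < > " ' but leaves backslash alone


def js_string_literal(value: str) -> str:
    """Encode value as a complete, double-quoted JS string literal."""
    return json.dumps(value).translate(_SCRIPT_SAFE)


def breaks_out_of_js_string(encoded: str, quote: str = "'") -> bool:
    """True if `encoded`, placed between `quote` characters in JavaScript,
    ends the literal early, swallows the closing quote, or breaks the line."""
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "\\":
            if i + 1 == len(encoded):
                return True  # trailing backslash escapes the closing quote
            i += 2           # skip the escaped character
            continue
        if ch == quote or ch in "\r\n":
            return True
        i += 1
    return "</script" in encoded.lower()


# Constructed sample values (not taken from the article).
SAMPLES = ["O'Brien", "trailing\\", "line\nbreak", "</script>"]

if __name__ == "__main__":
    for raw in SAMPLES:
        weak = html_autoescape(raw)
        strong = js_string_literal(raw)
        print(f"{raw!r:14} autoescape unsafe={breaks_out_of_js_string(weak)!s:5} "
              f"json unsafe={breaks_out_of_js_string(strong[1:-1], chr(34))}")
```

The JSON form already carries its own quotes, so a template should emit it as the whole literal rather than wrapping it in `'...'` again.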