The company who hosts our site reviews our code before deploying - they've recently told us this:
HTML strings should never be directly manipulated,
This should be just as secure, without compromising too much on readability:
var link = $('<a>Click to play</a>'); // constant markup only; the anchor tag was lost in extraction and is restored here
link.data("src", this.au);            // the dynamic value is attached as data, never concatenated into the HTML string
The point is to avoid doing string operations to build HTML strings. Note that in above, I used $()
only to parse a constant string, which parses to a well known result. In this example, only the this.au
part is dangerous because it may contain dynamically calculated values.
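To make the answer's point concrete, here is an added example (not code from the question or the answer above) that puts the string-concatenation pattern the reviewer objected to beside the element-construction pattern the answer recommends, written with plain DOM calls so it does not need jQuery. The function names, the fake document and the sample values are constructed for this example.

```javascript
// Unsafe: the dynamic value becomes part of the HTML text, so a quote or
// angle bracket inside it changes the markup structure itself.
function buildPlayLinkUnsafe(src) {
  return '<a href="#" data-src="' + src + '">Click to play</a>';
}

// Safe: only a constant is ever parsed as markup; the dynamic value is set
// through an element property and is never interpreted as HTML.
// jQuery equivalent: $('<a href="#">Click to play</a>').data('src', src)
function buildPlayLinkSafe(doc, src) {
  const link = doc.createElement('a');
  link.setAttribute('href', '#');
  link.textContent = 'Click to play';
  link.dataset.src = src;
  return link;
}

// Minimal stand-in for a browser document so the example runs under Node.
// In a real page pass the global `document` instead.
function makeFakeDocument() {
  return {
    createElement(tagName) {
      return {
        tagName: tagName.toUpperCase(),
        attributes: {},
        dataset: {},
        textContent: '',
        setAttribute(name, value) { this.attributes[name] = String(value); },
      };
    },
  };
}

// Review check: count the attributes present in a built HTML string. The
// intended link has exactly two (href and data-src); any more means the
// dynamic value broke out of its attribute.
function countAttributes(html) {
  const m = html.match(/\s([a-zA-Z-]+)="[^"]*"/g);
  return m ? m.length : 0;
}

// Constructed sample: a value that is harmless in the safe version but
// adds an attribute in the unsafe one.
const sampleSrc = 'song.mp3" data-x="1';
console.log(countAttributes(buildPlayLinkUnsafe('song.mp3'))); // 2
console.log(countAttributes(buildPlayLinkUnsafe(sampleSrc)));  // 3
console.log(buildPlayLinkSafe(makeFakeDocument(), sampleSrc).dataset.src === sampleSrc); // true
```

The safe version never lets the dynamic value reach the HTML parser: whatever `src` contains stays a plain string in `dataset.src` (or in jQuery's `.data()` store), which is the property a code reviewer is checking for when they say HTML strings must not be manipulated directly.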