How do I escape an ampersand in a javascript string so that the page will validate strict?

Try putting your javascript inside a CDATA block like this:

<script type="text/javascript">
<![CDATA[
// content of your Javascript goes here
]]>
</script> 

which should make it pass validation. To be extra safe you can add Javascript comments around the CDATA tags to hide them from older browsers who don't understand the CDATA tag:

<script type="text/javascript">
/* <![CDATA[ */
// content of your Javascript goes here
/* ]]> */
</script> 

"\u0026" works!

Note: before one goes blindly wrapping text in CDATA blocks, be aware that CDATA's purpose is NOT for making invalid characters valid.

See: http://www.flightlab.com/~joe/sgml/cdata.html

Sometimes \u0026, &#38, %26, &amp, or <![CDATA[ ... ]]> work for ampersands in script blocks in xhtml.
I would like to ask why we should want that kind of a restriction (blink loyalty to the errors in the design of SGML) which also prevents &nbsp, mathml, target, and nested xml from working.
Why can't we simply say that in a script block no tags or other SGML stuff gets recognized? Why can't xhtml let targets work?
I don't see an advantage to SGML that outweigh the disadvantages. Right now, even though html5 is somewhat available, xhtml is the validator that catches the most developer errors. Let's fix xml without historical regard to its origins.