You can use PHP's built-in addslashes to escape illegal characters before they get passed to the tinymce box. You will need to do this to the $content var before passing it to the JS script.
Try a combination of decoded HTML and addSlashes like this:
<?php // Code to create $content var here // $content = addSlashes($content); ?> <script> <![CDATA[ addBox('<?php echo $content; ?>'); ]]> </script>
<![CDATA]>, then you'll get errors if angle'd brackets are found, because it'll be interpreted as the start of an HTML tag.
Hope this helps!