The slash is needed to prevent browsers, particularly older ones, to erroneously interpret the forward slash as a closing JavaScript marker.

You don't need to escape / in a JavaScript string, just \, because if you don't, then the string yes\no will inadvertently be transformed into yes<newline>o. Escaping the \ will prevent that.

Also, if you don't escape & in a URL, then whatever comes after it will be considered a new parameter. For example, a=Q&A will mean "the parameter a has the value "Q" and there's also a parameter A" instead of "the parameter a has the value "Q&A"". The correct way of escaping that would be a=Q%26A.

What is the real reason that we must escape a forward slash in a JavaScript string

In an HTML 4 document, the sequence </ inside an element defined as containing CDATA (such as script) is an end tag and will end the element (with an error if it is not </script>.

As far as JS is concerned / and \/ are identical inside a string. As far as HTML is concerned </ starts an end tag but <\/ does not.

, and also why must we escape string/no string in XHTML.

XHTML doesn't provide a method of specifying that an element intrinsically contains CDATA, so you need to explicitly handle characters which would otherwise have special meaning (<, &, etc). Wrapping the contents of the element with CDATA markers is the easiest way to achieve this.