encodeForJavaScript

Encodes the input string for safe output within JavaScript code. The encoding in meant to mitigate Cross Site Scripting (XSS) attacks. This function can provide more protection from XSS than JSStringFormat does.

encodeForJavaScript(string [, canonicalize]) → returns string

Argument Reference

string string
Required

A string to encode.

canonicalize boolean

When true runs the canonicalize function against the input before encoding.

canonicalize boolean
Default: `false`

If set to true, canonicalization happens before encoding. If set to false, the given input string will just be encoded.
When this parameter is not specified, canonicalization will not happen. By default, when canonicalization is performed, both mixed and multiple encodings will be allowed.
To use any other combinations you should canonicalize using canonicalize method and then do encoding.

Links more information about encodeForJavaScript

How to call encodeFor functions in CF8 and CF9 - Fully patched CF8 and CF9 servers include the OWASP ESAPI encoder jar.
OWASP Cross Site Scripting Guide - Learn more about XSS

Examples
Sample code invoking the encodeForJavaScript function

Simple encodeForJavaScript Example

encodeForJavaScript("foo()")

Expected Result: foo\x28\x29

Signup for cfbreak to stay updated on the latest news from the ColdFusion / CFML community. One email, every friday.

Fork me on GitHub