CRV2 ContextEncJscriptParams

Untrusted data that is placed inside a JavaScript function or block of code requires validation. Unvalidated data may break out of the data context (for example, a quoted string literal) and end up being executed in the code context in the user's browser.

Examples of exploitation points (sinks) worth reviewing for:

    var currentValue='UNTRUSTED DATA';
    someFunction('UNTRUSTED DATA');

Attack string that closes the string literal in either sink and leaves the remainder in the code context:

    ');/* BAD STUFF */
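The following is an added example, not code from this OWASP page: it builds the first sink above naively and then with JavaScript-string-context encoding (the \xHH / \uHHHH rule for every non-alphanumeric character), and uses a small harness to show that the naive version lets the attack string change the structure of the code while the encoded version returns it unchanged as data. The helper names are assumptions made for this example.

```javascript
// Added example, not code from the OWASP page: the same sink built naively and
// with JavaScript-string-context encoding, plus a harness to check the result.

// Naive template: untrusted data is concatenated straight into the code context.
function naiveScript(untrusted) {
  return "var currentValue='" + untrusted + "';";
}

// Encode every UTF-16 unit outside [A-Za-z0-9] as \xHH (or \uHHHH above 0xFF).
// Quotes, backslashes, '<', '/' and line terminators are all encoded, so the
// data can never close the literal, open a comment or emit "</script>".
function encodeForJavaScript(untrusted) {
  let out = "";
  for (let i = 0; i < untrusted.length; i++) {
    const c = untrusted.charCodeAt(i);
    if ((c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a)) {
      out += untrusted[i];
    } else if (c < 0x100) {
      out += "\\x" + c.toString(16).padStart(2, "0");
    } else {
      out += "\\u" + c.toString(16).padStart(4, "0");
    }
  }
  return out;
}

// Hardened template: same sink, but the data is encoded for its context first.
function safeScript(untrusted) {
  return "var currentValue='" + encodeForJavaScript(untrusted) + "';";
}

// Parse and run a generated snippet in a fresh scope and return what the
// page would see in currentValue. A SyntaxError here means the data changed
// the structure of the code, i.e. it escaped the string literal.
function runSnippet(js) {
  return new Function(js + " return currentValue;")();
}

// Constructed attack string, taken from the page's example sink.
const PAYLOAD = "');/* BAD STUFF */";

function demo() {
  let naiveOutcome;
  try { naiveOutcome = runSnippet(naiveScript(PAYLOAD)); }
  catch (e) { naiveOutcome = e.name; }               // "SyntaxError": breakout
  const safeOutcome = runSnippet(safeScript(PAYLOAD)); // identical to PAYLOAD
  return { naiveOutcome, safeOutcome };
}
```

The same encoder applies to the `someFunction('UNTRUSTED DATA')` sink; for data that is a whole object rather than a string, serialising it with a JSON sanitizer and then encoding the result for the surrounding context is the equivalent step.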

Potential solutions:

OWASP HTML Sanitizer Project
OWASP JSON Sanitizer Project