Escaping in JavaScript contexts

We've explored both HTML and HTML attribute encoding, but user input may appear in other contexts too, such as inside a piece of JavaScript code. Embedding user input in JavaScript is strongly discouraged, but if there is ever cause to do so, we should escape the untrusted input with Unicode escapes.

We can use jsesc to do this; see https://github.com/mathiasbynens/jsesc for details.
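To show what Unicode escaping does to input that tries to break out of a script block, here is an added example (hand-written for this page, not jsesc's code or API). The names escapeForJsString, renderInlineScript and decodeLiteral are hypothetical, the sample inputs are constructed, and the escaping is only safe when the value is placed inside a quoted string literal.

```javascript
// Added example: a hand-rolled escaper, not jsesc's implementation.
// Every UTF-16 code unit outside [A-Za-z0-9] becomes a \uXXXX escape, so
// quotes, backslashes, "<", "/", newlines and U+2028/U+2029 never reach
// the script as literal characters.
function escapeForJsString(untrusted) {
  const s = String(untrusted);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const unit = s.charCodeAt(i);
    const isAlnum =
      (unit >= 0x30 && unit <= 0x39) || // 0-9
      (unit >= 0x41 && unit <= 0x5a) || // A-Z
      (unit >= 0x61 && unit <= 0x7a);   // a-z
    out += isAlnum
      ? s[i]
      : '\\u' + unit.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Hypothetical template helper: the escaped value sits INSIDE a quoted
// string literal. Outside quotes the escapes give no protection.
function renderInlineScript(untrusted) {
  return '<script>var name = "' + escapeForJsString(untrusted) + '";</script>';
}

// Reverses the escaping the way a JS engine would read the literal
// (every \uXXXX sequence is also a valid JSON string escape).
function decodeLiteral(escaped) {
  return JSON.parse('"' + escaped + '"');
}

// Constructed sample inputs: string breakout, script-tag breakout,
// line terminators, and a character outside the BMP (surrogate pair).
const samples = [
  '"; alert(1); //',
  '</script><script>alert(1)</script>',
  'line1\nline2\u2028end',
  'emoji \u{1F600}',
];

for (const s of samples) {
  console.log(renderInlineScript(s));
}
```

The browser sees only letters, digits and `\uXXXX` sequences between the quotes, and the script reads back the original string unchanged.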

OWASP Output encodings
For a full list of encoding formats for various scenarios, see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Output_Encoding_Rules_Summary.