No, JavaScript lives in the Unicode world so encoding issues are generally invisible to it. escapeHtml
in the linked question is fine.
The only place I can think of where JavaScript gets to see bytes would be data:
URLs (typically hidden beneath base64). So this:
var markup = '<p>Hello, '+escapeHtml(user_supplied_data);
var url = 'data:text/html;base64,'+btoa(markup);
iframe.src = url;
is in principle a bad thing. Although I don't know of any browsers that will guess UTF-7 in this situation, a charset=...
parameter should be supplied to ensure that the browser uses the appropriate encoding for the data. (btoa
uses ISO-8859-1, for what it's worth.)