How to do it?
Hunt for snippets, use the book. Test everywhere! Imagine there's no standard.
Links
http://www.crockford.com/javascript/remedial.html
esc
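// Dispatch to the escaper that matches the output context.
function esc(format, val) {
  switch (format) {
    case 'url':
    case 'uri':
      return esc_uri(val);
    case 'xml':
    case 'html':
      return esc_html(val);
    default:
      return val;
  }
}

// Escapes &, < and > only. Quotes are left alone, so the result is
// meant for element text, not for attribute values.
function esc_html(val) {
  val = val.replace(/&/g, '&amp;'); // must run first
  val = val.replace(/</g, '&lt;');
  val = val.replace(/>/g, '&gt;');
  return val;
}

// typeof guards: a bare reference to a missing global throws ReferenceError.
// encodeURI is tried first and leaves reserved characters unencoded.
function esc_uri(val) {
  if (typeof encodeURI === 'function') { return encodeURI(val); }
  if (typeof encodeURIComponent === 'function') { return encodeURIComponent(val); }
  if (typeof escape === 'function') { return escape(val); }
}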
There is also encodeURI: The encodeURI method returns an encoded URI. If you pass the result to decodeURI, the original string is returned. The encodeURI method does not encode the following characters: ":", "/", ";", and "?". Use encodeURIComponent to encode these characters.
old escape(): encode in page's charset, then %hh
new escape(): %hh, %uhhhh for everything over unicode 256.
encodeURIComponent(): encode in UTF-8, then %hh
For chrome, which is interpreted as UTF-8, the switch from escape() to encodeURIComponent is necessary and correct. For Mozilla-specific web sites that relied on Mozilla's quirky escape() behavior, the answer is not clear. For English-only sites, escape() is better until Netscape 4 finishes dying.
Btw, encodeURIComponent rocks. I used it in the "Blogidate XML Well-formedness" bookmarklet to create the body of "data:text/xml;charset=UTF-8," URLs, allowing the bookmarklet to work with XHTML that contains Japanese text.
Go read about encodeURIComponent here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsmthencodeuricomponent.asp
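The encoder differences listed above (escape(), encodeURI, encodeURIComponent), as an added example that is not part of the original notes: one value is placed in a query string with each encoder and parsed back. buildQuery, parseQuery, roundTrips and the sample value are hypothetical names and data constructed for illustration.

```javascript
// Build "k=v&k=v" using the given encoder for both keys and values.
function buildQuery(params, encode) {
  return Object.keys(params)
    .map(function (k) { return encode(k) + '=' + encode(String(params[k])); })
    .join('&');
}

// Minimal receiver-side parser: split on "&", then on the first "=",
// and decode each part as UTF-8 percent-encoding.
function parseQuery(qs) {
  var out = {};
  qs.split('&').forEach(function (pair) {
    var i = pair.indexOf('=');
    var k = i < 0 ? pair : pair.slice(0, i);
    var v = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  });
  return out;
}

// True only if the value comes back as exactly one parameter, unchanged.
function roundTrips(encode, value) {
  try {
    var parsed = parseQuery(buildQuery({ q: value }, encode));
    return Object.keys(parsed).length === 1 && parsed.q === value;
  } catch (e) {
    // decodeURIComponent throws URIError on escape()'s %uhhhh sequences.
    return false;
  }
}

// Constructed input: URI-reserved characters plus non-Latin text.
var value = 'tea & cake=日本';

// encodeURI leaves "&" and "=" alone, so the value splits into two parameters.
var viaEncodeURI = buildQuery({ q: value }, encodeURI);
// encodeURIComponent encodes them, and emits UTF-8 bytes as %hh.
var viaComponent = buildQuery({ q: value }, encodeURIComponent);
// escape() encodes the reserved characters but emits %uhhhh for 日本.
var viaEscape = buildQuery({ q: value }, escape);

console.log(viaEncodeURI, parseQuery(viaEncodeURI));
console.log(viaComponent, parseQuery(viaComponent));
console.log(viaEscape);
console.log({
  encodeURI: roundTrips(encodeURI, value),
  encodeURIComponent: roundTrips(encodeURIComponent, value),
  escape: roundTrips(escape, value)
});
```

Only encodeURIComponent survives the round trip, which is why it is the one to use for individual parameter values.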