Platform Encoding in Visualforce

In Visualforce, the platform provides three main encoding functions that developers can use to neutralize potential XSS threats: HTMLENCODE, JSENCODE, and JSINHTMLENCODE. To choose which encoding to use, consider which parser in the browser will process the output.

* If the value is going to be parsed by the JavaScript parser, use JSENCODE().
* If the value is going to be parsed by the HTML parser, use HTMLENCODE().
* If it’s a combination of both …
    * Use JSENCODE(HTMLENCODE())
    * Or JSINHTMLENCODE().
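
The three cases from the list above in one Visualforce page, as an added example that is not from the original post. The `title` query-string parameter and the element ids `plain` and `rich` are assumptions made for the illustration.

```html
<apex:page>
    <!-- Constructed example: "title" is an assumed, untrusted query-string parameter. -->

    <!-- Case 1: HTML parser only.
         escape="false" switches off the automatic HTML encoding of
         apex:outputText, so the merge field is encoded explicitly. -->
    <apex:outputText escape="false"
                     value="{!HTMLENCODE($CurrentPage.parameters.title)}" />

    <span id="plain"></span>
    <div id="rich"></div>

    <script>
        // Case 2: JavaScript parser only.
        // The value lands in a JS string literal and is written with
        // textContent, so the HTML parser never sees it.
        var title = '{!JSENCODE($CurrentPage.parameters.title)}';
        document.getElementById('plain').textContent = title;

        // Case 3: both parsers.
        // The JS parser reads the string literal first, then innerHTML
        // hands the result to the HTML parser. HTMLENCODE is applied first
        // (innermost) and JSENCODE last, so each parser undoes only its own
        // layer and the value is still inert text at the end.
        var markup = '{!JSENCODE(HTMLENCODE($CurrentPage.parameters.title))}';
        document.getElementById('rich').innerHTML = markup;

        // Same case written with the single-function form named in the list.
        var markup2 = '{!JSINHTMLENCODE($CurrentPage.parameters.title)}';
    </script>
</apex:page>
```

Using only JSENCODE in case 3 would keep the string literal intact but leave any markup in the value live once `innerHTML` parses it, which is why the combined encoding is needed there.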

Cheers!!!
