diff --git a/docs/security/outputs.md b/docs/security/outputs.md
index ecc6858f11ae2f56f5eccd5fe0e41a55e2320ca3..0bfa7f0e8159bb1fe656d381709f253039b37a53 100644
--- a/docs/security/outputs.md
+++ b/docs/security/outputs.md
@@ -44,9 +44,21 @@ When placing data within attributes, always use Smarty's [escape](https://www.sm
 !!! note
     HTML output encoding *is always* necessary for attribute data (but *not* always necessary for data between tags) because of the intentionally incomplete [input encoding](/security/inputs.md#input-encoding) that CiviCRM performs. 
     
-## Javascript {:#in-javascript}
+### Javascript in Smarty {:#javascript-smarty}
 
-TODO
+If you have a PHP variable that you'd like to use in Javascript, you can assign it to a Javascript variable in a Smarty template as follows
+
+```html
+<div>...</div>
+{literal}
+<script type="text/javascript">
+  var data = {/literal}{$data|@json_encode}{literal};
+</script>
+{/literal}
+<div>...</div>
+```
+
+Notice the use of the `@json_encode` variable modifier. This provides output encoding for JSON which is important to prevent XSS. 
 
 ## AngularJS templates {:#angularjs}