Example of an HTTP response from google.com, which sets a cookie with attributes.
Besides the name/value pair, a cookie may also contain an expiration date, a path, a domain name, and a flag indicating whether the cookie is intended only for encrypted connections. RFC 2965 also specifies that cookies must have a mandatory version number, but this is usually omitted. These pieces of data follow the name=newvalue pair and are separated by semicolons. For example, the server can create a cookie by sending the line Set-Cookie: name=newvalue; expires=date; path=/; domain=.example.org.
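The attribute layout described above can be checked by parsing a Set-Cookie value into its parts. This is an added example, not code from the original page; the function names parseSetCookie and summarize and the sample header are constructed for illustration.

```javascript
// Parse a Set-Cookie header value: "name=value; attr=value; flag".
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) throw new Error('empty Set-Cookie value');

  // The first segment is the name=value pair. Split on the FIRST '=' only,
  // because the value itself may contain '=' (for example base64 padding).
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('missing cookie name');

  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    // Null-prototype object so attacker-chosen attribute names such as
    // "__proto__" are stored as plain keys.
    attributes: Object.create(null),
  };

  // Remaining segments are attributes. Names are case-insensitive, and a
  // segment without '=' (such as Secure) is a boolean flag.
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Reduce the parsed attributes to the properties a reviewer usually checks.
function summarize(cookie) {
  const a = cookie.attributes;
  const expires = typeof a.expires === 'string' ? new Date(a.expires) : null;
  return {
    secureOnly: a.secure === true, // restricted to encrypted connections
    hasExpiry: expires !== null && !Number.isNaN(expires.getTime()),
    domain: typeof a.domain === 'string' ? a.domain.replace(/^\./, '') : null,
    path: typeof a.path === 'string' ? a.path : null,
  };
}

// Constructed sample in the shape shown in the text above.
const sampleHeader =
  'name=newvalue; expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/; domain=.example.org';
console.log(parseSetCookie(sampleHeader), summarize(parseSetCookie(sampleHeader)));
```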
Shouldn't your server-side validation catch that before it goes into the database?
Also you probably would be better off using encodeURIComponent and not escape.