Tags: coldfusion, xss, coldfusion-10, esapi

ESAPI: for a src attribute, should we use encodeForHTMLAttribute, encodeForURL, or both?


Which one's correct?

<img src="#encodeForHTMLAttribute(FORM.path)#">

or

<img src="#encodeForURL(FORM.path)#">

or

<img src="#encodeForHTMLAttribute(encodeForURL(FORM.path))#">

?


Solution

  • Use the method(s) which match the context of where you are inserting the text that needs encoding.


    encodeForUrl is for placing dynamic text into a URL - so it will replace / with %2F (and so on), and if you apply it to an entire URL, you will have an encoded URL (which is therefore broken for use in a src attribute).

    If you are allowing users to supply a partial URL, you would need to split on / (and any other relevant delimiters), apply encodeForUrl on each part, then join back together again.

    Note: encodeForUrl appears to pass its string straight to Java, which means backslashes are treated as escape characters - \b\n encodes to %08%0A instead of %5Cb%5Cn - this behaviour is not part of standard URL encoding (nor CF strings in general). To avoid this use the function UrlEncodedFormat instead.

    encodeForHTMLAttribute is for placing dynamic text into an HTML attribute - its purpose is to ensure the contents are treated as text (not parsed as HTML) - it doesn't know/care whether its contents are a URL or something else.


    In summary, you probably want encodeForHtmlAttribute( UrlEncodedFormat( Form.Path ) ) for this situation.
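
The split / encode-each-part / join approach described in the answer, written out as an added example (this is not code from the original question or answer). It assumes FORM.path is meant to be a relative path made of "/"-separated segments, and the helper name encodePathForSrc is hypothetical; the sample inputs are constructed for illustration.

```cfml
<cfscript>
// Added example: prepare a user-supplied partial path for an <img src="..."> attribute.
// Assumption: the path is relative and "/" is the only delimiter that must survive.
function encodePathForSrc(required string path) {
    var seg = "";
    var encoded = [];

    // 1. Split on "/" so the delimiters are preserved rather than encoded.
    //    includeEmptyFields=true keeps empty segments (leading "/" or "a//b")
    //    instead of silently dropping them and changing the path.
    var segments = listToArray(arguments.path, "/", true);

    // 2. URL-encode each segment on its own. UrlEncodedFormat is used instead of
    //    encodeForURL because of the backslash handling noted in the answer.
    for (seg in segments) {
        arrayAppend(encoded, urlEncodedFormat(seg));
    }

    // 3. Join the encoded segments back together: now a well-formed relative URL.
    var relativeUrl = arrayToList(encoded, "/");

    // 4. Encode for the surrounding context (an HTML attribute) last.
    return encodeForHTMLAttribute(relativeUrl);
}
</cfscript>

<!--- Constructed sample inputs --->
<cfset normalPath = "images/my pic.png">
<cfset evilPath = 'x" onerror="alert(1)'>
<cfset schemePath = "javascript:alert(1)">

<cfoutput>
    <img src="#encodePathForSrc(normalPath)#">
    <img src="#encodePathForSrc(evilPath)#">
    <img src="#encodePathForSrc(schemePath)#">
</cfoutput>
```

The two layers are applied in the reverse order of how the browser unwraps them: the HTML parser decodes the attribute value first (turning ESAPI's &#x25; back into %), and the URL parser then sees ordinary percent-encoding. In the second sample the quote and space become %22 and %20 before the attribute encoder ever sees them, so the value cannot close the attribute. In the third, the colon becomes %3A, so the result is a relative path named "javascript%3Aalert%281%29", not a scheme-prefixed URL. Encoding is not validation, though: a segment of ".." passes through unchanged, so if the path must stay under a particular directory, check the segments before encoding them.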