March 11, 2010

Cross Site Scripting (XSS) Prevention - Best Practices.


Hi Folks,

Can you please share your thoughts / best practices / recommendations for preventing web sites from XSS attacks and vulnerabilities?

Thanks in advance!

-- Dave


    March 12, 2010

    Another basic strategy that I have seen, and that is easy to implement, uses the Regular Expression-based string replacement functions to expressly remove any "HTML-tag-like" string from the text other than a very short list of permissible candidates.  All string-escapes and meta characters are also removed.

    You can also snarf good ideas from other languages, like Perl.  (Of course... )  The camels have come up with many tools such as HTML::Scrubber and HTML::Defang and String::Clean::XSS, all of which represent ... while not "directly usable code" in a ColdFusion context ... "a source of excellent ideas."

    There are, of course, many examples of shared-code library sources, including ones for ColdFusion of various vintages and flavors.  Even if the code that you examine from such sources may be at-first unfamiliar, ColdFusion actually provides more-or-less the same capabilities, and so ideas can be "cabbaged" easily from one environment to another.  Anyway, it is much wiser to examine what other people (including CF's own implementation team) have done, than to "guess" what might work and how to build it.
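    To make the regex-allowlist approach described in the reply above concrete, here is an added example written for this page in JavaScript. It is not code from the thread, from ColdFusion, or from the Perl modules mentioned; the function names, the default allowlist and the sample payloads are this example's own. It puts the two defences side by side: entity-encoding untrusted text for an HTML body context (the equivalent built-in in ColdFusion of that era is HTMLEditFormat(); later releases added encodeForHTML()), and a tag allowlist filter that removes every tag-like string except a short list of formatting tags. One step the reply does not spell out is shown here because it matters: attributes must be stripped from the tags you keep, otherwise an allowed <b> still carries an onmouseover handler through.

```javascript
// Added example (not from the original thread): two XSS defences for
// untrusted text destined for an HTML body context.
//   encodeForHtmlBody - output encoding; the primary defence.
//   stripTagsExcept   - the regex "allow a short list of tags" sanitizer,
//                       with attribute stripping and encoding of the text
//                       between tags so that nothing else becomes markup.
// Function names, allowlist and sample payloads are this example's own.

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Encode every character that has meaning in HTML text or in a quoted
// attribute value. Use this whenever an untrusted value is shown as text.
function encodeForHtmlBody(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Short allowlist of harmless formatting tags (an assumption for the demo).
const DEFAULT_ALLOWED = ['b', 'i', 'em', 'strong', 'p', 'br'];

// Keep only allowlisted tags, drop all other tag-like strings, and drop
// every attribute even on allowed tags: <b onmouseover="alert(1)"> becomes
// <b>. Text between tags is entity-encoded. A "<" with no closing ">" never
// matches the tag pattern, so it is encoded as text rather than kept raw.
function stripTagsExcept(input, allowed = DEFAULT_ALLOWED) {
  const allow = new Set(allowed.map((t) => t.toLowerCase()));
  // optional "/", a tag name starting with a letter, anything up to ">"
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  const text = String(input);
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    out += encodeForHtmlBody(text.slice(last, m.index)); // text before tag
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (allow.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`;          // attributes gone
    }
    // disallowed tags (script, img, iframe, ...) are removed outright
    last = m.index + m[0].length;
  }
  out += encodeForHtmlBody(text.slice(last));               // trailing text
  return out;
}

// Constructed sample payloads for a stand-alone run.
const SAMPLES = [
  '<script>alert("x")</script>',
  '<b onmouseover="alert(1)">hi</b><img src=x onerror=alert(1)>',
  '1 < 2 <b',
  '<I>x</I><br/>',
];
for (const s of SAMPLES) {
  console.log('input  :', s);
  console.log('encoded:', encodeForHtmlBody(s));
  console.log('filtered:', stripTagsExcept(s));
}
```

    Two caveats when applying this. The filter is only safe because the text between tags is encoded and attributes are dropped; a regex that merely deletes disallowed tags and leaves the rest untouched is much weaker. And both functions target the HTML body context only: a value placed inside a JavaScript string, a URL, or a CSS property needs the encoder for that context, not this one.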

    March 11, 2010

    Jason Dean has blogged quite a bit about XSS and other security best practice info with CF.

    http://www.12robots.com/index.cfm/2008/8/4/Persistent-XSS-Attacks-and-countermeausures-in-ColdFusion

    Do a search on his blog for XSS for more.

    Daverms
    March 15, 2010

    Thanks Joshua and TLC-IT for your inputs.

    @Joshua - Yeah.. Jason Dean's blog has got lots of info on XSS. :-)