Is there any way to prevent XSS attacks in ColdFusion in an already established project?
I used encodeForHTML(url.NewValue) for an input, but applying this to every input of the forms on all the pages in the project won't be possible.
Is there a way to do this from a single location without affecting the rest of the code in the project?
Nope. Not that I am aware of.
Which version of CF?
There are a number of settings in the CF Administrator that prevent XSS out of the box. Enable Global Script Protection under Server Settings > Settings is a good starting point.
Using version 11.
Used it, but it doesn't work for user input in a form.
Thought of replacing CFSET with a custom tag to provide some degree of protection. But a variable name in a custom tag does not support a complex name using the (.) operator, e.g. <cf_myset url.value="123">
You mention forms but are using the url scope. Is this as an example? Why are you using url scope with form posts?