If your site ever displays text on the page that end users have control over, you should be concerned about XSS attacks. This could come in the form of user comments at the bottom of an article, user-generated content, or user profile information. In many instances, the user should never be entering any HTML and you might simply fully escape that text with HTMLEditFormat() or EncodeForHTML() as you output it.
What’s cool about AntiSamy is you can create different profiles that control what HTML is valid and what isn’t. This gives you complete control over what text you allow to be stored and output on your site. Instead of escaping forbidden tags and attributes, AntiSamy removes them entirely from the string.
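To make the difference between the two approaches concrete, here is an added example (my own illustrative code, not the ColdBox plugin or the AntiSamy library itself) that escapes untrusted text outright, and separately runs it through a small allowlist sanitizer driven by per-site policies in the spirit of AntiSamy's policy files. The two policy dicts and the sample inputs are constructed for this example; the real ebay/tinymce policies are considerably richer.

```python
from html.parser import HTMLParser
from html import escape
import re

# Constructed policies in the spirit of AntiSamy's per-site profiles
# (illustrative only; not the plugin's actual XML policy contents).
# "tags" maps an allowed tag to the attributes allowed on it;
# "drop_content" lists tags whose inner text is discarded too.
COMMENT_POLICY = {
    "tags": {"b": set(), "i": set(), "p": set(), "br": set(),
             "a": {"href", "title"}},
    "drop_content": {"script", "style"},
}
PLAIN_POLICY = {"tags": {}, "drop_content": {"script", "style"}}

VOID_TAGS = {"br", "hr", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.IGNORECASE)


def escape_everything(text):
    """The 'no HTML allowed' option: encode every special character on output."""
    return escape(text, quote=True)


class PolicySanitizer(HTMLParser):
    """Rebuild the input keeping only what the policy allows; forbidden
    tags and attributes are removed, not escaped."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.suppressing = None   # tag whose content is currently being dropped
        self.open_tags = []       # allowed tags emitted so far, for balancing

    def handle_starttag(self, tag, attrs):
        if self.suppressing:
            return
        if tag in self.policy["drop_content"]:
            self.suppressing = tag          # drop the tag and everything inside it
            return
        allowed_attrs = self.policy["tags"].get(tag)
        if allowed_attrs is None:
            return                          # forbidden tag removed; its text survives
        parts = [tag]
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue                    # e.g. onclick= is never allowed
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue                    # e.g. javascript: URLs are dropped
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.suppressing:
            if tag == self.suppressing:
                self.suppressing = None
            return
        if tag in self.open_tags:
            # close anything opened after it so the output stays balanced
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.suppressing:
            self.out.append(escape(data, quote=False))  # text is always re-encoded

    def result(self):
        self.close()
        while self.open_tags:                # close tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html_text, policy):
    parser = PolicySanitizer(policy)
    parser.feed(html_text)
    return parser.result()


if __name__ == "__main__":
    comment = '<b>Nice post</b><script>alert(1)</script><a href="javascript:x" onclick="x()">link</a>'
    print(escape_everything(comment))             # everything encoded, nothing renders
    print(sanitize(comment, COMMENT_POLICY))      # <b>Nice post</b><a>link</a>
    print(sanitize(comment, PLAIN_POLICY))        # Nice postlink
```

Note that the sanitizer still encodes text nodes and attribute values on the way out; the policy only decides which tags and attributes survive. A comment-section policy and a profile-bio policy can then share the same code and differ only in their allowlists, which is the design AntiSamy's profiles give you.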
ColdBox has an AntiSamy plugin to let you tap into this powerful library. In its simplest form, it looks like this:
More info here: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
P.S. The ColdBox AntiSamy plugin ships with several policies such as ebay (default), myspace, slashdot, and tinymce stored as XML files in /coldbox/system/plugins/AntiSamy-lib/. If you want to roll up your sleeves, you can even supply a policy of your own making.
ColdBox Platform Evangelist
Ortus Solutions, Corp