Brad Wood

March 28, 2013

If your site ever displays text on the page that end users have control over, you should be concerned about XSS attacks.  This could come in the form of user comments at the bottom of an article, user-generated content, or user profile information.  In many instances, the user should never be entering any HTML and you might simply fully escape that text with HTMLEditFormat() or EncodeForHTML() as you output it.

Other times you may be dealing with a forum or message board that allows some limited markup like bold or underline, but not script or object tags, etc.  There is a very nice Java library from OWASP called AntiSamy that does just that.  AntiSamy is named after the first wide-scale XSS worm ever developed, called Samy.  This worm used malicious JavaScript embedded in MySpace profiles to infect over 1 million accounts in a single day.

What's cool about AntiSamy is you can create different profiles that control what HTML is valid and what isn't.  This gives you complete control over what text you allow to be stored and output on your site.  Instead of escaping forbidden tags and attributes, AntiSamy removes them entirely from the string.

ColdBox has an AntiSamy plugin to let you tap into this powerful library.  In its simplest form, it looks like this:

#getPlugin("antisamy").clean("<b>Hello <script language='javascript'>alert('haxor!');</script> World</b>")#

Despite the JavaScript block in the middle of the string, the output is "<b>Hello World</b>".  As you can see, the bold tag is benign and is left alone.

More info here: http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm

P.S. The ColdBox AntiSamy plugin ships with several policies such as ebay (default), myspace, slashdot, and tinymce stored as XML files in /coldbox/system/plugins/AntiSamy-lib/.  If you want to roll up your sleeves, you can even supply a policy of your own making.
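Here is a fuller example of how the plugin fits into a handler that accepts user comments, covering both the one-line clean() call above and the named policies mentioned in the P.S.  This is added example code, not code from the original post or from the ColdBox project.  It assumes a ColdBox 3-era handler (getPlugin(), the handler's log object, event.setView()) and it assumes that clean() accepts a second argument naming the policy (written here as policyFile); the policy name "ebay" is taken from the post, everything else about the signature is an assumption.  The idea it demonstrates is to sanitize once, before storage, and to record when the policy actually stripped something, since that is the signal a defender wants to see.

```cfml
// Added example, not from the original post or the ColdBox project.
// Assumes a ColdBox 3.x handler and the AntiSamy plugin described above.
// The two-argument clean(htmlData, policyFile) form is an ASSUMPTION about
// the plugin's API; the "ebay" policy name comes from the post.
component extends="coldbox.system.EventHandler" {

    // Accept a user comment, sanitize it, and only ever keep the cleaned HTML.
    function postComment(event, rc, prc) {
        // Constructed input: the raw comment text from the request collection.
        var rawComment = structKeyExists(rc, "comment") ? rc.comment : "";
        var result     = sanitizeHTML(rawComment, "ebay");

        if (result.stripped) {
            // The policy removed something it forbids. Logging this gives you
            // visibility into who is submitting script/object markup; a burst
            // of these from one address is worth a closer look.
            log.warn("AntiSamy stripped markup from a comment submitted by #cgi.remote_addr#",
                     { original = rawComment, cleaned = result.html });
        }

        // Persist and render only the sanitized version.
        prc.cleanComment = result.html;
        event.setView("comments/show");
    }

    // Run AntiSamy with the named policy and report whether anything was removed.
    // Returns a struct { html, stripped } so the caller can log or reject.
    private struct function sanitizeHTML(required string html, string policyFile = "ebay") {
        var antisamy = getPlugin("antisamy");
        // Assumed signature: clean(htmlData, policyFile). A policy name such as
        // "ebay" selects one of the bundled XML policies; a path to your own
        // policy file could be supplied here instead.
        var cleaned  = antisamy.clean(arguments.html, arguments.policyFile);

        return {
            html     = cleaned,
            // Whitespace-insensitive comparison: AntiSamy re-serializes the
            // markup, so a byte-for-byte check would produce false alarms.
            // This is a heuristic; entity re-encoding can still trip it.
            stripped = (normalizeWS(cleaned) != normalizeWS(arguments.html))
        };
    }

    // Collapse all whitespace so serialization differences do not count as "stripped".
    private string function normalizeWS(required string s) {
        return reReplace(arguments.s, "\s+", "", "all");
    }
}
```

With the input from the post, sanitizeHTML() returns html = "<b>Hello World</b>" and stripped = true, because the script element was removed; a comment containing only bold or underline comes back with stripped = false and is stored untouched.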
