ColdFusion versions MX7 and higher support a feature called ScriptProtect which helps prevent XSS (cross site scripting) attacks. This feature is helpful as it strips certain HTML entities from user input, but it can also affect your Web app's functionality. A common example of this is "<embed>" tags being removed when a user tries to post a YouTube video to their blog.

This feature is enabled on our servers, but its value can be modified in your "Application.cfc" or "Application.cfm" file. Placing the following code in the "<cfapplication>" section of this file will turn ScriptProtect off:
scriptProtect = "none"
With this feature off, you should take steps more steps to keep your site secure. These forum posts have some good tips for securing your site:

References: Adobe CF 9 LiveDocs - cfapplication