I’ve gotten this question many times so I thought I’d write up a quick FAQ. If you are displaying dynamic content on your ColdFusion site and see InvalidTag instead of the HTML you thought you would - it means one of two things. Either your ColdFusion Admin has Enable Global Script Protection turned on or your Application has scriptProtect set to true. This would be set in either the CFAPPLICATION tag or the This scope of your Application.cfc file.
This is a feature that helps prevent cross-site scripting attacks. Personally I don’t use this feature as I always htmlEditFormat user input before displaying it. For more information about this feature, see this page from the LiveDocs:
So - raise your hand if you’ve seen this and had no idea what it was!