Cfqueryparam will escape certain symbols such as apostrophes so you don't have to worry about it.
If you are sending htmlformtatted strings as part of your query string, with or without cfqueryparam, the database will process the string that was sent. That means spaces will be converted to %20, and so on.
I don't understand your question about keywords.
If you store what you collected, and use htmleditformat for displaying the data, the js will not execute. However, if you are using a rich textarea to collect the data, you might have a problem because that data will include html tags.
If you go to cfilb.org you will find a useful function called safetext. It strips the nefarious tags and preserves the benign ones.
Europe, Middle East and Africa