For me, if they were radio or check boxes, I would avoid using commas as values. In text and hidden fields, as in your example, I would uniquely name the fields to avoid worrying about it. Another problem you'll eventually run into is that pre-CF11, by default, passes duplicated named fields differently than CF11+. CF11+ passes the values as an array instead of a list, which actually solves your problem as it's no longer a comma separated list -- it's an array (again, by default).
As Steve Sommers pointed out, CF11 (and most likely later versions) will pass multiple-named inputs (and I'm assuming multi-select) as an array by default (it can be switched to submitting a list in CFAdmin).
So, to be sure that what you want to do is compatible with all versions of CF, first check for the existence of the form element, then check to see if it's an array (if not, it's a list).
If you don't want the HTML entities to be entered into a database or email, then (depending upon what CF version you are running) you can use canonicalize() to correct the input just prior to whatever final processing you have in mind.
We do this all the time... especially when using an advanced configuration form and new fields are added on-the-fly with user-provided content and you can't really prevent commas from being submitted in the fields.
To work around this, use the formFieldAsArray UDF.
Here's the description:
"When you pass several form or URL variables into ColdFusion with the same name, they end up as a comma separated list. This is commonly done with checkboxes - a user can check as many items as they want, then they will end up in your code all in a single variable. This works fine, until your data contains a comma. This function will return the data as an array to get around that problem. Tested on ColdFusion 8 and 9, probably runs on CF 7 also, maybe even 6. UPDATE - rewritten to work in CF10. Code is much more simple now."
NOTE: If using this with checkboxes or radio buttons that may not be checked, be sure to check to see if the parameter exists first as nothing checked will result in no parameter being passed back to the server. (We usually add a blank text field with the same field name right before the first checkbox/radio field to overcome this potential issue.)
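The check described in the thread (does the field exist, is it an array, otherwise treat it as a list), written out as an added example that is not part of any of the posts above and is not the formFieldAsArray UDF. The function name `formFieldValues`, its arguments and the field name `tags` are hypothetical; `canonicalize()` is only called when `decode` is true, so the function still runs on versions that lack it.

```cfml
<cfscript>
// Added example: return the submitted values of a same-named form field
// as an array, whichever way the server delivered them.
function formFieldValues(required struct formScope, required string fieldName, boolean decode = false) {
    // Unchecked checkboxes/radios send nothing, so the key may be absent.
    if (!structKeyExists(arguments.formScope, arguments.fieldName)) {
        return [];
    }

    var raw = arguments.formScope[arguments.fieldName];
    var values = [];
    var i = 0;

    if (isArray(raw)) {
        // Array delivery: each element is one submitted value, commas intact.
        values = raw;
    } else {
        // List delivery: values were already joined with commas, so a comma
        // typed by the user is indistinguishable from a separator here.
        // The third argument keeps empty fields (e.g. a blank placeholder input).
        values = listToArray(raw, ",", true);
    }

    if (arguments.decode) {
        // Optional: decode HTML entities and similar encodings before storage
        // or email, as suggested above.
        for (i = 1; i <= arrayLen(values); i++) {
            values[i] = canonicalize(values[i], false, false);
        }
    }
    return values;
}

// Hypothetical usage with a field named "tags".
selected = formFieldValues(form, "tags");
</cfscript>
```

When the list branch is taken, values containing commas are still split; that case is the one the formFieldAsArray UDF is meant to cover.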