Nope. Not that I am aware of.
Which version of CF?
There are a number of settings in the CF Administrator that prevent XSS out of the box. Enable Global Script Protection under Server Settings > Settings is a good starting point.
using version 11.
Used it, but doesn't work for user input in a Form.
Thought of replacing CFSET with a Custom tag to provide some degree of protection. But variable name in custom tag does not support complex name using (.) operator. eg <cf_myset url.value="123">
You mention forms but are using the url scope. Is this as an example? Why are you using url scope with form posts?