Ticket #325 (new defect)

Opened 6 months ago

Last modified 6 months ago

scriptProtect not working

Reported by: dubious Owned by: scorfield
Type: defect Priority: Normal
Milestone: Fusebox 5.6 Component: Miscellaneous
Version: 5.5 Severity: normal
Keywords: scriptProtect variable form script embed Cc:

Description

CFM 7
Fusebox 5.5
scriptProtect="all" (in CF server admin as well as Application.cfc)

Problem:

If you refer to a variable as attributes.var, scriptProtect will not work. It only works if you refer to the variable as form.var.

Input
  submitted form input: "<script><embed>"
Output
  form.test returns: "<InvalidTag><InvalidTag>"
  attributes.test returns: "<script><embed>"

Code
index.cfm

<h2>Input</h2>
<form name="test" action="index.cfm" method="post">
    <!--- the prefilled value is the test payload that gets posted back --->
    <input type="text" name="test" value="<script><embed>" /><br />
    <input type="submit" name="submit" value="submit" />
</form>

<cfif isdefined("form.FIELDNAMES")>
    <h2>Results</h2>
    <cfoutput>
        <!--- the same posted field read from two scopes: form.test has been
              rewritten by scriptProtect, attributes.test has not --->
        form.test: <input value="#form.test#" /><br />
        attributes.test: <input value="#attributes.test#" />
    </cfoutput>
</cfif>

Change History

Changed 6 months ago by dubious

Added this to my application.cfc as a workaround:

<cffunction name="onRequestStart" output="false">
    <cfargument name="targetPage" type="string" required="yes" />
    <cfset var xGo = super.onRequestStart(argumentCollection=arguments) />
    <cfset var i = "" />

    <!--- attributes holds the unprotected copy of the posted fields;
          copy back the ones scriptProtect has rewritten in form scope --->
    <cfif isdefined("attributes.FIELDNAMES")>
        <cfloop list="#attributes.FIELDNAMES#" index="i">
            <cfif find('<InvalidTag>', "#evaluate("form.#i#")#")>
                <cfset "attributes.#i#" = "#evaluate("form.#i#")#" />
            </cfif>
        </cfloop>
    </cfif>
    <cfreturn true />
</cffunction>

Changed 6 months ago by scorfield

  • severity changed from major to normal
  • milestone changed from Fusebox 5.5.1 to Fusebox 5.6

Interesting. It affects URL scope being copied to attributes scope as well so the correct solution is more complex than your workaround. Also note that you do not need evaluate() to solve this: form[i] will retrieve an item from form scope for you. It'll take me a while to figure out the right thing to do here but I'll probably raise the issue with the CF team since it's not the behavior I would expect.
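The approach scorfield outlines, re-syncing attributes from both the form and url scopes with bracket notation instead of evaluate(), written out as an added example. It is not part of the ticket and not the fix that went into Fusebox. It assumes an Application.cfc that extends Fusebox 5's base component (assumed here to be fusebox5.Application), and that super.onRequestStart() has already populated attributes from url and then form, so a form value wins for a name present in both (an assumption about Fusebox's copy order). The helper name copyProtectedValues is made up for the example.

```cfml
<!--- Application.cfc: added example, not from the ticket or the Fusebox project.
      Assumes fusebox5.Application is the Fusebox 5 base component (assumption). --->
<cfcomponent extends="fusebox5.Application" output="false">

    <cffunction name="onRequestStart" output="false" returntype="boolean">
        <cfargument name="targetPage" type="string" required="yes" />
        <cfset var result = super.onRequestStart(argumentCollection=arguments) />

        <!--- super.onRequestStart() copied url and form into attributes before
              scriptProtect rewrote them, so re-copy only the values it rewrote.
              url first, then form, so a form value wins for a name present in both
              (assumed to match Fusebox's own copy order). --->
        <cfset copyProtectedValues(url, attributes) />
        <cfset copyProtectedValues(form, attributes) />

        <cfreturn result />
    </cffunction>

    <!--- hypothetical helper: copy values scriptProtect rewrote in source into target
          (structs are passed by reference, so target is updated in place) --->
    <cffunction name="copyProtectedValues" access="private" output="false" returntype="numeric"
                hint="Returns how many values were copied.">
        <cfargument name="source" type="struct" required="yes" />
        <cfargument name="target" type="struct" required="yes" />
        <cfset var key = "" />
        <cfset var copied = 0 />

        <!--- source[key] reads the scope directly; no evaluate() needed --->
        <cfloop list="#structKeyList(arguments.source)#" index="key">
            <cfif structKeyExists(arguments.target, key)
                  and isSimpleValue(arguments.source[key])
                  and isSimpleValue(arguments.target[key])
                  and find("<InvalidTag>", arguments.source[key])
                  and arguments.source[key] neq arguments.target[key]>
                <cfset arguments.target[key] = arguments.source[key] />
                <cfset copied = copied + 1 />
            </cfif>
        </cfloop>

        <cfreturn copied />
    </cffunction>

</cfcomponent>
```

Only keys already present in attributes are touched, and only where the sanitized scope value actually differs, so values the application set itself are not clobbered. Whichever scope a value is read from, scriptProtect only rewrites the handful of tag names it knows about; a value written back into HTML, as index.cfm above does with #form.test#, still needs HTMLEditFormat() (available in CF 7) before it is output.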
