If Exists(Select Top 1 object_id From tempdb.sys.tables Where name = '##InjWatch')
    Delete From ##injWatch
Else
    Create Table ##InjWatch(ctext nvarchar(max), tab varchar(768), col varchar(768));
GO

Set TRANSACTION ISOLATION LEVEL read uncommitted;

Declare CheckHtmlInjectCursor Cursor FAST_FORWARD READ_ONLY For
  Select 'CAST([' + c.name + '] AS NVARCHAR(MAX))' As c_cast,
    c.name As c_name, '' + s.name + '.[' +T.name + ']' As sT_name
  From sys.tables T
  Inner Join sys.columns c
    On  c.object_id = T.object_id
    And c.max_length > 16 And c.system_type_id In (
      Select system_type_id From sys.types Where name In (        -- TODO: check 'user defined' string types
        'varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext')) -- TODO: check binary types and xml => ;(
  Inner Join sys.schemas s
    On s.schema_id = T.schema_id

Declare @c_cast varchar(1024), @c_name varchar(768), @sT_name varchar(768)
Open CheckHtmlInjectCursor
Fetch Next From CheckHtmlInjectCursor Into @c_cast, @c_name, @sT_name

While (@@FETCH_STATUS = 0)
Begin
  Declare @execSQL nvarchar(max)
  Set @execSQL = 'INSERT INTO ##InjWatch(ctext, tab, col) ' +
    'SELECT ' + @c_cast + ' AS ctext, ''' + @sT_name + ''' AS tab, ''' + @c_name + ''' AS col ' +
    'FROM ' + @sT_name +
    ' WHERE (' + @c_cast + ' LIKE ''%<%'' AND ' + @c_cast + ' LIKE ''%>%'') ' +
    ' OR ' + @c_cast + ' LIKE ''%script:%'' OR ' + @c_cast + ' LIKE ''%://%''' +
    ' OR ' + @c_cast + ' LIKE ''%href%'' OR ' + @c_cast + ' LIKE ''%return %''' +
    ' OR ' + @c_cast + ' LIKE ''%mailto:%'''
  Execute sp_executesql @execSQL;
  Fetch Next From CheckHtmlInjectCursor Into @c_cast, @c_name, @sT_name
End
Close CheckHtmlInjectCursor
Deallocate CheckHtmlInjectCursor

Select Distinct * From ##InjWatch
GO