• Strictly speaking yes, it would be at risk from an injection attack, but not in the case of this particular CMS.

    The execsp portion tells the CMS that this is a stored procedure and it doesn't understand multiple commands, so if you try and fudge the chkTopics array to contain ";SELECT * from <table>" it will simply throw an error.  Ditto, executing a second stored procedure.

    The error trapping code in the SSJS is quite extensive and successfully traps injection attempts.  I know, it has been extensively tested.

    The user under which the CMS runs has specific execute rights to specific stored procedures and the live server has the majority of the system stored procedures locked down as per Brian Knight's security document.

    I wish the CMS allowed request.form.field, but it doesn't.

    Strictly speaking I should have written a testing function such as

    function fnNumericArray(aValue){
        var bReturn=true;
        // Join the array into a comma-separated string, then split it back
        // into individual values so each one can be tested.
        var sJoin=String(aValue);
        var aTest=sJoin.split(",");
        for(var x=0;x<aTest.length;x++){
            // Any element that is not numeric fails the whole array.
            if(isNaN(aTest[x])){
                bReturn=false;
                break;
            }
        }
        return bReturn;
    }

    Again, strictly speaking I should have try, throw, catch constructs to test that my value IS an array.
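As an added example (not code from the post above or from the CMS it describes), here is a stricter form of the numeric-array check the reply sketches, written for server-side JavaScript and assuming an engine that provides Array.isArray. It assumes the topic ids arrive either as an array or as a comma-separated string and that every id must be a whole number; the helper names fnRequireNumericArray and fnTopicsParam are hypothetical. It also covers the "IS an array" point: one function throws on bad input so a caller cannot forget to check the result.

```javascript
// Added example, not the original poster's code. Assumes an ES5+ engine
// (Array.isArray). Returns true only when every element consists of digits.
// Unlike isNaN(), this rejects "", " 12 ", "1e3", "0x10" and anything that
// carries a second statement such as "7;SELECT * FROM topics".
function fnNumericArray(aValue) {
    var aTest;
    if (Array.isArray(aValue)) {
        aTest = aValue;                       // a real array of ids
    } else if (typeof aValue === "string") {
        aTest = aValue.split(",");            // "12,7,301" form
    } else {
        return false;                         // null, number, object: not a list
    }
    if (aTest.length === 0) {
        return false;                         // nothing to look up
    }
    for (var x = 0; x < aTest.length; x++) {
        if (!/^\d+$/.test(String(aTest[x]))) {
            return false;                     // one bad element fails the lot
        }
    }
    return true;
}

// Throws instead of returning a flag, so validation cannot be skipped by
// accident. Returns a fresh array of numbers rather than the caller's
// strings, so only validated values reach the stored-procedure call.
function fnRequireNumericArray(aValue) {
    if (!fnNumericArray(aValue)) {
        throw new TypeError("chkTopics must be a non-empty list of integer ids");
    }
    var aIds = Array.isArray(aValue) ? aValue : aValue.split(",");
    return aIds.map(function (v) { return parseInt(String(v), 10); });
}

// Hypothetical helper: builds the parameter string for the execsp call.
// On any validation failure it refuses (returns null) rather than passing
// the raw input through to the database.
function fnTopicsParam(aValue) {
    try {
        return fnRequireNumericArray(aValue).join(",");
    } catch (e) {
        return null;
    }
}

// Constructed sample inputs to show accept/reject behaviour.
var aGoodTopics = ["12", "7", "301"];
var aBadTopics  = ["12", ";SELECT * from topics"];
fnTopicsParam(aGoodTopics);   // "12,7,301"
fnTopicsParam(aBadTopics);    // null
```

The digits-only test is deliberately narrower than isNaN(): isNaN("") and isNaN(" 12 ") are both false, so the simpler check lets empty and padded values through, whereas the regular expression admits only the form a topic id should take.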