As I said, generate a key before outputting the form and store it in the session. Also put it in the form in a hidden field. This will at least stop many automated bots from submitting the form (though some are smart and will scrape your form for this key every time they visit).
To be honest, I wouldn't class this as XSS vulnerable. While it can indeed be the recipient of XSS targeting, your script isn't really 'attackable' in the sense that it can allow someone to hack the server etc. Well, not that I know of anyway.
My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!
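The session-key scheme described in the post above, as an added Python example (not the poster's code): a plain dict stands in for the session store, and the hidden-field and session slot names are assumed.

```python
import secrets
import hmac
import html

FORM_KEY_FIELD = "form_key"  # assumed name of the hidden input
SESSION_SLOT = "form_key"    # assumed key in the server-side session


def issue_form_key(session: dict) -> str:
    """Generate a fresh random key, remember it in the session, and return it."""
    key = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not guessable
    session[SESSION_SLOT] = key
    return key


def render_form(session: dict, action: str = "/submit") -> str:
    """Output the form with the key in a hidden field; the key is generated first."""
    key = issue_form_key(session)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">\n'
        f'  <input type="hidden" name="{FORM_KEY_FIELD}" value="{html.escape(key, quote=True)}">\n'
        '  <input type="text" name="message">\n'
        '  <button type="submit">Send</button>\n'
        '</form>'
    )


def check_form_key(session: dict, post: dict) -> bool:
    """Accept a submission only if the hidden field matches the session's key.

    The stored key is consumed on every attempt, so a blind POST without a
    freshly rendered form, a replayed key, or a guessed key is rejected.
    """
    expected = session.pop(SESSION_SLOT, None)
    submitted = post.get(FORM_KEY_FIELD)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

As the post notes, this only blocks bots that POST blindly; one that fetches the form first and scrapes the hidden field will still pass the check.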