There are several ways you can and should protect your site from XSS attacks. The easiest one to implement is keyword stripping: filter out potentially dangerous words from your form inputs. Bear in mind that this is a blocklist, and a blocklist is only as good as its list; mixed case, nested tags and alternative encodings routinely get past simple keyword filters, so treat stripping as a supplementary layer rather than your only defence. The list should probably include (but is by no means limited to):
If a script does somehow manage to find its way into your data, it can be rendered harmless by escaping (encoding) the characters at the point where you write them into the page. This converts the characters that a browser may interpret as markup or code (e.g. <, (, ), ;) into a representative sequence that is displayed rather than interpreted (e.g. &lt;, &#40;, &#41;, &#59;). For this to be effective, you need to escape for the context the data lands in: HTML, JavaScript and CSS each have their own rules, and HTML-encoding a value that ends up inside a JavaScript string does not protect it. Once again, there are libraries available to do so, the most popular being OWASP ESAPI, which has implementations for a variety of languages.
New ways to inject scripts, and more sophisticated payloads that evade filters, are always being created. The maintainers of the libraries mentioned above update them regularly, but you must still keep your dependencies current and stay aware of new threats.