Cross-site scripting security holes open when you display a value from a form directly without encoding characters... particularly "<" and ">", which could be used by a cross-site scripting hack to run JavaScript or other code.
Of the two pages you sent... one is corrupt and I can't read it, and the other is the form itself. The cross-site scripting vulnerability would actually be exposed and fixed on the action page of that form. The form itself looks fine; cross-site scripting is about what you do with the results of the form, not problems with the form itself.
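
The point made in the reply above, as an added example that is not part of the original reply and not the code of the pages under discussion: an action page that echoes form values, first as-is and then HTML-encoded at output. It goes slightly beyond "<" and ">" by also encoding quotes, which matters when a value is written into an attribute. Python, the field names `name` and `city`, and the function names are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the URL-encoded POST body the form's action page receives.
SAMPLE_BODY = (
    "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&city=%22+onmouseover%3D%22alert(1)"
)


def read_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(form):
    """'Before': submitted values are written into the page unchanged."""
    return (
        "<p>Hello, " + form.get("name", "") + "</p>\n"
        '<input name="city" value="' + form.get("city", "") + '">'
    )


def render_encoded(form):
    """'After': every value is HTML-encoded at the point where it is output.

    quote=True also encodes " and ', so a value cannot close the
    attribute it is placed in and add attributes of its own.
    """
    name = html.escape(form.get("name", ""), quote=True)
    city = html.escape(form.get("city", ""), quote=True)
    return (
        "<p>Hello, " + name + "</p>\n"
        '<input name="city" value="' + city + '">'
    )


if __name__ == "__main__":
    form = read_form(SAMPLE_BODY)
    print("--- unencoded output ---")
    print(render_unsafe(form))
    print("--- encoded output ---")
    print(render_encoded(form))
```

The form that collects the values is identical in both cases; only the output step on the action page differs.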