What means "attack directly a script"? Is there CSRF protection ?

1. In the form, when generating on the server side, create a hidden: key field and write the value to the session.
2. Through JS on the client side (in the browser), change the key field: you can simply do an arithmetic operation based on the key numbers.
3. When submitting the form, check on the server that the key parameter is calculated correctly:
If incorrect, return a 404 error.

You don't need common methods, captchas and scripts.
You have an order form. What should be in it - you know approximately.
What should not be in it - too (tags, links and other good things that only bots will shove there).
You analyze what came and determine whether the text came to you or a hodgepodge of scripts and links. You process the first as it should be, the second - well, you can write it to the log for every fireman ...
And that's it.
On my website, the feedback form is protected by captcha from Bitrix. For bots, this captcha and the protection of Bitrix itself - "fuck the frost." But a normal user simply will not fill out the form with such crap that bots send. Don't confuse...