in reply to How to protect backend DB from hacks or accidents
First of all, that you are concerned about security is a good thing. If more people took security seriously, we would likely have to spend less time on patching security issues, and have more time to produce better systems, but I digress there.
Reading your post, does (a) the BizTalk XML system send the output and send it to the script(s), or (b) are they using that (possibly on a different system) and posting the results to your scripts? If the former, then one thing would be to ensure that the data is coming only from that system, not from anywhere else.
It sounds more like the case is the latter, though, in which case my feeling would be to perhaps have it act as a filter to check the data against some form of template to make sure all necessary fields exist, and that the data is of a type appropriate for each field (alphanumerics where expected, no alphabetics in numeric-only fields, or numerics in alphabetic-only fields, etc.) and reasonable.
Hopefully other, more experienced monks can provide you better or more detailed suggestions. In any case, good luck in your search for this knowledge.
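
The template check suggested in the reply above, sketched as an added example that is not part of the original post. The field names, patterns, length limits and sample records are hypothetical and constructed for illustration; Perl is assumed as the scripts' language.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical template: every field the script accepts, whether it is required,
# a pattern for its type, and a maximum length as a reasonableness bound.
# Patterns are anchored with \A and \z so a trailing newline cannot slip through.
my %TEMPLATE = (
    order_id => { required => 1, re => qr/\A[0-9]+\z/,             max => 10 },
    customer => { required => 1, re => qr/\A[A-Za-z][A-Za-z ]*\z/, max => 40 },
    sku      => { required => 1, re => qr/\A[A-Za-z0-9]+\z/,       max => 16 },
    quantity => { required => 1, re => qr/\A[0-9]+\z/,             max => 4, range => [1, 1000] },
    note     => { required => 0, re => qr/\A[A-Za-z0-9 .,]*\z/,    max => 200 },
);

# Returns a list of problems; an empty list means the record passed the filter.
sub validate_record {
    my ($rec) = @_;
    my @errors;
    # Reject anything the template does not know about.
    for my $name (sort keys %$rec) {
        push @errors, "unexpected field '$name'" unless exists $TEMPLATE{$name};
    }
    for my $name (sort keys %TEMPLATE) {
        my $rule  = $TEMPLATE{$name};
        my $value = $rec->{$name};
        if (!defined $value || $value eq '') {
            push @errors, "missing required field '$name'" if $rule->{required};
            next;
        }
        if (ref $value) { push @errors, "field '$name' is not a scalar"; next; }
        if (length($value) > $rule->{max}) { push @errors, "field '$name' too long"; next; }
        if ($value !~ $rule->{re}) { push @errors, "field '$name' has wrong type"; next; }
        if (my $r = $rule->{range}) {
            push @errors, "field '$name' out of range"
                if $value < $r->[0] || $value > $r->[1];
        }
    }
    return @errors;
}

# Constructed sample records (not from the thread): one valid, one with an
# unreasonable quantity, one with letters in a numeric field plus a stray field.
my @samples = (
    { order_id => '10423', customer => 'Acme Widgets', sku => 'AB12', quantity => '5' },
    { order_id => '10424', customer => 'Acme',         sku => 'AB12', quantity => '0' },
    { order_id => '10A25', customer => 'Bob',          sku => 'X1',   extra    => 'y' },
);
for my $rec (@samples) {
    my @errors = validate_record($rec);
    print @errors ? "REJECT: " . join('; ', @errors) . "\n" : "ACCEPT\n";
}
```

Records are rejected as a whole and every failure is listed, so a rejected post can be logged with the full reason before anything reaches the database.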