Only in query forms?
Both in query and registration (insert) forms?
It's a good approach add a validator against XSS in every single textbox that receives user's input?
What about validators to check against SQL Injection? May I (or should I) use them? Or just let the native protection of DataSet to this work?