Don’t turn off request validation unless you need to. Request Validation in ASP.NET explains what this feature does, how to disable it if you must in Web Forms, MVC, and Web Pages, and how to validate requests manually when it is disabled.
ASP.NET 4 adds a new embedded code block syntax, <%: %>, that automatically HTML-encodes its output.
Use the Microsoft AntiXSS Library, which extends the built-in encoding methods, provides extra output types such as XML, and uses a white-listing approach that defines a list of valid characters (as opposed to the standard .NET Framework encoding’s black-listing approach, which defines a list of invalid characters). If you are using .NET 4.x, a version of AntiXSS is already included in the System.Web.Security.AntiXss namespace. You can have the .NET Framework use the AntiXSS library by default by registering it in web.config, in the encoderType attribute of system.web/httpRuntime. See the remarks in the AntiXssEncoder documentation on how to do this.
Beginning in .NET 5, a white-list-based encoder will be the only encoder.
If you must output certain black-listed HTML elements from the input, good practice is to first encode the whole input and then selectively decode only those elements you wish to output as is.
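The encode-everything-then-selectively-decode pattern, as an added example (not code from the original page): the whole input goes through the white-list AntiXssEncoder, and only an exact allow-list of attribute-free tags is restored. The SafeMarkup class, its allow-list and the sample input are constructed for illustration.

```csharp
using System;
using System.Web.Security.AntiXss; // .NET 4.5+, in System.Web.dll

// Added example, not from the original page: encode the whole untrusted
// input with the white-list AntiXssEncoder, then restore only an exact
// allow-list of harmless, attribute-free tags. Names and inputs are
// constructed for illustration.
public static class SafeMarkup
{
    // Only bare tags with no attributes are restored; a tag carrying an
    // attribute (e.g. an event handler) does not match and stays encoded.
    private static readonly string[] AllowedTags = { "<b>", "</b>", "<i>", "</i>" };

    public static string EncodeAllowingTags(string untrusted)
    {
        if (untrusted == null) return string.Empty;

        // Step 1: encode everything. Every character outside the encoder's
        // safe list becomes an entity, so no raw markup survives this step.
        string encoded = AntiXssEncoder.HtmlEncode(untrusted, false);

        // Step 2: selectively decode. Ask the same encoder how each allowed
        // tag looks once encoded, so the match does not depend on the exact
        // entity chosen for characters such as '/'.
        foreach (string tag in AllowedTags)
        {
            string encodedTag = AntiXssEncoder.HtmlEncode(tag, false);
            encoded = encoded.Replace(encodedTag, tag); // ordinal, case-sensitive
        }
        return encoded;
    }

    public static void Main()
    {
        // Constructed sample: a harmless <b>, a script element and a <b> with an attribute.
        string input = "Hello <b>world</b> <script>alert(1)</script> <b onmouseover=x>hi</b>";
        // Only the bare <b> and </b> come back as markup; the rest stays entity-encoded.
        Console.WriteLine(EncodeAllowingTags(input));
    }
}
```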
Avoid using direct object references such as filenames and database record IDs in your query string; exposing them leads to a vulnerability called Insecure Direct Object Reference. Use another key, index, map, or indirect method, such as a GUID. If a direct reference must be used, make sure the user is authorized to access that object first.