AI OnAI Off
If you have XForms on only a few page types you could just add ValidateRequest="false" to the ASPX page directive for those templates.
XForm rendering and submission code will probably be just fine but of course you add a little risk for vulnerbilities for places where you output form values in site's own templates.
I usually have validateRequest on unless site has features where HTML is posted by forms. Users shouldn't post HTML chars otherwise.
In Episerver 6.1.379.0, .Net 4.5 is validating an xform that has a '<' charater in the input and throwing the error:>'>
A potentially dangerous Request.Form value was detected from the client
The Episerver knowledge base describes disabling validateRequest in, http://world.episerver.com/kb/10443/.
My question, there a risk in disabling this at the .NET level or does Episerver appropriately guard against these attacks since the knowledge base very casually suggests doing this to fix the issue?