Post: @Anonymous Coward
Posted Friday 27th June 2008 01:29 GMT
In Microsoft and HP tackle SQL-injection scourge
"Scanning for SQL injection / XSS attacks should be the web server's responsibility. I have never wanted to pass SQL / script via a query string or form field."
The result will be an overzealous webserver blocking legitimate queries, or blacklist filtering that will inevitably miss a certain type of string and still allow exploitation. If you have developers who have even a basic understanding of security, webserver filtering causes far more trouble than it's worth. At the most basic level, any app framework that doesn't allow named or positional parameters in SQL strings is seriously defective.
Anyway, if a site allows SQL injection, it is already broken even to non-malicious users. Better hope that your name doesn't contain any quotes (e.g. John O'Toole or John "JJ" O'Toole) or that you don't need to enter an ampersand (John & Mary).
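The two points in the post above, that a name like O'Toole breaks a string-concatenated query (and the same quote lets an attacker rewrite it), and that a bound parameter fixes both, as an added example that is not the commenter's code. It uses Python's built-in sqlite3 module against an in-memory database with a few constructed rows; the table, the function names and the hypothetical `web_filter_rejects` blacklist are all assumptions made here for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with names that carry
    the awkward characters mentioned in the post (a quote, an ampersand)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("John O'Toole",), ("Mary",), ("John & Mary",)],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable form: the user-supplied name is pasted into the SQL text,
    so a quote in the input becomes part of the query syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def concat_outcome(conn, name):
    """Run the vulnerable query and report what happened, so that the
    'breaks for honest users' case and the injection case can be compared."""
    try:
        return ("ok", find_by_name_concat(conn, name))
    except sqlite3.OperationalError as err:
        return ("error", str(err))


def find_by_name_param(conn, name):
    """Fixed form with a positional parameter: the driver sends the value
    separately from the statement, so it is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_by_name_named(conn, name):
    """Same fix with a named parameter (sqlite3's ':name' style)."""
    rows = conn.execute("SELECT name FROM users WHERE name = :name", {"name": name})
    return [row[0] for row in rows]


def web_filter_rejects(name):
    """Hypothetical 'web server' blacklist of the kind the post argues
    against: it blocks anything with a quote, so it also blocks O'Toole."""
    return "'" in name or "--" in name or " or " in name.lower()


if __name__ == "__main__":
    db = make_db()
    honest = "John O'Toole"
    hostile = "x' OR '1'='1"

    print(concat_outcome(db, honest))        # ('error', ...): the quote breaks the SQL
    print(concat_outcome(db, hostile))       # ('ok', [...all three names...]): injection
    print(find_by_name_param(db, honest))    # ["John O'Toole"]
    print(find_by_name_param(db, hostile))   # []: the payload is just a string that matches nobody
    print(find_by_name_named(db, "John & Mary"))  # ['John & Mary']
    print(web_filter_rejects(honest))        # True: a legitimate name is blocked
```

The concatenated query fails on the honest input with a syntax error and returns every row on the hostile one; the parameterised versions return exactly the matching row for the honest input and nothing for the hostile one, with no filtering of the input at all. The blacklist, by contrast, rejects the honest user and still has to guess at every encoding an attacker might use.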