You have a higher-risk vulnerability: you've written a method which will force you to write code which is vulnerable to SQL Injection.
You need to rewrite your method to allow you to pass parameters properly, rather than stuffing them into the query itself. You should also make sure you're not accepting queries directly from the user.
To prevent XSS vulnerabilities, you need to properly encode any output depending on where it is being displayed. For example, if you're displaying it as part of the HTML markup, you need to HTML encode it.
Many WebForms controls have properties which will let you specify that their output should be encoded. For example:
BoundField.HtmlEncode Property (System.Web.UI.WebControls) | Microsoft Docs
Literal.Mode Property (System.Web.UI.WebControls) | Microsoft Docs
So long as you use these properties correctly, and never output unencoded data which could be controlled or affected by the user, you should avoid any XSS vulnerabilities.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
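The two points in the answer above (pass values as parameters instead of building them into the SQL text, and HTML-encode anything user-influenced before it lands in markup), shown as an added C# example that is not part of the original answer. The `Products` table, its columns, the `@name` parameter and the `ProductLookup` class are assumed for illustration; the connection string is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class ProductLookup
{
    // VULNERABLE (the pattern the answer tells you to rewrite): the search
    // term is concatenated into the SQL text, so user input becomes part of
    // the statement itself rather than data the statement operates on.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT Id, Name, Description FROM Products WHERE Name = '" + name + "'";
    }

    // FIXED: the SQL text is a constant and the value travels as a typed
    // parameter. A quote or keyword inside 'name' is just characters in a
    // string value; it can never change the shape of the query.
    public static DataTable FindByName(string connectionString, string name)
    {
        const string sql = "SELECT Id, Name, Description FROM Products WHERE Name = @name";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Declare the type and length explicitly rather than relying on
            // AddWithValue's inference, so the plan and the column type match.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;

            using (var adapter = new SqlDataAdapter(command))
            {
                var table = new DataTable();
                adapter.Fill(table);
                return table;
            }
        }
    }

    // Output side: data that could be controlled by the user is HTML-encoded
    // at the point it is written into HTML markup (the same thing
    // BoundField.HtmlEncode / Literal.Mode="Encode" do for you in WebForms).
    public static string RenderDescription(string description)
    {
        return "<p>" + HttpUtility.HtmlEncode(description) + "</p>";
    }
}
```

The connection string would come from `web.config` in a real page ("PLACEHOLDER_CONNECTION_STRING" is not a usable value); the example compiles against the .NET Framework `System.Data` and `System.Web` assemblies.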