I'm having problems with requests that include 'dangerous characters' as part of a Web API URL. The Url includes an & which is properly Url encoded, but still causes a Request Validation ASP.NET error.
Unlike MVC there appears to be no [ValidateInput(false)] attribute to force and disable this functionality.
Turns out the answer is to do this in web.config using:
<system.web>
<httpRuntime requestPathInvalidCharacters="" />
</system.web>
You can set this globally or at the sub-directory level. You can leverage the <location path=""> element to specify this setting only underneath certain paths. For example, if your Web API route that was affected lived underneath api/images you could do the following:
<location path="api/images">
<system.web>
<httpRuntime requestPathInvalidCharacters="" />
</system.web>
</location>
More information: https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx