The /atg/dynamo/servlet/dafpipeline/SecurityServlet component, and therefore query parameter validation, is enabled by default. You can disable validation by removing SecurityServlet from the request handling pipeline. To do this, set its insertAfterServlet property to null:

insertAfterServlet^=/Constants.null

Note that this disables filtering of query parameters only, not of POST parameters. For information about disabling validation of POST parameters, see Disabling POST Parameter Validation.

Keep in mind that disabling validation is strongly discouraged, as it can leave your application vulnerable to cross-site attacks.