Reputation: 359
I have a Web API developed in C#, targeting the .NET Framework 4.7.1. It is used by some Angular front-end applications. Some of these applications send HTTP DELETE commands to the Web API, passing certain values as query parameters of the HTTP DELETE command.

Recently we discovered a situation that had not been detected before. One of the query parameters is a comment, and the user entered an illegal character ("#") as part of the comment. Obviously this screwed up the entire URL, so I figured I need to encode the query parameters of all these HTTP commands. On the Angular application's side, I can use "encodeURIComponent". On the Web API side I found out that I can use the WebUtility.HtmlDecode method.

The problem I face is where to add this call in the HTTP pipeline of the Web API application. My Startup.cs class has the following two methods (I suppose that the call to "HtmlDecode" must be done in one of them):
    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        // add the repository service
        services.AddScoped<IRepository, SqlServerRepository>();

        // register MVC once and configure the JSON serializer to use local DateTime values
        services.AddMvc().AddJsonOptions(options =>
            options.SerializerSettings.DateTimeZoneHandling = DateTimeZoneHandling.Local
        );
    }
    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        // allow the local Angular dev servers to call the API; CORS must be registered before UseMvc
        app.UseCors(builder => builder.WithOrigins("http://localhost:4200",
                                                   "http://localhost:4201",
                                                   "http://localhost:4202")
                                      .AllowCredentials()
                                      .AllowAnyHeader()
                                      .AllowAnyMethod());

        app.UseMvc();
    }
Here is what my HTTP Delete command looks like in the Angular application, after the URL has been encoded:
https://localhost:44344/api/invoices%2F839%3Fcomment%3DInvoice%20%23%20839&sessionHash=21AAEE0EA6631EF381CAC140460DF9BF4A6686
Unencoded, the URL would be
https://localhost:44344/api/invoices/839?comment=Invoice # 839&sessionHash=21AAEE0EA6631EF381CAC140460DF9BF4A6686
Obviously, the "#" character screws up the URL, hence the need for the encoding.
On my Web API side, the right method of the right controller gets called, but inside it, the invoice Id is 0, the comment is null and the sessionHash is also null. Here is the code of my method:
    // DELETE api/invoices/{invoiceId}?comment=...&sessionHash=...
    // invoiceId is bound from the route; sessionHash and comment are bound from the query string
    [HttpDelete("{invoiceId}")]
    public IActionResult DeleteInvoice(string sessionHash, int invoiceId, [FromQuery] string comment)
    {
        try
        {
            if (string.IsNullOrEmpty(sessionHash))
            {
                return BadRequest("The user is not authenticated!");
            }
            if (invoiceId == 0)
            {
                return BadRequest("The invoice Id was not provided!");
            }

            int result = _repository.DeleteInvoice(sessionHash, invoiceId, comment);
            if (result == -1)
            {
                return Ok();
            }
            return BadRequest($"The invoice with Id {invoiceId} could not be deleted.");
        }
        catch (Exception ex)
        {
            return BadRequest(ExceptionErrorBuilder.GetShortErrorMessage(ex));
        }
    }
I have a breakpoint in my method and I can pause the call and inspect the values of all the parameters.
Upvotes: 0
Views: 316
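The following is an added JavaScript example illustrating the encoding problem in the question above; it is not code from the original post or from the Angular application it describes. It builds the DELETE URL with each route and query value percent-encoded on its own, reproduces the two failure modes (the whole relative URL passed to encodeURIComponent, and a raw "#" in the comment), and approximates what a server-side router and query binder would see in each case. The base URL, the route shape and the sample values are taken from the question; parseAsServer() is a simulation written for this example, not ASP.NET Core's own routing code.

```javascript
// Added example, not code from the original post. BASE_URL, the route
// "api/invoices/{invoiceId}" and the sample values come from the question;
// parseAsServer() is an approximation of server-side routing, not ASP.NET Core code.

const BASE_URL = "https://localhost:44344";

// Correct: percent-encode only the pieces that carry user data, never the URL
// structure. encodeURIComponent escapes "#", "?", "&", "=", "/" and spaces, so a
// value can never be mistaken for a delimiter. null/undefined values are left out.
function buildDeleteInvoiceUrl(invoiceId, comment, sessionHash) {
  const query = Object.entries({ comment, sessionHash })
    .filter(([, v]) => v !== undefined && v !== null)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join("&");
  const path = `/api/invoices/${encodeURIComponent(String(invoiceId))}`;
  return `${BASE_URL}${path}${query ? "?" + query : ""}`;
}

// Wrong (the form shown in the question): encoding the whole relative URL also
// turns "/" into %2F and "?" into %3F, so the server receives a single opaque
// path segment and no query string at all.
function buildWholeUrlEncoded(invoiceId, comment, sessionHash) {
  const rel = `invoices/${invoiceId}?comment=${comment}`;
  return `${BASE_URL}/api/${encodeURIComponent(rel)}&sessionHash=${sessionHash}`;
}

// Wrong (no encoding): a raw "#" starts the fragment, which the browser never
// sends, so everything after it is silently dropped from the request.
function buildRawUrl(invoiceId, comment, sessionHash) {
  return `${BASE_URL}/api/invoices/${invoiceId}?comment=${comment}&sessionHash=${sessionHash}`;
}

// Decode one path segment; a malformed %xx sequence is kept as-is instead of throwing.
function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch {
    return segment;
  }
}

// Simulation of the server side: match "api/invoices/{invoiceId}" against the
// decoded path segments and read the query values. A real framework decodes the
// percent-escapes itself before model binding; no extra decode step is needed.
function parseAsServer(urlString) {
  const url = new URL(urlString); // url.hash (the fragment) would never reach the server
  const segments = url.pathname.split("/").filter(Boolean).map(safeDecode);
  const routeMatched =
    segments.length === 3 && segments[0] === "api" && segments[1] === "invoices";
  const id = routeMatched ? Number.parseInt(segments[2], 10) : Number.NaN;
  return {
    routeMatched,
    invoiceId: Number.isInteger(id) ? id : 0, // an unbound C# int defaults to 0
    comment: url.searchParams.get("comment"), // null when absent, like an unbound C# string
    sessionHash: url.searchParams.get("sessionHash"),
  };
}
```

Two caveats that follow from this: the server needs no decode call in Startup, because route and query values arrive already percent-decoded at the action method, and WebUtility.HtmlDecode reverses HTML entities such as `&amp;`, which is a different encoding from URL percent-escapes, so applying it to request parameters would be the wrong tool. Separately, a session token carried in the query string, as sessionHash is here, ends up in server access logs, proxy logs, browser history and Referer headers; sending it in a request header is the safer choice.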