See the question and my original answer on StackOverflow

This is due to ASP.NET builtin Cross Site Scripting validation capabilities. There is some kind of a list of what's allowed and what's not by ASP.NET, here on SO: ASP.NET request validation causes: is there a list?

On the specific case of # encoded characters, there is a complete reference of XSS attacks available here: XSS (Cross Site Scripting) Cheat Sheet that demonstrate how complex these attacks can be, and why encoded characters are forbidden.