It is always good advice to encode URL and form parameters: an unencoded form parameter leaves the application open to cross-site scripting attacks and SQL injection, and may drive the web application into unexpected behaviour. A URL string or form parameter can be encoded with the URLEncoder class – its static encode(String s, String enc) method.
For example, if a user enters the following special characters and our web application does not handle encoding, the application is exposed to a cross-site scripting attack.
<![CDATA[ <IMG SRC=" &#14; javascript:document.vulnerable=true;"> ]]>

How to use URLEncoder to encode a string and URLDecoder to decode the encoded string
package com.fsecure.swp;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class testEncode {
    public static void main(String args[]) {
        try {
            // Test string containing characters that must not reach the browser unencoded
            String url = "<![CDATA[ <IMG SRC=\" &#14; javascript:document.vulnerable=true;\"> ]]>";

            // Percent-encode the string (application/x-www-form-urlencoded, UTF-8)
            String encodedUrl = URLEncoder.encode(url, "UTF-8");
            System.out.println("Encoded URL " + encodedUrl);

            // Decode the encoded form back into the original string
            String decodedUrl = URLDecoder.decode(encodedUrl, "UTF-8");
            System.out.println("Decoded URL " + decodedUrl);
        } catch (UnsupportedEncodingException e) {
            System.err.println(e);
        }
    }
}

Result

Encoded URL %3C%21%5BCDATA%5B+%3CIMG+SRC%3D%22+%26%2314%3B+javascript%3Adocument.vulnerable%3Dtrue%3B%22%3E+%5D%5D%3E
Decoded URL <![CDATA[ <IMG SRC=" &#14; javascript:document.vulnerable=true;"> ]]>
Remember to always encode URL strings and form parameters to prevent these attacks.
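As an added example (not code from the original post), the following Java program applies URLEncoder to each key and value separately when building a query string and URLDecoder when parsing it back; the class and method names are my own, and the overloads taking a Charset require Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringCodec {

    // Encode each key and value separately, then join with '&' and '='.
    // Encoding the whole URL in one call would also encode the separators.
    static String encodeParams(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // Split on the separators first and decode afterwards, so an encoded
    // '&' or '=' inside a value (%26, %3D) cannot add or rename a parameter.
    static Map<String, String> decodeParams(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        if (query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            int i = pair.indexOf('=');
            String k = i < 0 ? pair : pair.substring(0, i);
            String v = i < 0 ? "" : pair.substring(i + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input: the post's test string plus a value
        // that itself contains query-string separators.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "<IMG SRC=\"javascript:document.vulnerable=true;\">");
        params.put("next", "/account?tab=settings&x=1");

        String qs = encodeParams(params);
        System.out.println("Encoded: " + qs);

        Map<String, String> back = decodeParams(qs);
        System.out.println("Round trip intact: " + back.equals(params));
    }
}
```

Decoding returns the exact original value, as the result above also shows, so URL encoding protects the structure of the query string rather than the page the value is later rendered into; a value written into HTML still needs HTML escaping at that point.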
Reference
http://java.sun.com/j2se/1.5.0/docs/api/java/net/URLEncoder.html