How to encode a URL string or form parameter in Java

It is always advisable to encode URL or form parameters: a plain form parameter is vulnerable to cross-site scripting, SQL injection, and may lead our web application to unpredictable output. A URL string or form parameter can be encoded with the URLEncoder class and its static encode(String s, String enc) method.

For example, when a user enters the following special characters and your web application does not handle encoding, it will cause a cross-site scripting attack.


<![CDATA[ <IMG SRC="  javascript:document.vulnerable=true;"> ]]>

Example: use URLEncoder to encode a string and URLDecoder to decode the encoded string.


package com.mkyong;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class TestEncode {

  public static void main(String[] args) {

    try {
      // The sample string from the article; it contains characters that
      // must not be passed through as a plain form parameter.
      String url = "<![CDATA[ <IMG SRC=\"  javascript:document.vulnerable=true;\"> ]]>";

      // Encode the string as an application/x-www-form-urlencoded value.
      String encodedUrl = URLEncoder.encode(url, "UTF-8");
      System.out.println("Encoded URL " + encodedUrl);

      // Decode the encoded value (not the original), which restores the original string.
      String decodedUrl = URLDecoder.decode(encodedUrl, "UTF-8");
      System.out.println("Decoded URL " + decodedUrl);

    } catch (UnsupportedEncodingException e) {
      System.err.println(e);
    }
  }
}

Result

Encoded URL %3C%21%5BCDATA%5B+%3CIMG+SRC%3D%22+%26%2314%3B+javascript%3Adocument.vulnerable%3Dtrue%3B%22%3E+%5D%5D%3E
Decoded URL <![CDATA[ <IMG SRC="  javascript:document.vulnerable=true;"> ]]>

Please remember to always encode URL strings and form parameters to prevent such attacks.
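An added example, not code from the original post, that contrasts form-parameter encoding (URLEncoder, which turns a space into '+') with encoding a value inside a URL via java.net.URI (which percent-encodes a space as %20), and shows that encoding is reversible: the decoded value is byte-for-byte what was submitted. It assumes Java 10 or later for the Charset overloads of URLEncoder.encode and URLDecoder.decode; the class name EncodingContexts and the sample input are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class EncodingContexts {

    // Form-parameter encoding (application/x-www-form-urlencoded):
    // space becomes '+', and '+', '&', '=' are percent-encoded.
    static String formEncode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Inverse of formEncode: '+' becomes a space and %XX escapes are expanded.
    static String formDecode(String value) {
        return URLDecoder.decode(value, StandardCharsets.UTF_8);
    }

    // Builds a URL with the multi-argument URI constructor, which quotes
    // characters that are illegal in the query, so a space becomes %20, not '+'.
    static String buildUrl(String host, String path, String query) throws URISyntaxException {
        return new URI("https", host, path, query, null).toASCIIString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample input with characters that matter in both contexts.
        String raw = "a b+c&d=e";

        String asForm = formEncode(raw);
        System.out.println("form-encoded : " + asForm); // a+b%2Bc%26d%3De

        // Encoding is reversible: the server-side value equals the original input,
        // so transport encoding alone does not alter what the application later
        // renders or passes to a database.
        System.out.println("round-trips  : " + raw.equals(formDecode(asForm))); // true

        // The same text placed in a URL query via java.net.URI.
        System.out.println("as URI       : " + buildUrl("example.com", "/search", "q=" + raw));
        // https://example.com/search?q=a%20b+c&d=e

        // A '+' taken from a form-encoded value and read back as a form value is a space.
        System.out.println("'+' decodes to: '" + formDecode("a+b") + "'"); // 'a b'
    }
}
```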


About the Author

mkyong
Founder of Mkyong.com, loves Java and open source stuff. Follow him on Twitter, or befriend him on Facebook or Google Plus. If you like my tutorials, consider making a donation to these charities.

Comments

java-coder (Guest)

The post is wrong by saying use URLEncoder for URL parameters. This class is supposed to be used for form parameter encoding and not for url encoding. Space in a url must be encoded as %20 and not as ‘+’. ‘+’ itself should be escaped in URL parameters, it is an unsafe char.

Kristina Mendoza (Guest)

Thanks for posting such handy information! Really helped me a bunch.

bahtiaP (Guest)

URLEncoder.encode(url, "UTF-8"); is throwing UnsupportedEncodingException

blo (Guest)

should: String decodedUrl = URLDecoder.decode(url, "UTF-8"); be: String decodedUrl = URLDecoder.decode(encodedUrl, "UTF-8"); proving the decoding of the encoded url, not the original url?

neo (Guest)

Very helpful…!

neo (Guest)

yes..!

Nilam (Guest)

Thanks for the solution


hurelhuyag (Guest)

space must be encoded to %20


Fcrossroad (Guest)

Hello Mkyong, can you explain a little more about how encoding url or form parameters can prevent some attacks like SQL injection?

Your post is very good, but I couldn't understand this part…

If you prefer to only post some links that explain this, that would be very helpful too!

fadzz (Guest)

thanks^^… very simple and helped me a lot..!!