a rule of URLs: sanitize them
like all user input, you can't trust it
make it into canonical form for the specific use
never ever use any value from outside your code without making it clean and canonical
sql injections only worked because of lack of this processing
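
One way to do the "clean and canonical" step for a URL that will be used as a redirect or fetch target; this is an added example, not code from the original post. The https-only rule, the host allowlist and the names canonical_url and is_allowed are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Assumed allowlist for this example; not from the original post.
ALLOWED_HOSTS = {"example.com", "static.example.com"}

def canonical_url(raw: str) -> str:
    """Return the one canonical https URL for `raw`, or raise ValueError."""
    # Whitespace, control characters and backslashes are read differently by
    # different parsers and browsers, so refuse them instead of guessing.
    if re.search(r"[\x00-\x20\x7f\\]", raw):
        raise ValueError("forbidden character")
    parts = urlsplit(raw)                  # lowercases the scheme
    if parts.scheme != "https":
        raise ValueError("scheme not allowed")
    if "@" in parts.netloc:                # user:pass@host hides the real host
        raise ValueError("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")   # .hostname is lowercased
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")
    if parts.port not in (None, 443):      # .port raises ValueError if malformed
        raise ValueError("port not allowed")
    # Decode the path exactly once; anything still encoded after that, or any
    # decoded control character, is refused.
    path = unquote(parts.path) or "/"
    if unquote(path) != path or re.search(r"[\x00-\x1f\x7f]", path):
        raise ValueError("ambiguous path encoding")
    # Collapse "." and ".." segments so every path has a single spelling.
    norm = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and norm != "/":
        norm += "/"                        # normpath drops the trailing slash
    # Rebuild from validated parts only; query kept as-is, fragment dropped.
    return urlunsplit(("https", host, quote(norm, safe="/"), parts.query, ""))

def is_allowed(raw: str) -> bool:
    """True if `raw` canonicalizes; callers then use canonical_url(raw) only."""
    try:
        canonical_url(raw)
        return True
    except ValueError:
        return False
```

Every later decision (authorization, logging, the actual request) should take the returned string, never the raw input, so the value that was checked is the value that is used.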