fix security issues

Author: 1nhann

src/main/java/jodd/http/HttpRequest.java

@@ -37,6 +37,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
@@ -338,35 +339,38 @@ public String path() {
 	 * Previous query is discarded.
 	 * @see #query()
 	 */
-	public HttpRequest path(String path) {
+	public HttpRequest path(String path){
 		// this must be the only place that sets the path
 
 		if (!path.startsWith(StringPool.SLASH)) {
 			path = StringPool.SLASH + path;
 		}
 
-		// remove fragment
+		try {
+			// remove fragment
+			final int fragmentIndex = path.indexOf('#');
+			if (path.indexOf('#') != -1) {
+				this.fragment = URLEncoder.encode(path.substring(fragmentIndex + 1), StandardCharsets.UTF_8.name());
+				path = path.substring(0, fragmentIndex);
+			}
 
-		final int fragmentIndex = path.indexOf('#');
-		if (path.indexOf('#') != -1) {
-			this.fragment = path.substring(fragmentIndex + 1);
-			path = path.substring(0, fragmentIndex);
-		}
+			final int ndx = path.indexOf('?');
 
-		final int ndx = path.indexOf('?');
+			if (ndx != -1) {
+				final String queryString = path.substring(ndx + 1);
 
-		if (ndx != -1) {
-			final String queryString = path.substring(ndx + 1);
+				path = URLEncoder.encode(path.substring(0, ndx), StandardCharsets.UTF_8.name());
 
-			path = path.substring(0, ndx);
+				query = HttpUtil.parseQuery(queryString, true);
+			} else {
+				query = HttpMultiMap.newCaseInsensitiveMap();
+			}
 
-			query = HttpUtil.parseQuery(queryString, true);
-		} else {
-			query = HttpMultiMap.newCaseInsensitiveMap();
+			this.path = URLEncoder.encode(path, StandardCharsets.UTF_8.name());
+			;
+		}catch (UnsupportedEncodingException e) {
+			return null;
 		}
-
-		this.path = path;
-
 		return this;
 	}