
The Bug I Found When Special Characters Broke My API
Today, I worked on a simple Spring Boot API, but it taught me an important lesson about handling user input properly.

I created an endpoint to add a scope of work to a project:

    @PostMapping("/addScopeOfWork/{projectId}/{scopeOfWork}")
    public ManageProject addScopeOfWork(@PathVariable Long projectId,
                                        @RequestBody Map<String, String> data) {
        String scopeOfWork = data.get("scopeOfWork");
        return service.addScopeOfWork(projectId, scopeOfWork);
    }

At first, everything was fine. When I tested the API with normal text, it worked perfectly. But when I passed special characters like:

    & / ? %

the API started crashing.

Why Did This Happen?

    /addScopeOfWork/{projectId}/{scopeOfWork}

Here, scopeOfWork is part of the URL (path variable). Special characters are not safe inside URLs unless they are encoded. For example:

- / is treated as a path separator
- ? starts query parameters
- & separates parameters

So the server misunderstands the input and breaks the request.

Instead of passing sco
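The splitting described above can be reproduced with the JDK's own `java.net.URI` parser. This is an added example, not code from the original post; the host, project id, class name, helper names and sample inputs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ScopeOfWorkUrlDemo {
    // Assumed host and project id, for illustration only.
    static final String PREFIX = "http://localhost:8080/addScopeOfWork/7/";

    // Percent-encode one path segment. URLEncoder produces form encoding,
    // where a space becomes "+", so "+" is rewritten to "%20" for use in a path.
    static String encodeSegment(String raw) {
        return URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Report how a URL string is split into path segments and query,
    // or why the parser refuses it.
    static String describe(String url) {
        try {
            URI uri = new URI(url);
            int segments = uri.getRawPath().split("/").length - 1;
            return segments + " path segments, query=" + uri.getRawQuery();
        } catch (URISyntaxException e) {
            return "rejected: " + e.getReason();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the characters the post lists.
        String[] samples = { "wiring", "civil/electrical", "plan?rev=2&final", "50%" };
        for (String raw : samples) {
            System.out.println("input: " + raw);
            // Value concatenated into the path as-is: extra segment, stray query, or parse error.
            System.out.println("  raw:     " + describe(PREFIX + raw));
            // Value percent-encoded first: always three segments and no query.
            System.out.println("  encoded: " + describe(PREFIX + encodeSegment(raw)));
        }
    }
}
```

Percent-encoding fixes the split at the URI level only; the server still decides how it treats an encoded `/` (`%2F`) in a path, so test that case against the running application.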



