D2 · Threats

What is URL encoding, and what are its security implications?

URL encoding represents characters as percent-encoded sequences (%20 = space). Attackers use double-encoding and Unicode encoding to bypass WAF filters and input validation.
WAF evasion via encoding: if a WAF blocks the string 'script', encoding it as '%73%63%72%69%70%74' may bypass naive pattern matching. Defense: normalize and decode all input before validating it, so that validation always runs on the decoded form.