I know very well that using the GET method and passing request parameters in the URL is a bad practice and a security vulnerability. But we are in a situation where project development is almost completed and we cannot afford to change all the GETs to POST and re-test the whole thing all over again.

Is there a way to change the displayed URL?

Or will URL encoding do the job? Please suggest what could be the best approach in this situation.

  • Where did you get that idea? The right method for the right purposes. – Aleksandr M Jul 27 '15 at 08:04
  • I was looking for a quick fix to buy time, will definitely fix it with the legitimate approach in the next project iteration ;) – Mohammed Anwar Jul 27 '15 at 11:12
  • MohammedAnwar, @AleksandrM is telling you that GET doesn't imply a security vulnerability (though query strings are pretty ugly), and according to the literature, you should use GET for idempotent methods (read) and POST for non-idempotent methods (insert, update, delete). However, the willingness to remove query strings is absolutely legit, hence my answer. – Andrea Ligios Jul 27 '15 at 11:56

1 Answer

The way exists: it is the HTML5 History API.

It needs JavaScript and HTML5-compliant browsers, or a JavaScript fallback for old IE (e.g. History.js).

Take a look at the history.replaceState() and history.pushState() methods: the first alters the current history entry, the second adds a new one (creating noise in Back button usage, so I suggest the first).

To remove the QueryString (the ?param1=value1&param2=value2 part) just run this script on page load:

<script>
    // Runs once the DOM is ready (jQuery's ready handler). replaceState()
    // rewrites the current history entry in place, so the Back button is
    // not affected.
    $(function(){
        var q = location.href.indexOf("?");
        // Only rewrite when there actually is a query string and the
        // History API is available; substring(0, -1) would otherwise
        // produce an empty URL.
        if (q !== -1 && history.replaceState) {
            history.replaceState("", "", location.href.substring(0, q));
        }
    });
</script>

While this client-side solution definitely improves clarity and eye candy, I doubt it improves security at all; Post-Redirect-Get would be better, but if you can't, then use this technique.

I generally use PRG in conjunction with this to achieve pretty URLs, and it works perfectly.

Note that this is a simulated PRG: an F5 after the page is loaded might have unpredictable behavior depending on how you've programmed your application.

Andrea Ligios