so why do you care about the URL? just make sure you don't just stream that data back without validation... but either way, are you expecting the users to 'hack' themselves?
point it, you need to care about user-data when and depending how you use that. you definitively shouldn't trust that data and validate it before using it but that has nothing to do with the URL, mind you CR+LF can be a legit value in those parameters sometimes (hence it's url-encoded).
if you do use set-header api or something then just make sure you don't add CR+LF in the value, not sure if the api already do that but it might worth checking and if not even raise a feature request at PSC.
if you store that data in database then it might be OK to leave those alone, in that case you often need to encode data when you output it back in generated html.