Response.encodeUrl doesn't escape characters. Its purpose is to embed the sessionId in the URL when session cookies are not enabled.
Look at java.net.URLEncoder. If used correctly, that will escape the necessary characters. You will still need to understand when and when not to encode characters or you'll end up encoding control characters that need to be left alone.