
Clean url to prevent attack due to CR LF

I see this code in my application. Can someone please help me understand how this is helping to sanitize request URL to prevent any attack due to CR/LF?

import java.util.ArrayList;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.reference.DefaultEncoder;

public static String validaterequestURL(String requestURL) throws EncodingException {
    Encoder encoder = new DefaultEncoder(new ArrayList<String>());
    // canonicalize: reduce mixed or double encodings to one plain form
    String clean = encoder.canonicalize(requestURL).trim();
    // URL-decode so that e.g. "%0d%0a" becomes a literal CR LF before the check
    clean = encoder.decodeFromURL(clean);
    int idxR = clean.indexOf('\r');   // -1 if there is no carriage return
    int idxN = clean.indexOf('\n');   // -1 if there is no line feed
    if (idxN >= 0 || idxR >= 0) {
        // cut at whichever line-break character occurs later in the string
        if (idxN > idxR) {
            clean = clean.substring(0, idxN - 1);
        } else {
            clean = clean.substring(0, idxR - 1);
        }
    }
    return clean;
}

I would particularly like to understand how the lines below work:

int idxR = clean.indexOf('\r');
int idxN = clean.indexOf('\n');
if (idxN >= 0 || idxR >= 0) {
    if (idxN > idxR) {
        clean = clean.substring(0, idxN - 1);
    } else {
        clean = clean.substring(0, idxR - 1);
    }
}

If a \n (linefeed/newline) or \r (carriage return) character exists, the corresponding index (its position in the string) will be >= 0. If so, the substring operation truncates the string, removing the offending character and everything after it.

The logic seems to be set up so that if both \n and \r are found, only the later of the two (and anything after it) will be removed. I have no idea why the author thought that was a good idea; I would have expected truncation to be done from the earlier one.
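As an added illustration, not part of the question or the answer above, the following stand-alone Java class runs the question's truncation logic next to a variant that cuts at the earliest CR or LF, on constructed inputs, so the two behaviours the answer describes can be compared. It uses java.net.URLDecoder in place of ESAPI so it runs without extra dependencies; the class and method names are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class CrlfTruncationDemo {

    // Truncation exactly as written in the question: cuts at the LATER of
    // '\r' / '\n', and substring(0, idx - 1) also drops the character before it.
    static String truncateAsInQuestion(String clean) {
        int idxR = clean.indexOf('\r');
        int idxN = clean.indexOf('\n');
        if (idxN >= 0 || idxR >= 0) {
            if (idxN > idxR) {
                clean = clean.substring(0, idxN - 1);
            } else {
                clean = clean.substring(0, idxR - 1);
            }
        }
        return clean;
    }

    // Hypothetical alternative (not ESAPI): cut at the EARLIEST '\r' or '\n',
    // so nothing after the first line break survives and the character
    // just before it is kept.
    static String truncateAtFirstLineBreak(String clean) {
        for (int i = 0; i < clean.length(); i++) {
            char c = clean.charAt(i);
            if (c == '\r' || c == '\n') {
                return clean.substring(0, i);
            }
        }
        return clean;
    }

    // Make CR and LF visible when printing.
    static String show(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample 1: percent-encoded CR LF followed by an extra line.
        // Decoding first matters: "%0d%0a" contains no literal CR/LF until decoded.
        String decoded = URLDecoder.decode("/search?q=abc%0d%0aInjected-Header:%20x", StandardCharsets.UTF_8);
        System.out.println("question's code : " + show(truncateAsInQuestion(decoded)));      // /search?q=abc
        System.out.println("first-break cut : " + show(truncateAtFirstLineBreak(decoded)));  // /search?q=abc

        // Constructed sample 2: '\n' comes BEFORE '\r', so the question's code
        // keeps the newline and cuts one character short of the later '\r'.
        String lfFirst = "/a\nInjected: yes\rtail";
        System.out.println("question's code : " + show(truncateAsInQuestion(lfFirst)));      // /a\nInjected: ye
        System.out.println("first-break cut : " + show(truncateAtFirstLineBreak(lfFirst)));  // /a
    }
}
```

The second sample is the case the answer objects to: with the question's logic a line break is left in the value, and a legitimate character is lost, whereas cutting at the first CR or LF removes the whole injected tail.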
