I think you've got it backwards. You're talking about information you have (the userId) that you're putting into the URL that is contained in the response.
Sanitizing to prevent XSS is about sanitizing
input, not so much the
output, which is what you're thinking of doing with <c:out userid> in the middle of the hard-coded URL.
For example, if you have userId = "rlaxmi" then that URL becomes this:
There is no security benefit in escaping or encoding the output there if you have full control of what the value of that parameter is when you craft the URL. All you'd be doing is
Security by obscurity which is nothing, essentially.
What you need to do is prevent malicious attackers from taking that URL (the attack surface) and replacing the value of the userId parameter to something that, if used raw and unsanitized, can be used to exploit a vulnerability in your code. It's the data that is coming in that you want to sanitize, not so much the values that you're displaying because at that point, it might already be too late.
Search for articles that explain
the anatomy of a XSS attack to get a better understanding of exactly what it is you're trying to prevent. Make sure you understand what you're doing, don't just take whatever instructions you're given verbatim and blindly do things without understanding the underlying mechanisms and issues you're trying to address.