Re: [csv] Does the library provide means to circumvent CSV injection

2021-11-11 Thread Matt Seil
The TLDR version: OWASP's recommendation is specifically to render code intended to be executed as unexecutable. I'd suggest a fix be done at OWASP-Java-Encoder project and not here. I believe the suggestion of providing this feature even at OWASP has near-zero value in the long run because

Re: [csv] Does the library provide means to circumvent CSV injection

2021-11-10 Thread Matt Seil
Hello, I'm Matt Seil, project co-lead for OWASP's ESAPI-Java-Legacy project. This email caught my attention. In short, I don't think you're going to get an affirmative answer because the potential use cases are too numerous. I'm totally speaking out of turn here; however, there may

commons-imaging stability?

2019-01-25 Thread Matt Seil
Greetings! I'm the project Co-Lead for OWASP's ESAPI project, and I'm looking into this library to enhance capability. What I'm unsure about is that it looks like every release was either "incubator" or "Snapshot," and if we brought it on as a dependency, many companies have rules against using