ESAPI is no longer a flagship project for OWASP. There has been no releases since 2013, which means the project is stale.
If all you need is output escaping, use the encoder project. That one is maintained.
No single solution can be guaranteed to sanitize all XSS. You have to allow that a clever attacker might be able to exploit a bug in the HTML sanitizer.