A good option would be to exclude the Percentage codec, if it is not really needed.
To do that, one needs to write one's own customized encoder implementation that extends the ESAPI-provided org.owasp.esapi.reference.DefaultEncoder
and register it in ESAPI.properties, like:

```properties
ESAPI.Encoder=path.to.ESAPIDefaultEncoderImpl
```

See the implementation example below.
```java
package path.to;

import java.util.ArrayList;
import java.util.List;

public class ESAPIDefaultEncoderImpl extends org.owasp.esapi.reference.DefaultEncoder
{
    // Codec class names passed to DefaultEncoder; names without a package are
    // resolved under org.owasp.esapi.codecs. The Percentage codec is left out on purpose.
    private static List<String> codecs;
    private static ESAPIDefaultEncoderImpl singletonInstance;

    static
    {
        codecs = new ArrayList<String>();
        // No trailing whitespace: the name is used for a class lookup, and an
        // unresolvable name is only logged as a warning and silently dropped.
        codecs.add("HTMLEntityCodec");
        codecs.add("JavaScriptCodec");
        singletonInstance = new ESAPIDefaultEncoderImpl();
    }

    // ESAPI's object factory looks up this static getInstance() method.
    public static ESAPIDefaultEncoderImpl getInstance()
    {
        return singletonInstance;
    }

    private ESAPIDefaultEncoderImpl()
    {
        super(codecs);
    }
}
```
In this customized encoder, one should not register the Percentage Codec, but only the ones which are really needed. (To see all ESAPI codecs, visit the ESAPI documentation.)
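To see what dropping the codec actually changes, the following added comparison (not part of the answer above) canonicalizes the same constructed inputs with the stock codec list and with the reduced custom encoder. It assumes ESAPI.properties is on the classpath and that `ESAPIDefaultEncoderImpl` from the answer is compiled in package `path.to`; the class name `CodecComparison` is hypothetical.

```java
package path.to;

import java.util.Arrays;

import org.owasp.esapi.Encoder;
import org.owasp.esapi.reference.DefaultEncoder;

// Added comparison, not ESAPI code. Shows that once the percent codec is removed,
// percent-encoded input is no longer decoded by canonicalize(), so any validation
// that relies on the canonical form must not expect it to see through %XX escapes.
public class CodecComparison {

    public static void main(String[] args) {
        // Stock codec list as shipped with ESAPI: HTML entities, percent encoding, JavaScript escapes.
        Encoder full = new DefaultEncoder(
                Arrays.asList("HTMLEntityCodec", "PercentCodec", "JavaScriptCodec"));
        // Custom encoder from the answer: HTML entities and JavaScript escapes only.
        Encoder custom = ESAPIDefaultEncoderImpl.getInstance();

        // Constructed sample inputs, one per encoding scheme.
        String[] samples = {
            "%3Cscript%3E",     // percent-encoded: decoded only when PercentCodec is registered
            "&lt;script&gt;",   // HTML entity: decoded by both encoders
            "\\x3Cscript\\x3E", // JavaScript escape: decoded by both encoders
        };

        for (String s : samples) {
            System.out.printf("%-18s full=%-12s custom=%s%n",
                    s, full.canonicalize(s), custom.canonicalize(s));
        }
    }
}
```

Expect the first line to show `full=<script>` but `custom=%3Cscript%3E`, while the other two decode identically with both encoders.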