As reported by Christoph Neuroth in OFBIZ-5254, we still use a patched version from OFBIZ-3135, and it's time to update to the latest version
Update esapi to 2.1.0
Issue to group security concerns
Services allow arbitrary HTML for parameters with allow-html set to "safe"
In owasp-esapi-java, htmlCodec.decode is broken for all entities where entity.substr(0, x) exists