
org.owasp.esapi.reference.DefaultEncoder vs. org.owasp.encoder.Encode


Both the org.owasp.esapi.reference.DefaultEncoder and org.owasp.encoder.Encode classes provide some of VeraCode's Supported Cleansing Functions for addressing potential cross-site scripting (XSS) attacks. Given that they both come from OWASP, I have to think that they aren't redundant, but some of the methods look like they are meant to do the same thing, for example, DefaultEncoder.encodeForHTML(String) and Encode.forHtml(String). I wonder what is different between them, and when it is preferable to use one class rather than the other.


Solution

  • They are from different projects that have some overlap in functionality. org.owasp.esapi.reference.DefaultEncoder is from the ESAPI project, and org.owasp.encoder.Encode is from the OWASP Java Encoder project. The Java Encoder project is newer, more actively maintained, and focused specifically on output encoding, whereas ESAPI has other functionality too.

    For something like HTML encoding, they're doing the same thing so it doesn't make much difference, but it looks like ESAPI is more of a legacy project now. See:
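Added example, not code from the question, the answer or either project: the same untrusted string rendered into three output contexts (HTML body, HTML attribute, JavaScript string literal) with each library, so the corresponding calls sit side by side. It assumes both libraries are on the classpath (`org.owasp.encoder:encoder` and `org.owasp.esapi:esapi`) and, for ESAPI, an `ESAPI.properties` file that ESAPI loads at runtime; the class and method names below are the libraries' own, the sample input is constructed.

```java
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class EncoderComparison {

    // Constructed sample input: the kind of value a user-controlled field might carry.
    static final String UNTRUSTED = "<script>alert('x')</script> & \"quoted\"";

    /** OWASP Java Encoder: one static call per output context. */
    static String renderWithJavaEncoder(String value) {
        return "<div title=\"" + Encode.forHtmlAttribute(value) + "\">"
             + Encode.forHtml(value)
             + "</div>\n<script>var v = '" + Encode.forJavaScript(value) + "';</script>";
    }

    /** ESAPI: the same contexts through the Encoder interface (DefaultEncoder is the reference implementation). */
    static String renderWithEsapi(String value) {
        Encoder enc = ESAPI.encoder(); // implementation is chosen by ESAPI.properties
        return "<div title=\"" + enc.encodeForHTMLAttribute(value) + "\">"
             + enc.encodeForHTML(value)
             + "</div>\n<script>var v = '" + enc.encodeForJavaScript(value) + "';</script>";
    }

    public static void main(String[] args) {
        System.out.println(renderWithJavaEncoder(UNTRUSTED));
        System.out.println(renderWithEsapi(UNTRUSTED));
    }
}
```

Either library neutralises the sample input only when the call matches the context the value lands in; an HTML body encoder inside a JavaScript string, for example, is the wrong choice with both APIs.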