
Allow certain characters to be immune for ESAPI encoder?


I am trying to incorporate the ESAPI encoder with my JavaEE application and want it to not encode a certain set of characters, for example '<', '!', '(', ')'.

I read on the documentation https://static.javadoc.io/org.owasp.esapi/esapi/2.0.1/org/owasp/esapi/Encoder.html that "all characters should be encoded, except for a specific list of "immune" characters".

I would like to know where and how I can configure this specific list of "immune" characters. Would it be in the ESAPI.properties file?


Solution

  • The simple answer is, you can't. Or at least not easily. You could do this by changing the line in ESAPI.properties from:

    ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

    to something like

    ESAPI.Encoder=com.MyCompany.myApp.MyEncoder

    and then in MyEncoder.java, replacing one or more of ESAPI's initializations of its various IMMUNE_* variables with your own. But that's the only way to do it. There is no method or property to redefine this, because in the general case, you should never want to do so. (There was a [poor, IMO] design decision to make all of ESAPI's reference implementations a singleton, so providing such a method to the DefaultEncoder class would mean you would be changing it for all instances of a class and that just seems too dangerous.)

    So rather than answering your question like I did, I should be asking you why you wish to do this. The IMMUNE_CSS codec recently had '#' added to it (currently only in the 'develop' branch on GitHub), but even that was not done without extensive discussion amongst current and former OWASP project leaders. The immune lists are judiciously chosen to be "safe" in all known cases. They are not intended to be applied for only some edge cases known to be safe. That is why I am asking "Why do you want to do this? What specifically are you trying to achieve?" as there may be a better approach to what you are trying to do.
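A sketch of the custom-encoder route the answer describes, as an added example that is neither part of the original answer nor ESAPI's own code. The class name, package, codec-name list passed to the superclass and the chosen immune set are assumptions; it relies on DefaultEncoder's public codec-list constructor and on HTMLEntityCodec.encode(char[] immune, String), and it deliberately keeps '<' and the other HTML metacharacters out of the immune list, since an immune '<' would let markup through encodeForHTML() unchanged.

```java
package com.MyCompany.myApp;

import java.util.Arrays;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.HTMLEntityCodec;
import org.owasp.esapi.reference.DefaultEncoder;

// Wired in through ESAPI.properties:
//   ESAPI.Encoder=com.MyCompany.myApp.MyEncoder
public class MyEncoder extends DefaultEncoder {

    // DefaultEncoder's own IMMUNE_HTML is private, so a different list has to live
    // here and be applied by overriding the encoding method that uses it.
    // '(' and ')' are added purely as an illustration (assumed set); '<', '>', '&',
    // '"' and '\'' must never be immune in an HTML context or encodeForHTML()
    // stops preventing XSS.
    private static final char[] MY_IMMUNE_HTML = { ',', '.', '-', '_', ' ', '(', ')' };

    private static final HTMLEntityCodec HTML_CODEC = new HTMLEntityCodec();

    // ESAPI's object factory prefers a public static getInstance() when one exists.
    // The inherited DefaultEncoder.getInstance() would hand back a plain
    // DefaultEncoder, so this class must declare its own to hide it.
    private static volatile Encoder instance;

    public static Encoder getInstance() {
        if (instance == null) {
            synchronized (MyEncoder.class) {
                if (instance == null) {
                    instance = new MyEncoder();
                }
            }
        }
        return instance;
    }

    private MyEncoder() {
        // Assumed to match the codecs DefaultEncoder itself uses for canonicalize();
        // every other encodeFor*() method keeps ESAPI's reference behaviour and
        // reference immune lists untouched.
        super(Arrays.asList("HTMLEntityCodec", "PercentCodec", "JavaScriptCodec"));
    }

    @Override
    public String encodeForHTML(String input) {
        if (input == null) {
            return null;
        }
        return HTML_CODEC.encode(MY_IMMUNE_HTML, input);
    }
}
```

Only encodeForHTML() changes here; each additional context you want to relax needs its own override, and each relaxation should get the same scrutiny the answer describes.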