Allowing for language-specific differences, all OWASP ESAPI versions have the same basic design:
There is a set of security control interfaces. They define, for example, the types of parameters that are passed to the different types of security controls.
There is a reference implementation for each security control. Its logic is neither organization-specific nor application-specific. An example: string-based input validation.
There are optionally your own implementations for each security control. These classes may contain application logic and may be developed by or for your organization. An example: enterprise authentication.
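The three-part design above, as an added sketch in Python; it is not ESAPI's own code and does not reproduce the API of any ESAPI port. The names `Validator`, `ReferenceValidator`, `AcmeValidator`, `set_validator` and `validator` are hypothetical, and the reserved-name rule is a constructed organization-specific rule.

```python
import re
import unicodedata
from abc import ABC, abstractmethod

class ValidationError(ValueError):
    """Raised when input fails a validation rule."""

class Validator(ABC):
    """Security control interface: fixes the parameter types for this control."""
    @abstractmethod
    def get_valid_input(self, context: str, value: str, pattern: str, max_length: int) -> str:
        """Return the checked value or raise ValidationError."""

class ReferenceValidator(Validator):
    """Reference implementation: generic string-based allow-list validation."""
    def get_valid_input(self, context, value, pattern, max_length):
        if not isinstance(value, str):
            raise ValidationError(f"{context}: expected a string")
        # Unicode-normalize (NFKC) first so look-alike forms are checked in one form.
        value = unicodedata.normalize("NFKC", value)
        if len(value) > max_length:
            raise ValidationError(f"{context}: longer than {max_length} characters")
        if re.fullmatch(pattern, value) is None:
            raise ValidationError(f"{context}: not in the allowed pattern")
        return value

class AcmeValidator(ReferenceValidator):
    """Your own implementation (constructed organization rule layered on the reference)."""
    RESERVED = {"admin", "root"}
    def get_valid_input(self, context, value, pattern, max_length):
        value = super().get_valid_input(context, value, pattern, max_length)
        if context == "username" and value.lower() in self.RESERVED:
            raise ValidationError(f"{context}: reserved name")
        return value

_validator: Validator = ReferenceValidator()  # default when nothing is configured

def set_validator(impl: Validator) -> None:
    """Swap the implementation; callers keep using the same interface."""
    global _validator
    if not isinstance(impl, Validator):
        raise TypeError("implementation must satisfy the Validator interface")
    _validator = impl

def validator() -> Validator:
    """Locator the application calls instead of naming a concrete class."""
    return _validator
```

Application code calls only `validator().get_valid_input(...)`, so replacing the reference implementation with an organization's own class changes behaviour without touching any call site.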
This project source code is licensed under the BSD license, which is very permissive and about as close to public domain as is possible.
The project documentation is licensed under the Creative Commons license. You can use or modify ESAPI however you want, even include it in commercial products.