It is easy to believe that this encoding method will protect against injection attacks, but if the method is not used in exactly the right context, it can offer much less protection than it advertises.
Example 1: The following encoding call allows an attacker quite a bit of latitude for inserting malicious JavaScript:
out.println("x = " + encoder.encodeForJavaScript(input) + ";");
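The following added example (not part of the original page or of ESAPI) models Example 1 in JavaScript so the generated statement can be executed. The encodeForJavaScript function here is a simplified stand-in, assumed to pass alphanumerics and , . _ through and to escape everything else; sessionToken and the helper names are constructed for illustration. It shows that the same encoded value is evaluated as code when written unquoted, but stays data inside a quoted string literal.

```javascript
// Simplified stand-in for the page's encoder.encodeForJavaScript (an assumption,
// not ESAPI's code): alphanumerics and , . _ pass through unchanged, every
// other character becomes \xHH or \uHHHH.
function encodeForJavaScript(input) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9,._]/.test(s[i])) {
      out += s[i];
    } else if (code < 256) {
      out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// Example 1 as written on the page: the encoded value lands in an unquoted context.
function renderUnquoted(input) {
  return 'x = ' + encodeForJavaScript(input) + ';';
}

// Same encoder, but the value is emitted inside a quoted string literal.
function renderQuoted(input) {
  return "x = '" + encodeForJavaScript(input) + "';";
}

// Execute a rendered statement with a constructed page variable in scope
// and return the value that ends up in x.
function run(statement) {
  const body = 'var x; ' + statement + ' return x;';
  return new Function('sessionToken', body)('constructed-token');
}

// Constructed input made only of characters the encoder leaves alone.
const input = 'sessionToken';
console.log(renderUnquoted(input), '->', run(renderUnquoted(input)));
console.log(renderQuoted(input), '->', run(renderQuoted(input)));

// Constructed input with quote and statement characters: inside the quoted
// literal the escapes decode back to the original text and nothing executes.
const punct = "';y=1;//";
console.log(renderQuoted(punct), '->', run(renderQuoted(punct)));
```

The encoder's escapes are only meaningful to the JavaScript parser inside a string literal, which is why the quoted form is the context it is meant for.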
[1] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 176
[2] OWASP ESAPI Secure Coding Guideline