Changed the tongue-in-cheek property names to the actual ones we are using.

Author: kwwall

configuration/esapi/ESAPI.properties

@@ -556,3 +556,30 @@ Validator.HtmlValidationAction=throw
 # This is the default behaviour of ESAPI.
 #
 #Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml
+
+########################################################################################
+# The following methods are now disabled in the default configuration and must
+# be explicity enabled. If you try to invoke a method disabled by default, ESAPI
+# will thrown a NotConfiguredByDefaultException.
+#
+# The reason for this varies, but ranges from they are not really suitable for
+# enterprise scale to that are only marginally tested (if at all) versus the are
+# unsafe for general use, although them may be fine when combined with other
+# security-in-depth techiques.
+#
+# The disabled-by-default methods are:
+#   org.owasp.esapi.reference.DefaultEncoder.encodeForSQL
+#   org.owasp.esapi.ESAPI.accessController  [FUTURE; will correspond to deprecation notice]
+#
+# Mote details to explain this may be found in the ESAPI GitHub wiki article at
+#   https://github.com/ESAPI/esapi-java-legacy/wiki/Reducing-the-ESAPI-Library's-Attack-Surface
+###########
+# The format is a comma-separated list of fully.Qualified.ClassName.methodName;
+# all class names must begin with "org.owasp.esapi.".
+ESAPI.dangerouslyAllowUnsafeMethods.methodNames=
+###########
+# Normally you would put some text here (that will be logged) that provides some
+# justification as to why you have enabled these functions. This can be
+# anythuing such as a Jira or ServiceNow ticket number, a security exception
+# reference, etc. If it is left empty, it will just like "Justification: none".`
+ESAPI.enableLegCannonModeAndGetMyAssFired.justification=