The boss has given me the green light for getting rid of Portcullis in favor of ESAPI. GREAT!!
But all the documentation I've been looking at isn't really helping me to implement it.
What we did have set up with Portcullis was in Application.cfc. During the onRequestStart(), it checked to see if Portcullis was defined (init it if it wasn't), then passed URL and FORM scopes to Portcullis for scanning. If Portcullis found something that shouldn't be there, it redirected to the home page.
I'm leaning towards using ESAPI for sanitizing input, not detecting and redirecting. Is there a way to set ESAPI up to scan entire FORM or URL scoped values within the Application.cfc? Or am I doomed to going to every form-processing page and adding the sanitization to every form or URL value?
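As an added illustration (not code from the original post, nor from the ESAPI or Portcullis projects), here is one way the Portcullis-style hook described in the question can be rebuilt around ESAPI: an `onRequestStart()` that walks every URL and FORM value and runs it through the ESAPI validator, with the same log-and-redirect fallback the old filter had. It assumes the ESAPI jar is on ColdFusion's classpath (ColdFusion 9.0.1 and later bundle it), that an `ESAPI.properties` is configured, and that the stock whitelist pattern name `HTTPParameterValue` exists in that file; the component name `esapiScanDemo`, the `scanScope()` helper and the log file name are all invented for the example.

```cfml
<!--- Added example, not from the original post. Assumes the ESAPI jar and an
      ESAPI.properties are available to ColdFusion; the component name, the
      scanScope() helper and the log file name are constructed for illustration. --->
<cfcomponent output="false">
    <cfset this.name = "esapiScanDemo">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- Look the ESAPI locator up once; encoder() and validator() return singletons --->
        <cfset application.esapi = createObject("java", "org.owasp.esapi.ESAPI")>
        <cfreturn true>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- ColdFusion passes structs by reference, so the scopes are updated in place --->
        <cfset scanScope(url, "URL")>
        <cfset scanScope(form, "FORM")>
        <cfreturn true>
    </cffunction>

    <cffunction name="scanScope" returntype="void" output="false">
        <cfargument name="scope" type="struct" required="true">
        <cfargument name="label" type="string" required="true">
        <cfset var validator = application.esapi.validator()>
        <cfset var key = "">
        <cfset var clean = "">
        <cfloop collection="#arguments.scope#" item="key">
            <!--- FORM carries a FIELDNAMES entry; skip it and anything that is not a plain string --->
            <cfif key EQ "FIELDNAMES" OR NOT isSimpleValue(arguments.scope[key])>
                <cfcontinue>
            </cfif>
            <cftry>
                <!--- getValidInput(context, input, patternName, maxLength, allowNull)
                      canonicalizes the value first (undoing nested/mixed URL, HTML and
                      JS encodings) and then enforces the named whitelist regex from
                      ESAPI.properties. Double encoding or a failed whitelist match throws. --->
                <cfset clean = validator.getValidInput(
                    "#arguments.label#.#key#",
                    javaCast("string", arguments.scope[key]),
                    "HTTPParameterValue",
                    javaCast("int", 1000),
                    javaCast("boolean", true))>
                <!--- Replace the raw value with its canonical form so downstream pages see clean data --->
                <cfset arguments.scope[key] = clean>
                <cfcatch type="any">
                    <!--- ValidationException / IntrusionException: record it and bounce home,
                          mirroring the redirect behaviour the old Portcullis hook had --->
                    <cflog file="esapi-scan" type="warning"
                           text="Rejected #arguments.label#.#key#: #cfcatch.message#">
                    <cflocation url="/" addtoken="false">
                </cfcatch>
            </cftry>
        </cfloop>
    </cffunction>
</cfcomponent>
```

Two things worth knowing before adopting this pattern. First, the whitelist in `Validator.HTTPParameterValue` is deliberately narrow, so free-text fields (comments, names with apostrophes) will be rejected unless you define a looser named pattern in `ESAPI.properties` and map specific fields to it. Second, ESAPI's model is canonicalize-and-validate on the way in and encode per output context on the way out; a global pass like this covers the first half, but `encodeForHTML()` and its siblings still belong at the point where the value is rendered, not in `onRequestStart()`, otherwise values stored to a database or used in a query will carry HTML entities.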