Core uses the “ESAPI” lib (
application.fc.lib.esapi) internally, mostly so that we can provide compatibility across ACF 9.x+ and Railo 3.2+ without requiring the use of version specific built-in functions. Any time Core outputs something in a response that needs to be encoded then it should do so (e.g. particularly forms, so anything related to ft:form, ft:object, etc), so if you use those Core tags yourself you should be ok in those instances.
In your own project(s) code you are responsible for whatever you output directly / outside of using Core features. So if you’re outputting URL and Form variables in a page you should use the appropriate built-in encoding functions that your engine supports, or you could potentially use Core’s ESAPI lib if you need cross-engine compatibility (particularly for a plugin that you want to distribute).
As for “fields in content types”, whatever you allow into the DB will also be returned in an stObj or other struct representing a custom content type. Again, if you are outputting something using ft:form / ft:object then you should be covered, but if you are outputting something yourself that has come from a user then you should always use the appropriate encoding method at the point of output.