Hello @Anders,
This is to let you know that I tested your code samples with SQ Developer Edition 7.7 and it raises the expected issues on the first one and nothing on the second one thanks to the sanization provided by ESAPI.encoder():
SQ 7.7 should be released before end of March 2019.
Regards