I understand what ESAPI is used for, but I see these two lines repeated in a lot of ESAPI examples. Can someone please explain what exactly this does?
ESAPI.encoder().canonicalize(inputUrl,false,false);
See the docs:
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack.
The two additional parameters which are set to false in your example indicate whether or not to restrict multiple encoding and mixed encoding (see docs for meaning), respectively.