Or just writing parameterized statements using JDBC should also be sufficient, or just using Stored Procedures. It's amazing when I have interviewed potential candidates for coding positions how few know about Cross-Site Scripting and SQL Injection attacks, if you don't know those things, you are DOA as far as I'm concerned as for getting a position on my team.
In many internal business applications that are behind the firewall, it may not be necessary to protect against such attacks. If only senior management has access to the application, what's the point?
I would not be surprised if coders coming from such an environment would not know how to create a site that is accessible from the public internet.