Is anyone using the ESAPI WAF? I'd love to hear about your experiences with it. I personally want to remove it from the code-base, but I do acknowledge that it solves a crucial political itch for PCI-DSS that is important. Luckily, Arshan has offered to clean up that code before the 2.0 release. :) Cheers, Jim