The reason I found this thread interesting is that when Blue Lane was a standalone company before the VMware acquisition, we used the platform that the vShield is built upon today (transparent bridge/transparent tcp/udp proxy) to deliver functionality to mitigate XSS scripting, handle some PHP vulnerabilities in the HTTP content, SQL Injection, plus other content-based vulnerabilities covered in the OWASP Top Ten - and we had good success helping w/ PCI Compliance on this front. Curious to see why transparent/bridging firewall should not offer this type of functionality.