# cfml-general
d
Has anyone seen this error:
```
SecurityConfiguration for IntrusionDetector.Disable not found in ESAPI.properties
```
The reported line is in a cfm, rendering a vanilla input field. That error appears to be related to OWASP security stuff, but we're not calling it ourselves. Server was recently updated to 2021 U16 from U14, it's been on 11.0.24 since it was recommended. Have only seen this error once, no other weirdness except the install thing I've mentioned here before. Ring any bells?
if that helps reveal anything
d
Hmmm, don't think so. First off this is ACF 2021 not Lucee. Second, we're not calling ESAPI-anything; "ESAPI" only appears in our code in a few unrelated mentions, as somethingServic*esAPI.*
p
Encoding or Decoding things from the url around this code that is causing issues?
Or possibly dig into the config stuff down under the hood for cf2021 and look at that setting in the properties file.
d
Turns out I was wrong about the calling line of code. Assuming the reported line was off slightly, it was a deserializeJSON() call, which I can somewhat reasonably see OWASP having an opinion about. However, so far I can't reproduce it. Investigating...
Does ACF invoke any OWASP utilities internally?
p
I believe so
b
@Dave Merrill yes - various ACF "EncodeFor..." functions and attributes use OWASP ESAPI. Maybe other places too.
d
How about deserializeJSON()? That's on the line of code the error (almost) points to. Also weirdly, that call is inside a try/catch, but still apparently made it out to our higher level exception handling stuff, which I don't understand.
b
Not that I can immediately tell, but that's only based on some quick testing