@swguy, I've chosen to correct the issue a bit differently, changing that line to read:
Code:
$_SESSION['comments'] = (!empty($_POST['comments'])) ? htmlspecialchars($_POST['comments'], ENT_NOQUOTES, CHARSET, true) : '';
When using zen_output_string_protected, I found that simple double-quotes (") were being converted to &quot;'s ... which I didn't like. I mean, what if the customer wanted to leave a simple comment like I'd like a margin of 2".?

The update is being tracked via this GitHub issue: https://github.com/lat9/one_page_checkout/issues/219
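
The difference between the two flag choices, and the output contexts each one fits, as an added example that is not part of the original post or of One Page Checkout. `EXAMPLE_CHARSET` stands in for Zen Cart's `CHARSET` constant, `store_comment()` and `comment_for_attribute()` are hypothetical helpers, and the sample comments are constructed.

```php
<?php
// Added example, not One Page Checkout code.
// Assumption: 'UTF-8' stands in for Zen Cart's CHARSET constant.
const EXAMPLE_CHARSET = 'UTF-8';

// The approach from the post: encode &, < and > but leave quotes alone.
function store_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_NOQUOTES, EXAMPLE_CHARSET, true);
}

// Hypothetical helper: prepare an already-stored comment for a quoted
// attribute value. ENT_QUOTES encodes " and '; double_encode=false leaves
// the &lt; / &gt; / &amp; produced by store_comment() untouched.
function comment_for_attribute(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, EXAMPLE_CHARSET, false);
}

// Constructed sample comments.
$samples = [
    'I\'d like a margin of 2".',
    'Ship <b>fast</b> & gift-wrap "carefully"',
];

foreach ($samples as $raw) {
    $stored = store_comment($raw);
    // What the default quote handling (ENT_COMPAT) would have produced.
    $compat = htmlspecialchars($raw, ENT_COMPAT, EXAMPLE_CHARSET, true);

    echo "raw:          $raw\n";
    echo "ENT_COMPAT:   $compat\n";
    echo "ENT_NOQUOTES: $stored\n";

    // Element content: < and > are encoded, so the stored value cannot
    // close the textarea or open a new tag.
    echo '<textarea name="comments">' . $stored . "</textarea>\n";

    // Quoted attribute: a bare " in the stored value would end the
    // attribute early, so quotes are encoded at output time.
    echo '<input name="comments" value="' . comment_for_attribute($stored) . "\">\n\n";
}
```

The stored value can be printed as element content unchanged; anywhere it lands inside a quoted attribute, the quotes need encoding at that point.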