Hi Bruce-
Thanks for looking at this.
The point is that the processing for the message on the page has to be different than the what is sent to the Java Script. In the generated code:
p_web.Script('alert('''&clip(loc:alert)&''');')
has the potential for generating bad code. The loc:alert is being used by us lowly programmers and in my case, I can't even guarantee what the contents of the message will contain. We have places in our system where we allow the user to define the error that is to be displayed.
As far as limiting special characters are concerned, advice noted. But what about <>? They have the same problem and I can envision using those in messages.
Regards,
Gordon