I think that's either a bug or they're not meant to be used like that. HTML takes the < and > and replaces them with & lt ; and & gt ; (minus spaces), then SQL takes the ; and replaces them with nothing, so it's surprising that it even partly works. It seems to work if you use SQL first then HTML, but that's just for that one string. I'm sure you'd run into problems for others. Weird though.