Nope…the difference is the placement of +$TBXRelatedLessonHTML(source) If I put it at the beginning of the string it triggers the security measure as there could be HTML in the original string. Whereas, if I place it at the end the action code first generates the new string and then adds on the existing content, thus not triggering the security measure.