For variables accepting $1- inside INPUT/ACTION/TEXT/CHAT, yes, it must (and should) be able to cope with whatever local or remote users/bots spew.

Character replacement is not a solution because there is no character you can replace " with that cannot also be sent by the typist/bot. In other words, if "" becomes ~~, your ensuing code then cannot tell whether the user really sent "", or ~~ itself.

The only workaround I have figured out is var %s = $qt($1-). With this, $null stays $null (because a null string inside $qt() will cause %s to eat $qt()'s quotes). But " becomes """, "" becomes """", "a" becomes ""a"", etc. You can then refer to %s at all times with $left($right(%s,-1),-1). Of course, this makes things unnecessarily complex, especially when doing heavy string parsing.

(SM, thanks for explaining the true purpose of -n.)