
It's not:

http://www.engadget.com/2012/03/01/foursquare-replaces-googl...

Interestingly, Chrome doesn't execute that because it finds the source of the script in the request. Good XSS avoidance idea.




I tried that in Chrome too, saw it didn't work and presumed the site handled it, not my browser. IE9 avoids it as well, even shows a little popup saying the site has been modified to prevent XSS. Latest FF still displays the alert though.


Safari also appears to prevent the alert. Must be built into WebKit.


Nope. iPad shows the text.


They escape single- and double-quotes, what else is there to worry about?
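Added example, not part of the thread: a comparison of quote-only escaping with full HTML entity encoding for a value reflected into element content. The helper names and sample strings are constructed for illustration, and the context the site in question actually reflects into is not known from this page.

```javascript
// Added example; helper names and sample strings are constructed, not from the thread.

// Encoder that only handles the two quote characters, as the comment describes.
function escapeQuotesOnly(s) {
  return String(s).replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Encoder for HTML element content and quoted attribute values.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// True if the encoded text still contains something an HTML parser reads as a tag start.
function containsTagStart(encoded) {
  return /<[a-zA-Z\/!?]/.test(encoded);
}

// Constructed sample values of the kind a reflected parameter might carry.
const SAMPLES = [
  "<script>alert(1)</script>",
  "<b>bold</b>",
  'Tom & "Jerry"',
  "it's fine",
];

// Run every sample through both encoders and record whether markup survives.
function compareEncoders(inputs) {
  return inputs.map((input) => {
    const quotesOnly = escapeQuotesOnly(input);
    const full = escapeHtml(input);
    return {
      input, quotesOnly, full,
      quotesOnlyLeavesTag: containsTagStart(quotesOnly),
      fullLeavesTag: containsTagStart(full),
    };
  });
}

for (const row of compareEncoders(SAMPLES)) {
  console.log(JSON.stringify(row));
}
// This covers element content and quoted attributes only. Values placed in
// unquoted attributes, script blocks or URLs need encoding specific to that context.
```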



