Hacker News
by HackyGeeky 4394 days ago
As "sbd" said, the "html +=" statement is using the "num" parameter as it is.

The real problem is the substring(1) function, which passes the "num"; instead of making sure the length is 1, it is allowing everything.