A problem in the acs-templating procedure template::expand_percentage_signs: a user-supplied string containing a variable reference such as "$varname" would be evaluated if that input was substituted into a variable placeholder in a localization message key.
An example message key from the search package.
<msg key="lt_No_pages_were_found_c">No pages were found containing &quot;&lt;b&gt;%query%&lt;/b&gt;&quot;.</msg>
If the user-entered search query contained $varname, the template::expand_percentage_signs procedure would evaluate the value of the $query variable through [subst]. This replaced $varname with the variable's value if such a variable existed; otherwise a server error for a missing variable was returned.
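The following Tcl snippet is an added illustration of the mechanism described above; it is not the acs-templating source or the patch. The procedure names expand_unsafe and expand_safe, the sample message text and the sample variables are all constructed for the example, and the safe variant assumes that inserting values with [string map] alone (never running the result through [subst]) is an adequate replacement for the placeholder expansion.

```tcl
# Added example, not OpenACS code: placeholder expansion in an unsafe and a
# safe form, to show why user input must not reach [subst].

# Message text as the catalog would provide it (constructed sample).
set message {No pages were found containing "<b>%query%</b>".}

# Unsafe variant: substitute %name% placeholders, then run the whole string
# through [subst] in the caller's scope. Any "$name" in the user's value
# is then treated as a Tcl variable reference.
proc expand_unsafe {msg vars} {
    foreach {name value} $vars {
        set msg [string map [list %${name}% $value] $msg]
    }
    return [uplevel 1 [list subst $msg]]
}

# Safe variant (assumed fix): only [string map] is used, so the user's
# value is inserted literally and "$varname" stays as typed.
proc expand_safe {msg vars} {
    set map [list]
    foreach {name value} $vars {
        lappend map %${name}% $value
    }
    return [string map $map $msg]
}

# Constructed: a variable in the interpreter's scope and a query that
# references it, as the advisory describes.
set secret "constructed-value"
set user_input {$secret}

puts "safe:   [expand_safe $message [list query $user_input]]"
puts "unsafe: [expand_unsafe $message [list query $user_input]]"

# The missing-variable case the advisory mentions: [subst] raises an error,
# which in the web stack surfaces as a server error.
if {[catch {expand_unsafe $message [list query {$nosuchvar}]} err]} {
    puts "unsafe with unknown variable: error: $err"
}
```

Run with tclsh: the safe call prints the query with $secret left as literal text, the unsafe call prints the variable's value in its place, and the last call reports the missing-variable error instead of a rendered message. The defensive point is that every value that originates from a request must be inserted by literal string replacement; [subst] should only ever see text that the application itself authored.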
See bug#2691 https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=2691
A patch is available https://openacs.org/bugtracker/openacs/patch?patch_number=744
This patch should apply to any 5.x version of OpenACS. A new version of acs-templating is available for install from the repository as well.