Forum OpenACS Improvement Proposals (TIPs): TIP #14 (Rejected): Making templates safe by removing tcl tag.
Could templates be made safe by removing the tcl tag? This would seem to prevent designers from introducing code that isn't safe. The <% and <%= tags are first replaced by the tcl tag. If this tag could optionally return the empty string, based on configuration of the server, it might be safe to allow designers to provide their own templates without review.
Proposal is to add a config parameter to redefine the tcl tag.
If it's possible to deactivate both then I support it. What default value for a new install do you suggest (I tend towards tcl within adp deactivated by default - would have to be introduced early for 5.1 though so that there is time to clean up dotlrn etc.).
The preprocessor for the templating system replaces <% with <tcl>, so you just need to disable the <tcl> tag in the templating system.
As others have pointed out, some packages still rely on this tag and inline tcl, so you could never, and probably should never, remove it completely. An individual install could easily disable it anyway.
One additional note: the ATS is very good at separating application logic from display logic. I would say it is one of the best systems available, if not the best. Removal of the tcl tag may make it safe to allow users to upload their own templates for pages.
I think the include tag might be an issue too since you can pass arbitrary variables to tcl scripts and bypass permissioning.
The more general idea of making it possible to safely execute user uploaded templates is an excellent idea and something I am completely in favour of (and I hate the embedded tcl code generally anyway).