As far as programmers including something dangerous themselves directly in ad_form goes, this is no more a problem than it is with a set statement. "set foo [exec rm -f]" is equally evil ...
So it is really just the double-substitution instance noted by Lars that is an issue, no?
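
Added example, not part of the original post and not ad_form's own code: plain Tcl contrasting a command the programmer wrote with a submitted value that goes through substitution once and then twice. The proc names and the sample value are assumptions made for illustration.

```tcl
# Added illustration in plain Tcl; it does not reproduce ad_form internals.
# Constructed sample: a value as a browser might submit it (assumption).
# The embedded command only bumps a counter so the effect is observable.
set submitted {[incr ::evaluated]}
set ::evaluated 0

# Case 1: code the programmer wrote. The brackets are in the source text,
# so the command runs once, exactly as written, like "set foo [...]".
proc programmer_written {} {
    set foo [string length "fixed by the author"]
    return $foo
}

# Case 2: single substitution of untrusted data. $value is replaced once;
# brackets inside the value stay literal text.
proc single_pass {value} {
    set label "You entered: $value"
    return $label
}

# Case 3: double substitution. The string built in the first pass is
# substituted again, so brackets that arrived as data now run as a command.
proc double_pass {value} {
    set label "You entered: $value"
    return [subst $label]
}

# Case 4: when a second pass is unavoidable, switch off command
# substitution. Variables in the data would still be substituted;
# add -novariables if that matters.
proc double_pass_guarded {value} {
    set label "You entered: $value"
    return [subst -nocommands $label]
}

puts [programmer_written]
puts [single_pass $submitted]
puts "after single pass:  evaluated=$::evaluated"
puts [double_pass $submitted]
puts "after double pass:  evaluated=$::evaluated"
puts [double_pass_guarded $submitted]
puts "after guarded pass: evaluated=$::evaluated"
```

The counter changes only in the double-pass case, which is the distinction the post draws between code a programmer wrote and data that gets substituted a second time.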