I suspect removing the tcl tag (or making it suppressible
via a state variable on <include> for example)
would still leave plenty of holes where you could potentially
execute commands. I would not really be comfortable allowing
user uploaded templates on any system I was responsible for
until we had gone through quite carefully to make sure
all the other tags did not allow code execution via other
back doors.
I think the include tag might be an issue too since you can pass arbitrary variables to tcl scripts and bypass permissioning.
The more general idea of making it possible to safely execute
user uploaded templates is an excellent idea and something
I am completely in favour of (and I hate the embedded tcl
code generally anyway).