If I evaluate variables, I may also evaluate code. The current templating system definitely allows that. You can - unfortunately - still embed TCL constructs in your ADP snippets and they get evaluated.
Now some malicious user can come along and embed stuff like [rm -rf /] and that command will be executed with the rights of the webserver on the filesystem. You definitely don't want that.
(Maybe this doesn't apply in this particular case because new-portal does something unusual. Can someone confirm?)
Any snippet of HTML is potentially dangerous. You can always sneak in JavaScript, e.g. even on the bold tag. And new-portal comes with its own templating system and isn't yet fully affected by the noquote patch. (See https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=952).
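
The two risks raised in this thread (untrusted text reaching Tcl evaluation, and unquoted HTML reaching the page), shown as an added Tcl example that is not part of the original posts and is not OpenACS or new-portal code. The procs `side_effect`, `html_quote` and `render`, and this handling of `@name@` placeholders, are hypothetical; the input is constructed and the embedded command only sets a flag. Assumes Tcl 8.5 or later for `dict`.

```tcl
# Harmless stand-in for a command an attacker might embed (hypothetical).
proc side_effect {} { set ::ran 1; return "EXECUTED" }

# Constructed untrusted input: markup with an event handler plus a
# bracketed Tcl command.
set user_text {<b onmouseover="alert(1)">x</b> [side_effect]}

# Weak: passing untrusted text through subst (or eval) performs command
# substitution, so the bracketed command runs with the server's rights.
set ::ran 0
set weak [subst -novariables -nobackslashes $user_text]
puts "weak:   ran=$::ran output=$weak"

# Hardened, part 1: quote every HTML metacharacter in a value.
proc html_quote {s} {
    return [string map [list "&" "&amp;" "<" "&lt;" ">" "&gt;" \
                             "\"" "&quot;" "'" "&#39;"] $s]
}

# Hardened, part 2: fill @name@ placeholders by plain string replacement.
# string map makes a single pass and never rescans what it inserted, so a
# value cannot introduce further placeholders, and no value is ever handed
# to the Tcl interpreter.
proc render {template vars} {
    set map {}
    dict for {name value} $vars {
        lappend map "@${name}@" [html_quote $value]
    }
    return [string map $map $template]
}

set ::ran 0
set safe [render {<p>@body@</p>} [dict create body $user_text]]
puts "safe:   ran=$::ran output=$safe"
```

Running it with `tclsh` prints both results side by side: the flag shows whether the embedded command executed, and the output shows whether the markup reached the page unquoted.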