Could templates be made safe by removing the tcl tag? This would seem to prevent designers from introducing code that isn't safe. The <% an <%= tags are first replaced by the tcl tag. If this tag could optionally return the empty string, based on configuration of the server, it might be safe to allow designers to provide their own templates without review.
Proposal it to add a config parameter to redefine the tcl tag.