Can the support for <include> tags be optional?
The reason I say this is because there are some serious security implications of allowing people to execute template code. If you have access to the template level, that's quite a security risk. <% rm /tmp/* %> is a rather benign example..
It would be pretty easy to make this optional, and include a disclaimer that if you enable templating support, that you're compromising in security.
Granted, anyone with HTML access can hack your system too. But it's just so much easier with templating level access.
At least that's my understanding of it. Perhaps I'm wrong?
Admin level access would let you change the parameters, but create, write, and read levels would not, right?