In XLsuite, we use Liquid templates in the CMS. Two days ago, I noticed a big problem: ERB code in the Liquid template ends up being eval’d. This is in direct contradiction with Liquid’s mission statement:
Ruby library for rendering safe templates which cannot affect the security of the server they are rendered on.
From Liquid Home Page
I’m reposting this here so this gets the attention it deserves.
If you are interested, you can view Liquid’s issue at: http://code.google.com/p/liquid-markup/issues/detail?id=6