rejetto forum

Testing build #180

rejetto · 16 · 14797

rejetto
I thought we needed a load macro in the existing template for the contents of an upload to be executed?  Unless of course someone takes advantage of the way diff templating works in real folders (wasn't there a default mask done to prevent this?)

to execute the content of an upload is as interesting as it is risky. an admin who really wants to be able to upload files load-able in the template can do so by making an upload folder that automatically moves the file to the sys folder, with a diff template like
[upload-success]
{.rename|%item-resource%|C:\hfs\{.filename|%item-resource%.}.}

you can't upload a diff tpl. this doesn't depend on the mask.
you can't upload index.html, and this relies on the default mask.

this shows the will of the user to get such a result, and will hardly cause any trouble to an unaware user (excluding possible bugs & flaws)

Quote
But wouldn't a user who would allow upload access to their template folder be just as likely as allowing access to the HFS root folder?  I don't see what we accomplished other than an arbitrary rule.

the template folder is often exposed because it may contain resources like images and stuff.