rejetto forum

There is a not insignificant risk of pirating the VFS by using alias of macro

Mars · 4 · 3106


Mars (Operator)

[special:alias]
get={:set item|/|hide tree=1|comment=you should never see this!:}

Add this section to your template and open the root in your browser.

The problem appears because an alias can replace an existing macro; the only way to avoid an impersonation is to apply an alias only when no valid macro matches.


Quote
function cbMacros(fullMacro:string; pars:Tstrings; cbData:pointer):string;
label exitCbMacros;
var
  md: ^TmacroData;
  name, p: string;

....
    if pars.Count < 1 then goto exitCbMacros; // from here, only macros with parameters
....
    if pars.Count < 2 then goto exitCbMacros; // from here, only macros with parameters
....
    if pars.Count < 3 then goto exitCbMacros; // from here, only macros with parameters
....
    if pars.Count < 4 then goto exitCbMacros; // from here, only macros with parameters

    if name = 'for' then
      for_();

exitCbMacros:
// begin moved inside CbMacros
    // handle aliases
    if assigned(md.aliases) then
      begin
      s:=md.aliases.values[name];
      if s > '' then
        begin
        if not AnsiStartsStr(MARKER_OPEN, s) then
          s:=MARKER_OPEN+s+MARKER_CLOSE;
        call(s, 0);
        exit;
        end;
      end;

// end  moved inside CbMacros
  finally
    if mainfrm.macrosLogChk.checked then
      appendFile(MACROS_LOG_FILE, TAB+'> '+fullMacro+CRLF+TAB+'< '+result+CRLF+CRLF)
    end;
except
  if mainfrm.macrosLogChk.checked then
    appendFile(MACROS_LOG_FILE, TAB+'> '+fullMacro+CRLF+TAB+'< Exception, please report this bug on www.rejetto.com/forum/'+CRLF+CRLF);
  result:='';
  end;
end; // cbMacros



rejetto (Administrator)

if you run a script you don't trust, it may destroy the files on your hard disk.
scripts must be trusted.

so, i don't see your case as a problem. i see it instead as a possible tool: if you want to disable a specific command temporarily, you can.
« Last Edit: February 09, 2010, 04:40:52 PM by rejetto »


Mars (Operator)

Quote
so, i don't see your case as a problem. i see it instead as a possible tool: if you want to disable a specific command temporarily, you can.

I see your choice as a possible security flaw: if, when publishing (editing) a template, we are not careful to verify that aliases do not replace macros in an illicit (hostile) way, then I cannot trust a tpl. I do not believe that this is possible even in PHP.

Aliases are there so that we do not have to use variables of the type {.set|alias|{: $1 $2 $3 ... $40:}.} with {.^alias.}; the existing macros have to keep their primary function and not be overloadable.

I did not verify, but isn't there also a risk of recursion with aliases?

[special:alias]
recur=recur|hello $1                -->>>>      {.recur|rejetto.}      --->>'infinite loop'



but this works correctly


[special:alias]
recur=recur|hello                -->>>>      {.recur|rejetto.}  ---->>>>>> hello


{.recur|rejetto.}
« Last Edit: February 13, 2010, 03:40:59 PM by Mars »
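
An added example, not from the thread or the HFS code base: a small Python check that reads a template's [special:alias] section and reports aliases that reuse a built-in macro name or whose body calls their own name, the two cases raised in the posts above, so they can be reviewed before a template is trusted. The built-in list is a partial sample made of names that appear in this thread, and the function names, the `mygreet` alias and the `[other]` section are constructed for illustration.

```python
import re

# Assumption: partial sample of built-in names taken from this thread
# (get, set, for); replace it with the full list for your HFS build.
BUILTIN_MACROS = {"get", "set", "for"}
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
HEAD_RE = re.compile(r"^\s*(?:\{[.:])?\s*([^|.:}\s]+)")


def parse_aliases(template):
    """Return {alias_name: body} from the [special:alias] section only."""
    aliases, in_alias = {}, False
    for line in template.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_alias = m.group(1).strip().lower() == "special:alias"
            continue
        if in_alias and "=" in line:
            name, body = line.split("=", 1)
            aliases[name.strip()] = body.strip()
    return aliases


def audit_aliases(template, builtins=BUILTIN_MACROS):
    """Return sorted (alias, finding) pairs that need a manual review."""
    findings = []
    for name, body in parse_aliases(template).items():
        key = name.lower()  # assumption: compare names case-insensitively
        if key in builtins:
            findings.append((name, "shadows built-in macro"))
        head = HEAD_RE.match(body)  # first macro name the body invokes
        if head and head.group(1).lower() == key:
            findings.append((name, "body calls its own name"))
    return sorted(findings)


# Constructed sample template reusing the two alias lines quoted above.
SAMPLE_TPL = """[special:alias]
get={:set item|/|hide tree=1|comment=you should never see this!:}
recur=recur|hello $1
mygreet={:hello $1:}

[other]
name=this line is not an alias
"""

if __name__ == "__main__":
    for alias, finding in audit_aliases(SAMPLE_TPL):
        print(f"{alias}: {finding}")
```

A self-referencing alias is reported for review rather than as a confirmed loop, since the post above shows one variant that loops and one that does not.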


rejetto (Administrator)

i remember having put a check to avoid infinite recursion. i hope it's working :P

Quote
I see your choice as a possible security flaw: if, when publishing (editing) a template, we are not careful to verify that aliases do not replace macros in an illicit (hostile) way, then I cannot trust a tpl.

i don't fully understand your trust problem.
any script/template can destroy your hard disk and send personal data over the network to your attacker.
and all of this without replacing any existing macro.
macros ARE dangerous if written by someone else.
that's why i tried to restrict where the macros can come from.
how can you say that we would be safer than this if "replacing" was not allowed ?
sounds like making a car safer by wearing a sweater.