<%radio.macros.viewWeblog ()%>. These are what generate the HTML sent to a remote www server.

What I am about to say next may be premature. I haven't had a chance to really dig through the code to see what's going on here. If Radio is doing some kind of checking/untainting on the string value of the macro directive, then everything I am about to say should be moot. If, however, Radio is simply eval-ing the macro, it raises an enormous red flag. It means that all a bad person needs to do is fire up a copy of NotePad and change one of the files in the www directory to contain a new <% do.something.bad () %> macro, which would be run the next time you sync your blog with a remote server. Just in case you ever thought that your sysadmin was being grumpy and cranky or just generally contrary simply out of spite.
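The difference between the two behaviours described above, as an added illustration that is not Radio's code and makes no claim about how Radio actually processes its templates: a template renderer that hands the directive body to an interpreter will run whatever expression sits between the delimiters, whereas a renderer that parses the directive and looks the name up in a registry of known macros cannot be made to run anything else. The macro names, the `MACROS` registry, the `view_weblog` stand-in and the sample template are all constructed for this example.

```python
import re
from typing import Callable, Dict

# Constructed stand-in for the real macro; not Radio's implementation.
def view_weblog() -> str:
    return "<div class='weblog'>...posts...</div>"

# Allowlist of macro names the checked renderer is willing to dispatch to.
# Anything not registered here is rejected, never evaluated.
MACROS: Dict[str, Callable[[], str]] = {
    "radio.macros.viewWeblog": view_weblog,
}

# Any <% ... %> span in the template, used to find every directive.
RAW_DIRECTIVE = re.compile(r"<%(.*?)%>", re.S)
# The only directive shape the checked renderer accepts: <% dotted.name (args) %>.
# Arguments are captured so a fuller version could validate them; ignored here.
PARSED_DIRECTIVE = re.compile(r"<%\s*([A-Za-z_][\w.]*)\s*\((.*?)\)\s*%>")


class UnknownMacro(ValueError):
    """Raised when a template contains a directive that is not a registered macro."""


def render_unsafe(template: str) -> str:
    """Eval-style rendering: the directive body is passed to eval() unchanged.

    Whatever expression someone writes into a template file is executed
    when the page is rendered. Builtins are stripped here only to keep the
    demonstration self-contained; that does not make this approach safe.
    """
    def expand(m: "re.Match[str]") -> str:
        return str(eval(m.group(1), {"__builtins__": {}}, {}))
    return RAW_DIRECTIVE.sub(expand, template)


def render_checked(template: str) -> str:
    """Allowlisted rendering: parse the directive, look the name up, never eval.

    A directive that does not parse as name(args), or whose name is not in
    MACROS, aborts rendering with UnknownMacro instead of running anything.
    """
    def expand(m: "re.Match[str]") -> str:
        parsed = PARSED_DIRECTIVE.fullmatch(m.group(0))
        if parsed is None:
            raise UnknownMacro(f"malformed directive: {m.group(0)!r}")
        name = parsed.group(1)
        macro = MACROS.get(name)
        if macro is None:
            raise UnknownMacro(f"macro not registered: {name}")
        return macro()
    return RAW_DIRECTIVE.sub(expand, template)


def is_rejected(template: str) -> bool:
    """True if the checked renderer refuses the template rather than rendering it."""
    try:
        render_checked(template)
    except UnknownMacro:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample of a template file as it might sit in a www directory.
    good = "<html><body><%radio.macros.viewWeblog ()%></body></html>"
    tampered = "<html><body><% do.something.bad () %></body></html>"
    print(render_checked(good))
    print("tampered file rejected:", is_rejected(tampered))
    # The eval-style renderer evaluates an arbitrary expression instead.
    print(render_unsafe('<% "ab" * 3 %>'))
```

The point the checked renderer makes is that the template file is untrusted input: it is writable by anyone who can edit files in the www directory, so the renderer's job is to map a directive to a known macro, not to interpret it as code.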