in reply to Re: Re: $1 in variable regex replacement string
in thread $1 in variable regex replacement string
Really bad things could happen even outside '(?{...})' constructs.
For example (this is something totally innocent, but you get the idea):
    use strict;
    my $str  = 'abcadefaghi';
    my $pat  = qr/(a.)/;
    my $repl = 'system dir ';
    $str =~ s/$pat/$repl/eeg;
Of course you could try to filter out all system, exec and backticks, but that is only solving a small part of the possible problems as anything inside the $repl-variable gets run as a perl-program.
CountZero
"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law
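A way to support `$1`-style references in a variable replacement string without `/ee`, as an added example that is not part of the original post or thread. The names `expand_template` and `safe_subst` are hypothetical, the template syntax is limited to `$N`, `${N}` and backslash escapes, and the pattern itself is assumed to come from a trusted source.

```perl
use strict;
use warnings;

# Expand $N, ${N} and backslash escapes in a replacement template by
# plain text lookup. The template is never compiled or evaluated as Perl.
sub expand_template {
    my ($template, @groups) = @_;        # $groups[0] holds what $1 matched
    my $lookup = sub {
        my ($n) = @_;
        return '' if $n < 1 || $n > @groups || !defined $groups[$n - 1];
        return $groups[$n - 1];
    };
    $template =~ s/\\(.)|\$(?:\{(\d+)\}|(\d+))/
        defined $1 ? $1 : $lookup->(defined $2 ? $2 : $3)/ge;
    return $template;
}

# Global substitution driven by an untrusted template. The capture groups
# of each match are read from @- and @+ while $str itself stays unmodified.
sub safe_subst {
    my ($str, $pat, $template) = @_;
    my ($out, $pos) = ('', 0);
    while ($str =~ /$pat/g) {
        my @g = map {
            defined $-[$_] ? substr($str, $-[$_], $+[$_] - $-[$_]) : undef
        } 1 .. $#+;
        $out .= substr($str, $pos, $-[0] - $pos) . expand_template($template, @g);
        $pos = $+[0];
    }
    return $out . substr($str, $pos);
}

# Constructed inputs: the string and pattern from the post, first with a
# benign template, then with the post's replacement string.
my $pat = qr/(a.)/;
print safe_subst('abcadefaghi', $pat, '[$1]'), "\n";
# Here 'system dir ' is inserted as literal text; nothing is executed.
print safe_subst('abcadefaghi', $pat, 'system dir '), "\n";
```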