Just to emphasize what "something rather malicious" can mean:

    "This string, @{[system('echo rm -rf /')]} is almost evil."
[download]

I put the "echo" in so any fool who wonders what that does and cuts-and-pastes it into Perl doesn't get too burnt. So, how far do you want to trust string interpolation now?

Me, I don't trust string interpolation even if I'm not doing something obviously dangerous like CGI. It becomes very easy to forget to properly guard access to your templates and end up running code that you didn't want to.

Now, as for the code (slightly rewritten, just for variety -- I don't claim my version is not worse):

    s#\$(\w+)#'$'.$1#gee
[download]

we are quite safe. This code cannot create variables. It cannot even access variables from other packages (\w matches neither ":" nor the Perl4-ish "'") nor the built-in variables (unless you use English in your package).

Even fairly nasty stuff like a tied variable whose FETCH routine sends threatening e-mail to your boss isn't a problem unless your script created such a tied variable before we interpolate the arbitrary string.

So I don't see any use for the ${"${package}::$1"} suggestion in this particular case, since the same thing could be accomplished via (with yet another variation thrown in):

    {
        package SandBox;
        s/([\$\@]\w+)/"join' ',$1"/gee;
    }
[download]

Finally, you can't throw a TCP/IP packet at CPAN without hitting yet another templating module. Some of these do "safe" templating. Some of them do "full power" templating where all the dangers of eval apply. Some support both modes and stuff in between. Just be careful.

        - tye (but my friends call me "Tye")