Index: openacs-4/packages/acs-tcl/acs-tcl.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/acs-tcl.info,v
diff -u -r1.95.2.52 -r1.95.2.53
--- openacs-4/packages/acs-tcl/acs-tcl.info	26 Aug 2022 12:06:43 -0000	1.95.2.52
+++ openacs-4/packages/acs-tcl/acs-tcl.info	7 Nov 2022 13:34:33 -0000	1.95.2.53
@@ -9,7 +9,7 @@
     <implements-subsite-p>f</implements-subsite-p>
     <inherit-templates-p>t</inherit-templates-p>
 
-    <version name="5.10.1d22" url="http://openacs.org/repository/download/apm/acs-tcl-5.10.1d22.apm">
+    <version name="5.10.1d23" url="http://openacs.org/repository/download/apm/acs-tcl-5.10.1d23.apm">
         <owner url="http://openacs.org">OpenACS</owner>
         <summary>The Kernel Tcl API library.</summary>
         <release-date>2021-09-15</release-date>
@@ -18,7 +18,7 @@
         <license>GPL version 2</license>
         <maturity>3</maturity>
 
-        <provides url="acs-tcl" version="5.10.1d22"/>
+        <provides url="acs-tcl" version="5.10.1d23"/>
         <requires url="acs-bootstrap-installer" version="5.10.0"/>
         <requires url="acs-kernel" version="5.10.1d3"/>
 
Index: openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl,v
diff -u -r1.189.2.153 -r1.189.2.154
--- openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl	23 Oct 2022 18:19:55 -0000	1.189.2.153
+++ openacs-4/packages/acs-tcl/tcl/utilities-procs.tcl	7 Nov 2022 13:34:34 -0000	1.189.2.154
@@ -891,6 +891,7 @@
     return $export_string
 }
 
+
 ad_proc -private export_vars_sign {
     {-params ""}
     value
@@ -3599,6 +3600,44 @@
     return $external_url_p
 }
 
+ad_proc util::potentially_unsafe_eval_p { -warn:boolean string } {
+
+    Check content of the string to identify potentially unsafe content
+    in the provided string. The content is unsafe, when it contains
+    externally provided content, which might be provided e.g. via
+    query variables, or via user values stored in the database. When
+    such content contains square braces, a "subst" command on
+    theses can evaluate arbitrary commands, which is dangerous.
+
+} {
+    set unsafe_p 0
+    set original_string $string
+    while {1} {
+        set p [string first \[ $string ]
+        if {$p > 0} {
+            set previous_char [string range $string $p-1 $p-1]
+            set string [string range $string $p+1 end]
+            if {$previous_char eq "\\"} {
+                continue
+            }
+        }
+        if {$p < 0 || [string length $string] < 2} {
+            break
+        }
+        set unsafe_p 1
+        if {$warn_p} {
+            ad_log warning "potentially unsafe eval on '$original_string'"
+        }
+    }
+    return $unsafe_p
+}
+
+# potential test cases
+#util::potentially_unsafe_eval_p 123
+#util::potentially_unsafe_eval_p {123[aaa}
+#util::potentially_unsafe_eval_p {123\[aaa}
+#util::potentially_unsafe_eval_p {123\[aaa[567}
+
 ad_proc -public ad_job {
     {-queue jobs}
     {-timeout ""}
Index: openacs-4/packages/xotcl-core/xotcl-core.info
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xotcl-core/xotcl-core.info,v
diff -u -r1.106.2.45 -r1.106.2.46
--- openacs-4/packages/xotcl-core/xotcl-core.info	30 Oct 2022 10:00:55 -0000	1.106.2.45
+++ openacs-4/packages/xotcl-core/xotcl-core.info	7 Nov 2022 13:34:34 -0000	1.106.2.46
@@ -10,7 +10,7 @@
     <inherit-templates-p>t</inherit-templates-p>
     <auto-mount>xotcl</auto-mount>
 
-    <version name="5.10.1d12" url="http://media.wu-wien.ac.at/download/xotcl-core-5.10.1d12.apm">
+    <version name="5.10.1d13" url="http://media.wu-wien.ac.at/download/xotcl-core-5.10.1d13.apm">
 	<owner url="mailto:neumann@wu-wien.ac.at">Gustaf Neumann</owner>
 	<summary>XOTcl library functionality (e.g. thread handling, online documentation, Generic Form and List Classes)</summary>
 	<release-date>2021-09-16</release-date>
@@ -42,13 +42,13 @@
 	<license>BSD-Style</license>
 	<maturity>2</maturity>
 
-	<provides url="xotcl-core" version="5.10.1d12"/>
+	<provides url="xotcl-core" version="5.10.1d13"/>
 	<requires url="acs-kernel" version="5.10.0"/>
 	<requires url="acs-bootstrap-installer" version="5.10.1d1"/>        
         <requires url="acs-templating" version="5.10.1d6"/>        
 	<requires url="acs-api-browser" version="5.10.0"/>
 	<requires url="acs-content-repository" version="5.10.0"/>
-	<requires url="acs-tcl" version="5.10.1d8"/>
+	<requires url="acs-tcl" version="5.10.1d23"/>
 	<requires url="acs-admin" version="5.10.0"/>
 
 	<callbacks>
Index: openacs-4/packages/xotcl-core/tcl/06-package-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xotcl-core/tcl/06-package-procs.tcl,v
diff -u -r1.41.2.51 -r1.41.2.52
--- openacs-4/packages/xotcl-core/tcl/06-package-procs.tcl	22 Aug 2022 17:06:40 -0000	1.41.2.51
+++ openacs-4/packages/xotcl-core/tcl/06-package-procs.tcl	7 Nov 2022 13:34:34 -0000	1.41.2.52
@@ -991,7 +991,10 @@
         # The variable specification "$_var" is a pair of name and
         # value.
         #
-        lappend __vars [lindex $_var 0] [uplevel subst [lindex $_var 1]]
+        if {util::potentially_unsafe_eval_p -- [uplevel [lindex $_var 1]]} {
+          ad_log warning "depecated usage of variable/value pair $_var, potentially unsafe for 'subst'"
+        }
+        lappend __vars [lindex $_var 0] [uplevel subst -nocommands [lindex $_var 1]]
       } else {
         #
         # We have just a variable name, provide a linked variable to