One question to the php-purists - how do you handle pure-php templates uploaded by users?
As most template engines support only a specified subset of what PHP offers it's relatively easy to deny the use of e.g. <?php unlink(...); ?> in a template - but how would you handle this in pure-php templates?
As far as I can see you'd have to parse the code, check each and every function call and again limit it to a specified subset that seems OK.

Just to make sure no one gets me wrong - I'm using both pure-php and Smarty, each one as it fits.
The question above should be no offence, I'm really interessted in a solution to solve the mentioned problem as I'd like to write a "pure-php template system" for one of my apps that handles cahcing etc. but lets the templates be pure-php.