You can eval Perl without EVAL_PERL

[exercism-1]

The EVAL_PERL option controls the PERL directive, which allows Perl code to be embedded in a template. However, you don't need PERL to run arbitrary Perl code:

[% template.new({ 'BLOCK' => 'print STDERR "ace.\n"; die' }) %]

I'm not sure if this counts as a bug. Feel free to close.

[DrHyde]

I think it is a bug, and not just because it's a security concern. The Template::Parser docs say "The $data hash reference returned contains a BLOCK item containing the compiled Perl code for the template" so it seems to me that instantiating an object with that but no template, or with a template that doesn't match the BLOCK item, shouldn't really be possible.

[atoomic]

At first glance this seems to be by design,
look how the BLOCK directive is implemented

template($block) - https://github.com/abw/Template2/blob/master/lib/Template/Directive.pm#L69
anon_block($block) - https://github.com/abw/Template2/blob/master/lib/Template/Directive.pm#L100

[dracos]

This isn't a BLOCK directive, it's the BLOCK constructor argument to Template::Document. As template in a template is the Template::Document object, http://www.template-toolkit.org/docs/modules/Template/Document.html says new can be passed in a string which is then immediately eval()ed. I guess the special template and component template variables should not be an object on which you can call new, perhaps a Template::Document subclass that uses _new as the constructor? As then that wouldn't be available in the template (unless you've undefined PRIVATE). Or the Template::Document constructor could check and only let itself be called as Template::Document->new and not $instance->new.