One reason Sean has brought this issue up is related to my XmlSerialization
module, which uses REXML. My first shot used .send to assign values to
object instances during deserialization, but this requires having accessors
for all instance data. I recoded it to use instance_eval to remove the
accessor requirement, then taintedness and $SAFE levels came to mind. So I
bumped up the $SAFE level in my unit test suite, expecting them to all fail
since they read in strings from a file through REXML, but they all passed.

Sean's REXML does some processing of the strings to support different
encodings (calling unpack and pack, I believe), but nothing else really
happens to the string contents, yet they lose their taintedness ... then my
module runs an instance_eval on these strings. It seems like a security hole
to me.

Chris
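The instance_eval step is where the lost taint becomes a problem, so one mitigation is to stop treating REXML text as code at all. Below is an added example, not Chris's XmlSerialization module: a deserializer that assigns instance variables from parsed XML with `instance_variable_set`, validating the variable name and storing the value as data. The `Person` class, `XmlInstanceLoader` and the `<ivar name="...">` element layout are assumptions made up for illustration.

```ruby
require 'rexml/document'

# Hypothetical deserializer (not the XmlSerialization module from the post).
# Input layout assumed: <ClassName><ivar name="first">Ada</ivar>...</ClassName>
class XmlInstanceLoader
  # Only plain identifiers may become instance variable names.
  IVAR_NAME = /\A[a-z_][a-zA-Z0-9_]*\z/

  def self.load(klass, xml)
    doc = REXML::Document.new(xml)
    obj = klass.allocate                 # no accessors or initialize needed
    doc.root.elements.each('ivar') do |el|
      name = el.attributes['name'].to_s
      # Reject anything that is not an identifier instead of evaluating it;
      # taint tracking is irrelevant because nothing here is eval'd.
      unless name.match?(IVAR_NAME)
        raise ArgumentError, "bad ivar name: #{name.inspect}"
      end
      # instance_variable_set stores the element text as a String value.
      obj.instance_variable_set("@#{name}", el.text.to_s)
    end
    obj
  end
end

# Sample class with no accessors, to mirror the no-accessor requirement.
class Person
  def greeting
    "#{@first} #{@last}"
  end
end

# Constructed sample document (not real data from the post).
SAMPLE_XML = <<~XML
  <Person>
    <ivar name="first">Ada</ivar>
    <ivar name="last">Lovelace</ivar>
  </Person>
XML

# Returns true when a malformed variable name is refused.
def rejects_bad_name?
  XmlInstanceLoader.load(Person, '<Person><ivar name="a b">x</ivar></Person>')
  false
rescue ArgumentError
  true
end
```

Values stored this way are ordinary strings on the object; only code that later passes them to `eval`-style calls would reopen the problem described above.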