There is a discussion in Gemini here, about  server side code in HTML skins.
Gemini is not the place to discuss this, so I would like to continue here.
The discussion is about the question if this should be allowed, not how to...

IMO if you allow an admin to upload ASCX skins then there's no reason to not allow server side code in HTML skins.
(then there is no real security risk, so no gain and it would be a breaking change)

Unless you would split up the admin skin upload permissions in two options

1. Allow upload of HTML skins (no ASCX)
2. Allow upload of HTML & ASCX skins

Then if option 1. is selected, it would make sense to strip all server side code from the skin...

(This might have been discussed before)

Any opinions?

BTW, IMO the upload portal skin option should be per portal.

I agree that there really isn't a valid security reason to block server side code in HTML skins if you allow ASCX skins to be uploaded.  And splitting permission would be the best method to handle this, though a commercial HTML skin with server side code might be an issue for some admins.  Skinners would need to differentiate the skins.  Of course, since this isn't going to happen for a while, and Cambrian might change a lot of skinning options, skins developed to DNN 5.x could magae this.

Jeff

FYI, we were not discussing .NET code in script tags, I agree you should use an ASCX skin if you need that kind of functionality.

It was about "inline code" like: <%=Portalsettings.ActiveTab.TabName%> which the current skinparser doesn't touch, and would be easy to remove...

(I think the skinparser uses REGEX mostly so removing blocks with runat=server shouldn't be to difficult either)