Template editing & security
Hello Pods community!
I've been doing research for an upcoming project and happened across Pods CMS, and I've gotta say that I'm pretty impressed with the project. I've read Jonathan Christopher's fantastic blog posts and have checked out the User Guide a bit, but I'm still left wondering about a couple of things.
First: Editing pages.
I may be missing something completely obvious, but it seems like most of the code must be written in (or pasted into) textareas in the browser, in the Pods admin section. I'm not a huge fan of this type of workflow, and this is a showstopper for me.
Second: PHP code stored in MySQL.
Another huge issue for me is how Pods seems to allow the user to write PHP code, then store it in the database, and then have it evaluated on the fly [presumably by eval()]. This seems like a pretty big security issue to me. What if an attacker managed to gain access to your database (via XSS or other) and wrote some malicious PHP into a template page or helper? Are there any special mechanisms in place to help prevent this type of issue from popping up, or are we relying on PHP's built-in filters?
These are my two major hangups in Pods. I really appreciate the project, and do understand why your conventions exist, but coming from a sysadmin background I can't help but worry about the issues above.
Thanks in advance for any insight you can provide.
Mike
Edit: I just discovered via this blog post that my first point is moot: http://mondaybynoon.com/2010/01/04/pulling-pods-data/#comment-18948
However, I am still concerned about XSS. Thoughts?
edited Aug 8 '11 at 4:58
1 Answer
Hi Mike,
I prefer the first way: writing Pods code in the *.php file (template page basis). Besides being more secure, this way is usually easier and is perfect for synchronizing with the theme layout I use (since not all WordPress themes can display data from Pods neatly, so mostly you need to put the code in a .php file and not in the database).
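As an added example (written for this thread; it is not Pods' own code nor code from either poster), here are the two defensive alternatives the thread circles around, in PHP: keep the code in a theme file and store only a validated template name in the database, or, if template text must live in the database, store placeholder markup rather than PHP and substitute escaped values, so nothing that came from the database is ever passed to eval(). The function names, the `{@field}` placeholder syntax and the temporary directory standing in for a theme are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Pods' code): two ways to keep database-stored template
// data out of eval(). All function names here are hypothetical.

/**
 * Option 1: the database row stores only a template *name*; the PHP lives in a
 * theme file. The name is validated as a plain slug and resolved inside a
 * fixed directory, so a tampered row can neither inject code nor point at a
 * file outside the theme.
 */
function resolve_template_file(string $name, string $templateDir): ?string
{
    // Only plain slugs: letters, digits, dash, underscore. No "/" or "." at all.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // Belt and braces: confirm the resolved file really sits inside $templateDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Option 2: if the template text must live in the database, store markup with
 * placeholders (here "{@field}") instead of PHP, and substitute escaped values.
 * The template is treated purely as data, so nothing in it can execute.
 */
function render_placeholder_template(string $template, array $fields): string
{
    return preg_replace_callback(
        '/\{@([A-Za-z0-9_]+)\}/',
        static function (array $m) use ($fields): string {
            $value = $fields[$m[1]] ?? '';
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// --- Demonstration with constructed data ------------------------------------
// A temporary directory stands in for the theme's template folder.
$themeDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pods-example-' . getmypid();
mkdir($themeDir . '/pods', 0700, true);
file_put_contents($themeDir . '/pods/post-card.php', "<?php echo 'post-card template';\n");

// Constructed rows standing in for a database result; the second one has been
// tampered with to try to load a file outside the theme.
$rows = [
    ['template' => 'post-card'],
    ['template' => '../../wp-config'],
];
foreach ($rows as $row) {
    $file = resolve_template_file($row['template'], $themeDir . '/pods');
    printf("%-20s => %s\n", $row['template'], $file === null ? 'REJECTED' : 'include ' . basename($file));
}

// A stored template plus field values that contain markup and PHP tags: the
// values come out as inert, escaped text rather than being executed.
$storedTemplate = '<h2>{@title}</h2><p>by {@author}</p>';
$fields = [
    'title'  => 'Hello <World>',
    'author' => '<?php echo "injected"; ?>',
];
echo render_placeholder_template($storedTemplate, $fields), "\n";

// Clean up the temporary theme directory.
unlink($themeDir . '/pods/post-card.php');
rmdir($themeDir . '/pods');
rmdir($themeDir);
```

Run it with `php example.php`: the first row resolves to the theme file (which the real code would `include`), the tampered row is rejected by the slug check, and the rendered template shows the angle brackets and quotes from the field values as HTML entities. Option 1 keeps the PHP in version-controlled theme files, which is also the workflow the answer recommends; Option 2 is for content editors who need to change layout without touching files, and its safety rests on never passing the stored text to eval() or include.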