Hugo Mills wrote: <snip>
Themes.
From my limited investigation so far, it seems that Drupal themes are basically PHP. Allowing users to upload themes directly is therefore a no-no. Is there a non-executable type of theme that we can support direct uploads for safely, or will all uploaded themes have to be audited before we allow them up? How flexible would the system be if we were to prevent theme uploads completely?
<snip>
I'd say that 80% of the themes I develop are Zen-based themes for which I only write new CSS. That's one way you could go -- pick a few good base themes and allow users to upload CSS-only subthemes.
IIRC, there is no PHP in Smarty themes -- the Smarty engine isn't used much any more, but I think it is still available for Drupal.
Susan
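
One way to enforce the CSS-only upload idea from the reply above, as an added example that is not part of the original thread or of Drupal's own code: an allowlist check run on an uploaded subtheme zip before anything is unpacked. It assumes the site generates every other subtheme file itself, so only stylesheets come from the user; the limits, name patterns and function names are assumptions of this sketch.

```python
import io
import re
import zipfile

# Assumed policy values for this sketch (not from the thread).
MAX_FILES = 50
MAX_FILE_BYTES = 256 * 1024
DIR_PART = re.compile(r"[A-Za-z0-9_-]+")
CSS_NAME = re.compile(r"[A-Za-z0-9_-]+\.css", re.IGNORECASE)


def check_css_only_archive(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded subtheme zip (empty = accept)."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    with archive:
        members = [m for m in archive.infolist() if not m.is_dir()]
        if len(members) > MAX_FILES:
            problems.append(f"too many files ({len(members)})")
        for member in members:
            *dirs, leaf = member.filename.split("/")
            # Rejects "..", absolute paths, drive letters and backslashes.
            if not all(DIR_PART.fullmatch(d) for d in dirs):
                problems.append(f"{member.filename}: unsafe path")
            # One extension only: blocks theme.php, .htaccess and x.php.css.
            elif not CSS_NAME.fullmatch(leaf):
                problems.append(f"{member.filename}: not a plain .css file")
            elif member.file_size > MAX_FILE_BYTES:
                problems.append(f"{member.filename}: too large")
            # A stylesheet has no use for a PHP/XML open tag.
            elif b"<?" in archive.read(member):
                problems.append(f"{member.filename}: contains '<?'")
    return problems


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip({"mytheme/css/layout.css": b"body { margin: 0; }"})
    bad = build_zip({"mytheme/template.php": b"<?php echo 1; ?>",
                     "../escape.css": b"a{}"})
    print(check_css_only_archive(good))
    print(check_css_only_archive(bad))
```

The check complements, rather than replaces, storing accepted files under server-chosen names in a directory where the web server does not execute scripts.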