Comment

Tech Note: The "Email an Article" Makeover, Now Mobile-Friendly

53
Nerdy Fish, 1/17/2017 3:24:50 pm PST

re: #49 Charles Johnson

Yes - that’s why the $mjml variable is passed through the escapeshellarg() function, to make sure it can’t be used to execute any arbitrary shell commands.

There’s also some server-side security as far as making sure that your PHP parser isn’t running with elevated privileges - preferably in its own sandbox.
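
The quoting described in the comment above, shown as an added example that is not part of the original comment or the site's code. It assumes a POSIX shell; `printf` is a stand-in for whatever command actually receives `$mjml`, and the function names and input strings are constructed for illustration.

```php
<?php
// Added example; not the site's code. `printf` is a stand-in (assumption) for
// the command-line tool that receives $mjml. Assumes a POSIX shell.

// Before: raw concatenation. The shell parses the value, so metacharacters
// such as ';' end the intended command and start another one.
function build_unsafe(string $mjml): string
{
    return "printf '%s' " . $mjml;
}

// After: escapeshellarg() wraps the value in single quotes and rewrites each
// embedded ' as '\'' so the shell receives exactly one literal argument.
function build_safe(string $mjml): string
{
    return "printf '%s' " . escapeshellarg($mjml);
}

// Constructed input with a harmless marker command appended.
$mjml = "hello; echo INJECTED";

foreach (['build_unsafe', 'build_safe'] as $builder) {
    $cmd = $builder($mjml);
    $out = shell_exec($cmd);
    printf("%-12s cmd: %s\n%-12s out: %s\n", $builder, $cmd, '', trim((string) $out));
}

// Embedded single quotes are handled too (constructed input).
echo build_safe("it's"), "\n";
```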