Tcl has been a testbed for safe interpretation since before Java existed (at least under that name). As security becomes ever more important, perhaps attention will return to Tcl just for this feature.
Christoph Drube - Is this really true? I'm using safe interps all the days with great success for import/export filters - so there is no file type it cannot read/create :-) One thing more to stay with Tcl ...
KJN - It's true. PHP has a safe mode, but even the PHP manual cannot give you an authoritative list of the functions that are restricted or disabled by safe mode [L1 ]. Safe mode itself is scheduled to be dropped in PHP 6 [L2 ]. Although PHP has other security-related directives, there is nothing as slick as Tcl's safe interpreters.
schlenk - Tcl's multi-interp model and the safe interps are really little gems. They show some warts of time and neglect (no upgrade to keep up with the VFS features for Safe_Base, it uses its own policy stuff for safe filesystems), but in general it's an extremly powerful feature to work with untrusted user data. Especially combined with the fact that you can completely strip an interp of all commands if you want to and just enable your own versions.