I think executing a script upon GET of a URI should only be possible on generated (symlink or alias) URIs that are specifically configured for that purpose and have separate access control from the URIs used to edit/view those scripts. This follows the same practice used in Web servers with CGI scripts.
....Roy
