Six Apart has kept its word and released a patch for the aforementioned bug in Movable Type 4.3. The new release, version 4.31, fixes some funk associated with custom fields and entry assets. More specifically, it was possible for a user to view a template that might show code that was not designed to be viewed by the end user and that couldn't be executed. New barriers include:
- Only allow the template_id parameter when the archive_type parameter exists.
- Force the template being used to match the archive type (e.g. if you're trying to paginate category archives, the template you're using has to be one that is producing category archives).
- Disallow the use of the template_id parameter when the extension is php or asp.
- Add a config directive (SearchAlwaysAllowTemplateID) that would always allow the use of template_id.
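The four barriers above, modeled as one request check. This is an added sketch in Python, not Movable Type's own (Perl) code: the `Template` record, the sample template ids, the rejection of unknown ids, reading "extension" as the template's output file extension, and treating SearchAlwaysAllowTemplateID as a bypass of all three checks are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    id: int
    archive_types: frozenset  # archive types this template produces
    extension: str            # assumed: extension of the published file

# Constructed sample data, not taken from a real Movable Type install.
TEMPLATES = {
    10: Template(10, frozenset({"Category"}), "html"),
    11: Template(11, frozenset({"Monthly"}), "html"),
    12: Template(12, frozenset({"Category"}), "php"),
}

BLOCKED_EXTENSIONS = {"php", "asp"}


def check_template_id(params: dict, always_allow: bool = False) -> tuple:
    """Return (allowed, reason) for the template_id of a search request.

    always_allow models the SearchAlwaysAllowTemplateID directive.
    """
    raw = params.get("template_id")
    if raw is None:
        return True, "no template_id supplied"
    # Extra hardening not listed on the page: reject ids that do not resolve.
    if not str(raw).isdecimal() or int(raw) not in TEMPLATES:
        return False, "unknown template_id"
    tmpl = TEMPLATES[int(raw)]
    if always_allow:
        return True, "SearchAlwaysAllowTemplateID is set"
    # Barrier 1: template_id is only accepted together with archive_type.
    archive_type = params.get("archive_type")
    if not archive_type:
        return False, "template_id requires archive_type"
    # Barrier 2: the template must be one that produces that archive type.
    if archive_type not in tmpl.archive_types:
        return False, "template does not match archive_type"
    # Barrier 3: never render through template_id for php/asp output.
    if tmpl.extension.lower() in BLOCKED_EXTENSIONS:
        return False, "template_id not allowed for php/asp"
    return True, "ok"
```

With the directive enabled, every check after the id lookup is skipped, which is why it is worth confirming the setting is absent from the configuration unless a site depends on it.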
As the Movable Type team says, this release was almost entirely based on user requests and bug reports, so keep the ball rolling after you've upgraded to 4.31 by dropping your two cents here.