It's possible to bypass enable-local-variables safe mode.
vulners.com/securityvulns/securityvulns:doc:18407